[✨ Triage] dotnet/runtime#120058 by jurijr - HttpClient - Authenticating NetworkCredentials on Fedora throws Invalid ... #1537

@MihuBot

Triage for dotnet/runtime#120058.
Repo filter: All networking issues.
MihuBot version: dc2200.
Ping MihaZupan for any issues.

This is a test triage report generated by AI, aimed at helping the triage team quickly identify past issues/PRs that may be related.
Take any conclusions with a large grain of salt.

Tool logs
dotnet/runtime#120058: HttpClient - Authenticating NetworkCredentials on Fedora throws InvalidToken exception by jurijr
[Tool] Searching for HttpClient NTLM InvalidToken Fedora, HttpClient NTLM Linux InvalidToken, HttpClient NTLM authentication failed Linux, HttpClient NetworkCredential InvalidToken, NTLM authentication Fedora, gssntlmssp HttpClient (IncludeOpen=True, IncludeClosed=True, IncludeIssues=True, IncludePullRequests=True, Repository=dotnet/runtime)
[Tool] Searching for NTLM authentication Fedora, NTLM InvalidToken exception, HttpClient NTLM Fedora, NTLM gssntlmssp Fedora (IncludeOpen=True, IncludeClosed=True, IncludeIssues=True, IncludePullRequests=True, Repository=dotnet/runtime)
[Tool] Found 45 issues, 439 comments, 38 returned results (7703 ms)
[Tool] Found 47 issues, 403 comments, 33 returned results (29443 ms)

Here are related issues and discussions for the problem described in issue #120058 ('HttpClient - Authenticating NetworkCredentials on Fedora throws InvalidToken exception'):


1. Issue #101058 (April 2024) - NTLM authentication not working in Linux based environment

Summary:

  • Users report NTLM authentication not working on Linux (Ubuntu 22, official aspnet docker image) while it works on Windows.
  • The error is typically Unauthorized (401) on Linux.
  • Discussion reveals that NTLM is supported on Linux/OSX via libgssapi, but requires the gss-ntlmssp package to be installed.
  • On Ubuntu 22.04, there are known conflicts between gss-ntlmssp and OpenSSL 3, which can break NTLM support.
  • Workarounds include:
    • Upgrading to Ubuntu 23+ (where gss-ntlmssp is fixed).
    • Using the managed NTLM implementation via System.Net.Security.UseManagedNtlm, though this is not the default and has caveats.
  • The issue is marked as a documentation issue for .NET 9.0, with a need for better documentation of the managed NTLM option and its caveats.

2. Issue #25827 (April 2018) - SocketsHttpHandler: NTLM auth does not work by default on Unix

Summary:

  • NTLM authentication fails on Unix by default unless the gss-ntlmssp package is installed.
  • Workarounds:
    1. Install gss-ntlmssp (plugin for MIT Kerberos GSSAPI).
    2. Use Heimdal (alternative Kerberos implementation with NTLM support).
  • The error message is typically a Win32Exception about GSSAPI operation failure.
  • There are also issues with channel binding support on non-Windows platforms, especially over HTTPS.
  • The issue was fixed in .NET Core 3.0, but proper dependencies must still be installed.

3. Issue #29748 (June 2019) - NTLM not working on Linux

Summary:

  • .NET Core 2.1 does not support NTLM on Linux, even with gss-ntlmssp installed.
  • .NET Core 3.0+ supports NTLM on Linux, but still requires gss-ntlmssp.
  • Default credentials are not supported for NTLM on Linux; explicit credentials must be provided.
  • The issue is not related to the Linux version, but to .NET Core version and the presence of the required package.

4. Issue #87568 (June 2023) - How to perform ntlm authentication when using alpine as base image?

Summary:

  • NTLM authentication is not possible with default credentials on Alpine Linux, even after building and installing gss-ntlmssp.
  • Alpine's musl libc and lack of packaged gss-ntlmssp complicate support.
  • Workarounds include switching to a Debian-based image or contributing a package to Alpine.
  • The server must offer the correct authentication scheme (Negotiate or NTLM) matching what the client provides.

5. Issue #110184 (Nov 2024) - Authentication validation failed with error - InvalidToken exception on .net

Summary:

  • Reports of InvalidToken errors during authentication, even when the server returns 200 OK.
  • The error seems to be related to Kerberos, but the stack trace is similar to the one in #120058.
  • Deep investigation into the token exchange, with suggestions to enable Kerberos event logging and internal diagnostics.
  • No clear resolution, but the discussion highlights the complexity of diagnosing InvalidToken errors.

6. Issue #113414 (Mar 2025) - Allow NTLM tests on newer Linux distributions

Summary:

  • PR and discussion about enabling NTLM tests on new Linux distributions (Fedora 41, Ubuntu 24.10).
  • Reports of crashes and InvalidToken errors with new versions of gss-ntlmssp.
  • Fedora 41 ships gss-ntlmssp 1.3.0, but tests still fail with InvalidToken.
  • Indicates that even with the latest packages, NTLM support may be broken or incomplete on some distros.

7. Issue #82547 (Feb 2023) - NTLM 401 macOS (Apple silicon)

Summary:

  • NTLM authentication fails on macOS, with 401 Unauthorized.
  • Discussion reveals that macOS's GSSAPI implementation always rewrites userdomain to domain\user, and there are username length limitations.
  • Not directly Fedora-related, but highlights cross-platform NTLM issues.

8. Issue #28531 (Jan 2019) - Negotiate to NTLM authentication fallback not working

Summary:

  • On non-Windows, Negotiate does not fall back to NTLM if Kerberos fails, unless the server offers NTLM explicitly.
  • Fixes were made in .NET Core 3.0, but fallback behavior may still differ from Windows.

9. Issue #119298 (Sep 2025) - Negotiate to NTLM authentication fallback not working (Windows, net9.0)

Summary:

  • Similar fallback issue reported on Windows/.NET 9.0.
  • Workaround is to use a custom ICredentials implementation to force NTLM.
  • Discussion about whether SocketsHttpHandler should fall back to less secure mechanisms.

10. Issue #35365 (Apr 2020) - NTLM authentication HttpClient in Core 3.1

Summary:

  • Reports of NTLM authentication returning 401 on .NET Core 3.1, while working on 2.2.
  • Workaround is to disable SocketsHttpHandler, but this is not possible in .NET 5+.
  • Requests for packet captures to diagnose further.

Key Points and Recommendations

  • gss-ntlmssp: Ensure the gss-ntlmssp package is installed and up-to-date. On Fedora, use dnf install gssntlmssp. On Ubuntu, use 23+ for best results.
  • OpenSSL 3+ Issues: On Ubuntu 22.04 and similar, OpenSSL 3 can break NTLM support. Upgrade to a newer distro or use workarounds if possible.
  • Managed NTLM: You can enable the managed NTLM implementation with <RuntimeHostConfigurationOption Include="System.Net.Security.UseManagedNtlm" Value="true" />, but this is not the default and may not work in all scenarios.
  • Explicit Credentials: On Linux, always use explicit credentials for NTLM. Default credentials are not supported.
  • Fallbacks: Negotiate does not always fall back to NTLM on non-Windows platforms unless the server offers NTLM explicitly.
  • Distribution Issues: Even with the latest packages, NTLM support may be broken on some distros (e.g., Fedora 41, Ubuntu 24.10) due to changes in gss-ntlmssp.
  • Debugging: Collect packet captures and enable detailed logging for deeper analysis.

In summary:
Your issue is a known class of problems with NTLM authentication on Linux, especially with recent changes in Linux distributions and the gss-ntlmssp package. There are multiple related issues, and the main recommendations are to ensure the correct packages are installed, consider using the managed NTLM implementation, and be aware of distribution-specific bugs. If possible, provide packet captures and logs for further diagnosis.

Let me know if you need a more focused summary or have a specific scenario to address!
