Issue authenticating with Windows Auth

[adamdriscoll]

• ASP.NET Core 3.1
• Windows Service configured with a service account
• SPN configured to host name (FQDN) and service account
• HTTP listening on 5000

I have a customer that is running our product built on ASP.NET Core in their environment and cannot authenticate with Windows Auth. They have setup an SPN for the host name and service account following this documentation.

The service itself is doing very little when it comes to configuration.

authBuilder.AddNegotiate(opts => {});

The SPN is configured with the FQDN for the host name. They are unable to access the website by host name or FQDN and the following error is shown in the log. They can access the site by IP Address and it authenticates correctly.

2021-02-10T13:08:40.5046720-05:00 0HM6DTQUKTK26:00000014 [DBG] Connection id ""0HM6DTQUKTK26"" completed keep alive response. (9784cde9)
2021-02-10T13:08:40.5047539-05:00 0HM6DTQUKTK26:00000014 [INF] Request finished in 22.2343ms 500  (791a596a)
2021-02-10T13:08:41.3247666-05:00 0HM6DTQUKTK26:00000015 [INF] Request starting HTTP/1.1 GET http://se152254:5000/admin   (ca22a1cb)
2021-02-10T13:08:41.3250210-05:00 0HM6DTQUKTK26:00000015 [DBG] AuthenticationScheme: "Negotiate" was not authenticated. (1152f827)
2021-02-10T13:08:41.3256071-05:00 0HM6DTQUKTK26:00000015 [DBG] The request path "" does not match the path filter (c4ce145c)
2021-02-10T13:08:41.3256835-05:00 0HM6DTQUKTK26:00000015 [DBG] No candidates found for the request path '"/admin"' (76d5928c)
2021-02-10T13:08:41.3257145-05:00 0HM6DTQUKTK26:00000015 [DBG] Request did not match any endpoints (328c36bf)
2021-02-10T13:08:41.3280425-05:00 0HM6DTQUKTK26:00000015 [INF] Executing ChallengeResult with authentication schemes ([]). (f3dca807)
2021-02-10T13:08:41.3281516-05:00 0HM6DTQUKTK26:00000015 [DBG] Challenged 401 Negotiate (30e6988d)
2021-02-10T13:08:41.3281794-05:00 0HM6DTQUKTK26:00000015 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2021-02-10T13:08:41.3285647-05:00 0HM6DTQUKTK26:00000015 [DBG] The request path "" does not match the path filter (c4ce145c)
2021-02-10T13:08:41.3286204-05:00 0HM6DTQUKTK26:00000015 [DBG] No candidates found for the request path '"/admin"' (76d5928c)
2021-02-10T13:08:41.3286440-05:00 0HM6DTQUKTK26:00000015 [DBG] Request did not match any endpoints (328c36bf)
2021-02-10T13:08:41.3305053-05:00 0HM6DTQUKTK26:00000015 [INF] Executing ChallengeResult with authentication schemes ([]). (f3dca807)
2021-02-10T13:08:41.3306041-05:00 0HM6DTQUKTK26:00000015 [DBG] Challenged 401 Negotiate (30e6988d)
2021-02-10T13:08:41.3306323-05:00 0HM6DTQUKTK26:00000015 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2021-02-10T13:08:41.3307878-05:00 0HM6DTQUKTK26:00000015 [DBG] Connection id ""0HM6DTQUKTK26"" completed keep alive response. (9784cde9)
2021-02-10T13:08:41.3309741-05:00 0HM6DTQUKTK26:00000015 [INF] Request finished in 6.1507ms 401  (791a596a)
2021-02-10T13:08:41.3579870-05:00 0HM6DTQUKTK26:00000016 [INF] Request starting HTTP/1.1 GET http://se152254:5000/admin   (ca22a1cb)
2021-02-10T13:08:41.3587052-05:00 0HM6DTQUKTK26:00000016 [INF] None (61c24651)
2021-02-10T13:08:41.3587425-05:00 0HM6DTQUKTK26:00000016 [INF] Incomplete Negotiate handshake, sending an additional 401 Negotiate challenge. (cbe1a9a9)
2021-02-10T13:08:41.3588298-05:00 0HM6DTQUKTK26:00000016 [DBG] Connection id ""0HM6DTQUKTK26"" completed keep alive response. (9784cde9)
2021-02-10T13:08:41.3588904-05:00 0HM6DTQUKTK26:00000016 [INF] Request finished in 0.9062ms 401  (791a596a)
2021-02-10T13:08:41.4232308-05:00 0HM6DTQUKTK26:00000017 [INF] Request starting HTTP/1.1 GET http://se152254:5000/admin   (ca22a1cb)
2021-02-10T13:08:41.4239314-05:00 0HM6DTQUKTK26:00000017 [INF] None (61c24651)
2021-02-10T13:08:41.4239714-05:00 0HM6DTQUKTK26:00000017 [INF] Incomplete Negotiate handshake, sending an additional 401 Negotiate challenge. (cbe1a9a9)
2021-02-10T13:08:41.4240781-05:00 0HM6DTQUKTK26:00000017 [DBG] Connection id ""0HM6DTQUKTK26"" completed keep alive response. (9784cde9)
2021-02-10T13:08:41.4241530-05:00 0HM6DTQUKTK26:00000017 [INF] Request finished in 0.9449ms 401  (791a596a)
2021-02-10T13:08:41.4440388-05:00 0HM6DTQUKTK26:00000018 [INF] Request starting HTTP/1.1 GET http://se152254:5000/admin   (ca22a1cb)
2021-02-10T13:08:41.4447160-05:00 0HM6DTQUKTK26:00000018 [ERR] An exception occurred while processing the authentication request. (65f99532)
System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2021-02-10T13:08:41.4462395-05:00 0HM6DTQUKTK26:00000018 [ERR] Connection id ""0HM6DTQUKTK26"", Request id ""0HM6DTQUKTK26:00000018"": An unhandled exception was thrown by the application. (560e7d32)
System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

I'm mostly just looking for debugging steps to provide them. I know our service works in other environments but am at a bit of a loss at what to tell them to look into. It looks like the SPN and service account are configured correctly. The service account was set to deny logon interactively so not sure if that's a problem.

I've found a few outstanding issues but they don't seem to apply here:

• Windows Authentication Error using Kestrel for .NET Core Web API, when accessed remotely. #20540
• https://xtremeownage.com/2021/02/05/system-invalidoperationexception-an-anonymous-request-was-received-in-between-authentication-handshake-requests/

[Tratcher]

A) You can use kestrel's connection logging to capture the headers. The auth headers can be decoded using standard tools to check that the expected SPNs are being included. https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints?view=aspnetcore-5.0#connection-logging
B) The SPN is configured with the FQDN for the host name. Is this the FQDN of the machine, the website, or both?
C) They have setup an SPN for the host name and service account following this please clarify what configuration they did. Was the SPN added to a specific account in active directory?