diff --git a/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs b/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
index 09bee9a1952568..ca9ab2dc705377 100644
--- a/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
+++ b/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
@@ -154,8 +154,19 @@ private static async Task SendWithNtAuthAsync(HttpRequestMe
 NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}");
 }
 
+ ContextFlagsPal contextFlags = ContextFlagsPal.Connection;
+ // When connecting to proxy server don't enforce the integrity to avoid
+ // compatibility issues. The assumption is that the proxy server comes
+ // from a trusted source. On macOS we always need to enforce the integrity
+ // to avoid the GSSAPI implementation generating corrupted authentication
+ // tokens.
+ if (!isProxyAuth || OperatingSystem.IsMacOS())
+ {
+ contextFlags |= ContextFlagsPal.InitIntegrity;
+ }
+
 ChannelBinding? channelBinding = connection.TransportContext?.GetChannelBinding(ChannelBindingKind.Endpoint);
- NTAuthentication authContext = new NTAuthentication(isServer: false, challenge.SchemeName, challenge.Credential, spn, ContextFlagsPal.Connection | ContextFlagsPal.InitIntegrity, channelBinding);
+ NTAuthentication authContext = new NTAuthentication(isServer: false, challenge.SchemeName, challenge.Credential, spn, contextFlags, channelBinding);
 string? challengeData = challenge.ChallengeData;
 try
 {
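Review bot: Dropping ContextFlagsPal.InitIntegrity on the proxy path (non-macOS) is a silent downgrade of what the security context requests, and nothing in the hunk records which flags were actually used; since the hunk already traces the scheme and SPN through NetEventSource.Info, the selected flags should be traced under the same guard, e.g. `NetEventSource.Info(connection, $"Authentication context flags: {contextFlags}");`, so an operator diagnosing a proxy negotiation can see whether integrity was requested. The added comment states the trust assumption but not the trade-off; it would be clearer to say explicitly that without InitIntegrity the proxy token exchange is not requested to be integrity-protected, which is why the behaviour is limited to isProxyAuth. The macOS clause describes a platform-specific workaround ("corrupted authentication tokens") that appears to be an observed GSSAPI defect rather than a design choice, so it should reference the tracking issue, e.g. `// See <TRACKING-ISSUE-PLACEHOLDER> for the macOS GSSAPI behavior.`, so the exception can be removed when fixed. SendWithNtAuthAsync begins and ends outside this hunk, so whether isProxyAuth is the only signal distinguishing proxy from origin authentication cannot be confirmed from here.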