From 6b3c120e28183cb61ecc2982dab14d24437cd612 Mon Sep 17 00:00:00 2001
From: Filip Navara
Date: Mon, 7 Mar 2022 19:45:51 +0100
Subject: [PATCH] Fix compatibility with NTLM authentication to McAfee Web Gateway

---
 .../AuthenticationHelper.NtAuth.cs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs b/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
index 09bee9a1952568..ca9ab2dc705377 100644
--- a/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
+++ b/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
@@ -154,8 +154,19 @@ private static async Task SendWithNtAuthAsync(HttpRequestMe
 NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}");
 }
 
+ ContextFlagsPal contextFlags = ContextFlagsPal.Connection;
+ // When connecting to proxy server don't enforce the integrity to avoid
+ // compatibility issues. The assumption is that the proxy server comes
+ // from a trusted source. On macOS we always need to enforce the integrity
+ // to avoid the GSSAPI implementation generating corrupted authentication
+ // tokens.
+ if (!isProxyAuth || OperatingSystem.IsMacOS())
+ {
+ contextFlags |= ContextFlagsPal.InitIntegrity;
+ }
+
 ChannelBinding? channelBinding = connection.TransportContext?.GetChannelBinding(ChannelBindingKind.Endpoint);
- NTAuthentication authContext = new NTAuthentication(isServer: false, challenge.SchemeName, challenge.Credential, spn, ContextFlagsPal.Connection | ContextFlagsPal.InitIntegrity, channelBinding);
+ NTAuthentication authContext = new NTAuthentication(isServer: false, challenge.SchemeName, challenge.Credential, spn, contextFlags, channelBinding);
 string? challengeData = challenge.ChallengeData;
 try
 {
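Review bot: The weakened context (no `ContextFlagsPal.InitIntegrity`) is now chosen for every proxy authentication on non-macOS platforms, not only for the gateway this fixes, and nothing records which flags were actually requested, so an operator diagnosing a proxy exchange cannot see from the trace that integrity was not asked for. The existing `NetEventSource.Info` call whose closing brace is the hunk's second context line already logs the scheme and SPN; computing `contextFlags` before that block and extending the message to `NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}, Flags: {contextFlags}");` would make the relaxation observable without changing behaviour. The comment states the trust assumption but not its consequence; I would add one line, `// Without InitIntegrity the NTLM exchange with the proxy is not integrity-protected; rely on the transport to the proxy instead.`, so the next maintainer does not read the branch as a pure compatibility quirk. Whether the macOS-only carve-out should also cover Mac Catalyst (same GSS framework, I believe) is worth confirming. The enclosing `SendWithNtAuthAsync` begins and ends outside the hunk.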