Calling WCF service with NTLM auth from .NET Core on linux

Question

I am unable to successfully call a WCF service with NTLM authentication from .NET Core running on a linux box (docker container). The same code works perfectly on Windows 10 though.

What I have done:

• Add this to ConfigureServices:

AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

• Run apt-get -y install gss-ntlmssp
• This is the code prior to calling the service:

var client = new WcfServiceSoapClient();
client.Endpoint.Address = new EndpointAddress(settings.Uri);
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
client.ClientCredentials.Windows.ClientCredential = new NetworkCredential
{
    Domain = settings.Domain,
    UserName = settings.Username,
    Password = settings.Password
};
var binding = (BasicHttpBinding)client.Endpoint.Binding;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.Ntlm;

As mentioned this works fine on Windows 10. On Linux the following error is logged:

System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM, Negotiate'.
   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass1_0.<CreateGenericTask>b__0(IAsyncResult asyncResult)

Question is: why is it still failing on linux?

Answer 1

I had the same problem and was able to fix it, with a lot of help from the guys on the net core GitHub.

Essentially net core uses the underlying OS to handle http calls. Before, on Linux libCurl was used, but the newer SocketsHttpHandler uses gss, which doesn't come with ntlm support (at least not in the 'microsoft/dotnet:2.2-aspnetcore-runtime-stretch-slim' image).

To fix this you need to install an extra library in your container, using the docker file. Right after

FROM microsoft/dotnet:2.2-aspnetcore-runtime-stretch-slim

(Or whatever image you use)

on the next line add the following:

RUN apt-get update && apt-get install -y --no-install-recommends apt-utils gss-ntlmssp

Hope this helps!