I recently needed to call an API that uses NTLM auth. It worked like a charm on Windows, but I struggled on Linux containers. You can find tips on the Internet that suggest installing the gss-ntlmssp native lib to help, but be careful: the version currently available through apt-get (1.2.0-1build3) for aspnet10 noble also shows strange behavior.
Reminder
The EWS web service adds these headers to its response to the first request:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
This means .NET will try two different authentication schemes: first Negotiate, then NTLM.
- Negotiate => will use Interop (gss-ntlmssp for Linux)
- NTLM => will use Managed (if UseManagedNtlm=true)
On Linux, if the lib gss-ntlmssp is not installed,
.NET 10 (via Linux Noble)
| UseManagedNtlm | gss-ntlmssp | Result | Remarks |
|---|---|---|---|
| False | Not installed | Fail | 1. Cannot use Interop for Negotiate 2. Cannot use Interop for NTLM |
| False | 1.2.1-build3 (apt-get) | Fail | 1. Use Interop for Negotiate 2. Cannot use Interop for NTLM |
| False | 1.3.1 (compiled from sources) | Fail | 1. Use Interop for Negotiate 2. Cannot use Interop for NTLM |
| True | 1.2.1-build3 (apt-get) | Fail | 1. Use Interop for Negotiate 2. Use Managed for NTLM. The gss-ntlmssp version seems broken |
| True | 1.3.1 (compiled from sources) | Ok | 1. Use Interop for Negotiate 2. Use Managed for NTLM |
| True | Not installed | Ok | 1. Use Managed for NTLM. Will only work for NTLM, no Kerberos |
Solution
Based on my digging, in order to make Negotiate, NTLM and Kerberos work, you need to:
- 1. Compile and install gss-ntlmssp latest version 1.3.1
- 2. Enable UseManagedNtlm by AppSwitch in your code
```csharp
if (OperatingSystem.IsLinux())
{
    // We need to do that to be able to authenticate on Linux with EWS that uses NTLM under the hood
    AppContext.SetSwitch("System.Net.Security.UseManagedNtlm", true);
}
```
- 3. Install these extra libs
- libgssapi-krb5-2
- krb5-user
- libkrb5-3
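
To check a container against the matrix above, the following added example (not code from the original post) first prints the `WWW-Authenticate` schemes the server offers, then sends an authenticated request with the switch enabled. The endpoint URL and the `EWS_USER`, `EWS_PASSWORD` and `EWS_DOMAIN` environment variable names are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

internal static class NtlmProbe
{
    // Placeholder endpoint (assumption); replace with your own EWS URL.
    private static readonly Uri Endpoint = new("https://ews.example.invalid/EWS/Exchange.asmx");

    private static async Task<int> Main()
    {
        // Same switch as in the post; set it before any request is sent.
        if (OperatingSystem.IsLinux())
            AppContext.SetSwitch("System.Net.Security.UseManagedNtlm", true);

        // 1. Anonymous probe: list the schemes the server offers in its challenge.
        using (var anonymous = new HttpClient())
        using (var challenge = await anonymous.GetAsync(Endpoint))
        {
            Console.WriteLine($"Anonymous: {(int)challenge.StatusCode}");
            foreach (var header in challenge.Headers.WwwAuthenticate)
                Console.WriteLine($"  WWW-Authenticate: {header.Scheme}");
        }

        // 2. Credentials come from the environment (variable names are
        //    assumptions), so no secret ends up in the source or the image.
        var credential = new NetworkCredential(
            Environment.GetEnvironmentVariable("EWS_USER"),
            Environment.GetEnvironmentVariable("EWS_PASSWORD"),
            Environment.GetEnvironmentVariable("EWS_DOMAIN"));

        // 3. Register the credential for both schemes the server advertises.
        var cache = new CredentialCache();
        cache.Add(Endpoint, "Negotiate", credential);
        cache.Add(Endpoint, "NTLM", credential);

        // 4. Authenticated request; the status code tells you which row of
        //    the matrix this container falls into (Ok or Fail).
        using var handler = new HttpClientHandler { Credentials = cache };
        using var client = new HttpClient(handler);
        using var response = await client.GetAsync(Endpoint);
        Console.WriteLine($"Authenticated: {(int)response.StatusCode}");
        return response.IsSuccessStatusCode ? 0 : 1;
    }
}
```

The process exit code is 0 only when the authenticated request succeeds, so the program can serve as a smoke test after building the image.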