Use managed NTLM/SPNEGO on Apple platforms by default #89267
Conversation
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
@filipnavara we discussed it and we fear that it might cause regressions. What is your confidence?
Sure. There's already an opt-in for .NET 8, so I am fine with doing this in .NET 9 with a bit more leeway.
We can always pull it into servicing if we get decent verification and there is a need.
There are a few things to balance here. Apple's NTLM implementation has both compatibility issues and known buffer overflows that are relatively easy to trigger. Apple has shown no interest in fixing the buffer overflows. Since they don't happen in the core authentication flow in HTTP and/or SMTP, I don't expect people to run into them, though. The compatibility issues are difficult to diagnose, and several people have run into them already. So, as far as NTLM itself is concerned, I am quite confident that the managed implementation is the better choice. Unfortunately, to offer a consistent experience we have to use managed SPNEGO as well, and that has received very little testing so far. I expect us to switch our application to it in the opt-in mode once .NET 8 is released, and we should get enough exposure throughout the .NET 9 timeline.
LGTM
Apple implementation of NTLM has two major compatibility issues:

@

into name and domain. Unfortunately this has different semantics on the wire. It may work in some cases, but it fails when the NTLM is relayed to a directory controller with a different name, and for long user names. Issue NTLM 401 macOS (Apple sillicon) #82547.

Let's try to use the managed NTLM implementation on Apple platforms now that we can support it with Kerberos at the same time. There's still an opt-out through setting the UseManagedNtlm app context switch to false.

Fixes #65678
Fixes #82547
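The opt-out described above, as an added example that is not part of the PR or of the dotnet/runtime code base. It shows the two ways an application can turn the switch off (in code before first use, or as a runtime host configuration option in the project file) and how to check which implementation is in effect. It assumes the full switch name is System.Net.Security.UseManagedNtlm (the PR text only shows the short form UseManagedNtlm); the credential values, environment variable names and URL are constructed placeholders.

```csharp
// Added example (not from the PR): opting out of the managed NTLM/SPNEGO
// implementation on Apple platforms, and checking which path is active.
// Assumption: the full switch name is "System.Net.Security.UseManagedNtlm";
// the PR only shows the short form "UseManagedNtlm".
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

static class NtlmOptOutDemo
{
    // Assumed full name of the AppContext switch introduced for this feature.
    const string ManagedNtlmSwitch = "System.Net.Security.UseManagedNtlm";

    static async Task Main()
    {
        // AppContext switches of this kind are read when the Negotiate/NTLM
        // machinery initializes, so the opt-out must be set before the first
        // authenticated request. Setting it to false restores the platform
        // implementation, with the compatibility issues and unfixed overflows
        // the PR discussion describes; leaving it unset keeps the managed code.
        //
        // The same opt-out without code, in the project file:
        //   <ItemGroup>
        //     <RuntimeHostConfigurationOption Include="System.Net.Security.UseManagedNtlm" Value="false" />
        //   </ItemGroup>
        if (Environment.GetEnvironmentVariable("DEMO_OPT_OUT_MANAGED_NTLM") == "1")
        {
            AppContext.SetSwitch(ManagedNtlmSwitch, false);
        }

        Console.WriteLine($"Managed NTLM/SPNEGO active: {IsManagedNtlmEnabled()}");

        // A normal Negotiate/NTLM-authenticated request. Nothing here differs
        // between the two implementations; only the wire behaviour does.
        // Credential values and URL are constructed placeholders.
        using var handler = new HttpClientHandler
        {
            Credentials = new NetworkCredential("user", "placeholder-password", "EXAMPLE"),
            PreAuthenticate = true,
        };
        using var client = new HttpClient(handler);
        string url = Environment.GetEnvironmentVariable("DEMO_URL") ?? "http://intranet.example.invalid/";
        try
        {
            using HttpResponseMessage response = await client.GetAsync(url);
            Console.WriteLine($"HTTP {(int)response.StatusCode}");
        }
        catch (HttpRequestException ex)
        {
            Console.WriteLine($"Request failed: {ex.Message}");
        }
    }

    // Effective setting on Apple platforms after this change: an explicitly set
    // switch wins, and an unset switch means the managed implementation (the new
    // default). The helper only reasons about Apple platforms, which is all the
    // PR changes; elsewhere it reports false.
    static bool IsManagedNtlmEnabled()
    {
        if (AppContext.TryGetSwitch(ManagedNtlmSwitch, out bool enabled))
        {
            return enabled;
        }
        return OperatingSystem.IsMacOS() || OperatingSystem.IsMacCatalyst()
            || OperatingSystem.IsIOS() || OperatingSystem.IsTvOS();
    }
}
```

Run with DEMO_OPT_OUT_MANAGED_NTLM=1 to exercise the platform path and without it for the managed default; comparing the two against the same server is the quickest way to tell whether a 401 on macOS comes from the compatibility issues this PR works around or from the credentials themselves.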