diff --git a/src/System.Net.Http/src/System.Net.Http.csproj b/src/System.Net.Http/src/System.Net.Http.csproj
index a349ce848d45..dd933eb290d8 100644
--- a/src/System.Net.Http/src/System.Net.Http.csproj
+++ b/src/System.Net.Http/src/System.Net.Http.csproj
@@ -599,6 +599,9 @@
+
+
+
diff --git a/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs b/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
index 1f262968e03e..3d3eaed48b8c 100644
--- a/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
+++ b/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
@@ -4,6 +4,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Net;
 using System.Net.Http.Headers;
 using System.Threading;
 using System.Threading.Tasks;
@@ -77,7 +78,28 @@ private static async Task SendWithNtAuthAsync(HttpRequestMe
 string challengeData = challenge.ChallengeData;
- string spn = "HTTP/" + authUri.IdnHost;
+ // Need to use FQDN normalized host so that CNAME's are traversed.
+ // Use DNS to do the forward lookup to an A (host) record.
+ // But skip DNS lookup on IP literals. Otherwise, we would end up
+ // doing an unintended reverse DNS lookup.
+ string spn;
+ UriHostNameType hnt = authUri.HostNameType;
+ if (hnt == UriHostNameType.IPv6 || hnt == UriHostNameType.IPv4)
+ {
+ spn = authUri.IdnHost;
+ }
+ else
+ {
+ IPHostEntry result = await Dns.GetHostEntryAsync(authUri.IdnHost).ConfigureAwait(false);
+ spn = result.HostName;
+ }
+ spn = "HTTP/" + spn;
+
+ if (NetEventSource.IsEnabled)
+ {
+ NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Host: {authUri.IdnHost}, SPN: {spn}");
+ }
+
 ChannelBinding channelBinding = connection.TransportContext?.GetChannelBinding(ChannelBindingKind.Endpoint);
 NTAuthentication authContext = new NTAuthentication(isServer:false, challenge.SchemeName, challenge.Credential, spn, ContextFlagsPal.Connection, channelBinding);
 try
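Review bot: The `result.HostName` returned by `Dns.GetHostEntryAsync` in the `else` branch is unauthenticated resolver data that now decides which service principal the client requests a ticket for, so anyone who can spoof the client's DNS answers or the CNAME chain being followed can steer the request to an SPN they hold keys for; over HTTPS the certificate check on the original host narrows this, but for plain HTTP or an attacker with an acceptable certificate there is no defence in this hunk, and there is no way for a caller to opt out of canonicalization. Separately, a resolver failure now escapes as a `SocketException` from the handler (the removed line could not fail), rather than falling back to the host as written. I would wrap the lookup so a failed resolution falls back to `authUri.IdnHost`, and state the trust assumption above the lookup with a comment along the lines of `// NOTE: the canonical name comes from unauthenticated DNS; a spoofed answer redirects the ticket request to an attacker-chosen SPN.` The `catch` needs `System.Net.Sockets` in scope, which the `using` hunk does not add. The enclosing `SendWithNtAuthAsync` starts before this hunk and continues after the `try`.

```csharp
else
{
    try
    {
        // NOTE: the canonical name comes from unauthenticated DNS; a spoofed
        // answer redirects the ticket request to an attacker-chosen SPN.
        IPHostEntry result = await Dns.GetHostEntryAsync(authUri.IdnHost).ConfigureAwait(false);
        spn = result.HostName;
    }
    catch (SocketException)
    {
        // Resolution failed: use the host as written instead of failing the request.
        spn = authUri.IdnHost;
    }
}
// … unchanged: "HTTP/" prefix, tracing, channel binding and NTAuthentication construction …
```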