
For context: I am working with a .Net Framework 4.6.1 ASP.Net app deployed in IIS. Inside the app we have implemented SSO authentication with Kerberos (the flow with HTTP 401 and a WWW-Authenticate: Negotiate header in the response, which is intercepted by something between the app server and the browser; however, I do not understand who this interceptor is, and cannot debug it).

The issue is, right after I reset the session, I see in the logs that during processing of the first following request, the value of HttpContext.Current.User.Identity.Name already exists (and it is the wrong value, representing the Active Directory or Windows username, not the username we use inside the application). I can't see any data looking like this username in the request in the browser's Network tab.

I tried to perform a session reset on the client side (clearing the cookie in the browser) and on the server side by calling an API that executes:

FormsAuthentication.SignOut();
httpContext.Session.Clear();
httpContext.Session.Abandon();
Roles.DeleteCookie();

I also see a configuration item in web.config that I do not understand: defaultProxy.

So, where does the value of Identity.Name come from? How can I make ASP.Net finally forget it? How can this value be matched with the request even before I get any session cookie?

P.S. In my local environment, without that Kerberos thing, I am not facing this issue: the HttpContext.Current.User.Identity.Name value stays empty until authentication is completed.

UPD: I managed to find out the origin of this value. It comes from Windows authentication (NTLM), which is enabled in this funny app, and Kerberos sits on top of it. Now I am looking for a way to override the Identity value after Kerberos authentication. Is it possible?
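An added illustration (not code from the question, and not a confirmed answer) of where an ASP.Net app can replace the Windows principal that IIS has already attached to the request with its own forms-based one, while keeping the IIS identity reachable for the SSO step. The class and item-key names are assumptions; it is a Global.asax handler for the PostAuthenticateRequest event, which fires after IIS/ASP.Net have set Context.User but before page code runs.

```csharp
// Global.asax.cs (hypothetical; names are assumptions, not from the question)
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Key under which the IIS-negotiated Windows identity is parked for the
    // one code path that actually needs it (the Kerberos SSO step).
    public const string WindowsIdentityItemKey = "WindowsIdentityFromIIS";

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // With Windows auth enabled in IIS, Context.User is already a
        // WindowsPrincipal here, which is what Identity.Name was showing.
        var windowsIdentity = Context.User != null
            ? Context.User.Identity as WindowsIdentity : null;
        if (windowsIdentity != null)
        {
            Context.Items[WindowsIdentityItemKey] = windowsIdentity;
        }

        // The application user is defined solely by a valid forms ticket.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = null;
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { ticket = null; } // tampered or stale cookie: anonymous
        }

        IPrincipal appUser;
        if (ticket != null && !ticket.Expired)
        {
            appUser = new GenericPrincipal(
                new GenericIdentity(ticket.Name, "Forms"), new string[0]);
        }
        else
        {
            // An empty name gives IsAuthenticated == false, so Identity.Name
            // stays "" until the application's own login has completed.
            appUser = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        }

        Context.User = appUser;
        Thread.CurrentPrincipal = appUser;
    }
}
```

Code that must act on the AD user (the Kerberos step) reads it back from Context.Items rather than from User.Identity. This changes only what the application sees; IIS still performs the Windows handshake, so any authorization that should depend on the AD account must check the parked WindowsIdentity explicitly.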

  • AFAIR Kerberos is header-based; deleting cookies or the session has nothing to do with it. If the server returns 401 with WWW-Authenticate, then there's the handshake between the browser and the server, and ultimately you end up with 200 from the server; this could be the response you see in the network tab. The negotiated value cannot be dropped or overridden afaik. If you close the browser and reopen it, the 401 kicks in again and you end up with the very same user. Commented Oct 12, 2023 at 11:39
  • Not sure then what you mean by "value stays empty until authentication is completed", as the very first moment your ASP.NET server processes the request (and you can inspect context.user.identity.name) is after the Kerberos handshake. Commented Oct 12, 2023 at 11:40
  • @WiktorZychla First, I am not seeing a 401 response in the browser. No Authorization header is sent after clearing the session. The Kerberos handshake starts at one particular point in the app code; some requests (to GET the login form or static files, for example) can be processed before authentication, which is where I am seeing this strange behavior.
    – bearpro
    Commented Oct 12, 2023 at 12:09
  • Actually, I just managed to find out the origin of this value. It comes from Windows authentication (NTLM), which is enabled in this funny app, and Kerberos sits on top of it. Now I am looking for a way to override the Identity value after Kerberos authentication.
    – bearpro
    Commented Oct 12, 2023 at 12:09
  • Weird. Although NTLM is connection-based and there are no headers, you still should see the 401 handshake and easily learn which protocol is used. Have you debugged it with Burp/Fiddler? Commented Oct 12, 2023 at 12:55
