This repository has been archived by the owner on Jan 23, 2023. It is now read-only.
/ corefx Public archive

Fix SPN used for Negotiate authentication #33426

Merged
merged 2 commits into from
Nov 12, 2018

Commits on Nov 12, 2018

  1. Fix SPN used for Negotiate authentication

    SocketsHttpHandler was not normalizing the DNS name prior to using it for the SPN
    (Service Principal Name). So, when using URIs that involve a CNAME, it was using
    the CNAME directly and not evaluating it to the normalized FQDN A record of the host.
    
    This change fixes the behavior to match .NET Framework so that CNAMEs are resolved
    properly. We can use the standard Dns.GetHostEntryAsync() API to resolve the name.
    
    From a performance perspective, this additional DNS API call is limited to just
    the SPN calculation for NT Auth. Calling this API doesn't impact the performance on the
    wire since the OS will cache DNS calls.  Wireshark confirms that no additional DNS
    protocol packets will be sent.
    
    .NET Framework actually caches the normalized DNS resolution on the ServicePoint object
    when it opens up a connection. Thus, it doesn't have to call Dns.GetHostEntryAsync()
    for the SPN calculation. While a future PR could further optimize SocketsHttpHandler to
    also cache this DNS host name, it isn't clear it would result in measurable performance gain.
    
    I tested this change in a separate Enterprise testing environment I set up. I created
    a CNAME for a Windows IIS server in a Windows domain-joined environment and demonstrated that
    the Negotiate protocol results in a Kerberos authentication (and doesn't fall back to NTLM).
    
    Fixes #32328
    davidsh committed Nov 12, 2018
    Commit 650c8e6
  2. Address PR feedback

    davidsh committed Nov 12, 2018
    Commit 93d6e81
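
An added example, not code from this pull request, of the SPN calculation the first commit message describes: the host from the URI is resolved to its canonical FQDN before `HTTP/<host>` is built, so a CNAME alias yields the SPN registered for the real server and Negotiate can obtain a Kerberos ticket instead of falling back to NTLM. `GetHttpSpnAsync`, the injectable `resolve` delegate, the fallback on lookup failure, and the `example.test` names are assumptions made for illustration; `Dns.GetHostEntryAsync` is the API the commit names.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;

static class SpnExample
{
    // Real lookup: IPHostEntry.HostName carries the canonical name after CNAME resolution.
    static async Task<string> ResolveCanonicalAsync(string host) =>
        (await Dns.GetHostEntryAsync(host)).HostName;

    // Hypothetical helper: returns "HTTP/<canonical-host>" for use as the Negotiate SPN.
    public static async Task<string> GetHttpSpnAsync(Uri uri, Func<string, Task<string>> resolve = null)
    {
        if (resolve == null) resolve = ResolveCanonicalAsync;
        string host = uri.IdnHost;

        // IP literals have no CNAME to follow, so only DNS names are resolved.
        if (uri.HostNameType == UriHostNameType.Dns)
        {
            try
            {
                string canonical = await resolve(host);
                if (!string.IsNullOrEmpty(canonical)) host = canonical;
            }
            catch (SocketException)
            {
                // Assumption: on lookup failure keep the URI's name rather than fail the request.
            }
        }
        return "HTTP/" + host;
    }

    static async Task Main()
    {
        // Constructed DNS data standing in for a CNAME record: alias -> canonical FQDN.
        var zone = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["intranet.example.test"] = "iis01.corp.example.test",
        };
        Func<string, Task<string>> fake = h =>
            zone.TryGetValue(h, out var fqdn) ? Task.FromResult(fqdn) : throw new SocketException(11001);

        Console.WriteLine(await GetHttpSpnAsync(new Uri("http://intranet.example.test/"), fake));
        Console.WriteLine(await GetHttpSpnAsync(new Uri("http://10.0.0.5/"), fake));
        Console.WriteLine(await GetHttpSpnAsync(new Uri("http://unknown.example.test/"), fake));
    }
}
```

Comparing the SPN this produces with the service name in the Kerberos ticket request recorded on the domain controller is a quick way to confirm whether a client is using the alias or the canonical name.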