ASP.NET core Windows Authentication, Service Fabric vs no Service Fabric

[ericcox]

Describe the bug Using SF SDK 3.2.187.9494, Runtime 6.3.187.9494, and .NET Core SDK 2.1.403. I've been trying to create a stateless service with an ASP.NET Core API that does Windows Authentication. The default template for ASP.NET Core, without Service Fabric, works fine - if I browse to /api/values, I can set a breakpoint in the controller code and HttpContext.User.Identity.IsAuthenticated is true. I then create a Service Fabric project, with a stateless ASP.NET Core service with Windows Authentication. If I browse to the /api/values, the site produces the following unhandled exception:

InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.

Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeResultAsync(IActionResult result)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAlwaysRunResultFilters()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

To Reproduce Create an ASP.NET Core web site project, select HTTPS and Windows Authentication. Works as expected. Create a SF project with a stateless ASP.NET Core service, select HTTPS and Windows Authentication. Browse to the https endpoint, produces the above error. Archive containing both projects: authenication.zip

Expected behavior I expected the two projects to perform Windows Authentication.

Additional context What am I doing wrong?

How do I have to change my code to do Windows Authentication through a SF-based web API?

Am I using old templates? How can I check?

Background: Ultimately I'm interested in running this cluster in Azure, but for now I'm stuck with an on-prem cluster (management is hesitant about running our in-house applications in the cloud, but I hope to change their minds). So this will be a Windows Authenticated service that will issue JWTs for the rest of the app. Then when we move into Azure, I'll kick it loose and move to Azure AD. If I'm completely off-base in trying to do this, can anyone suggest a better way?

Thanks in advance.

[Tratcher]

In the ASP.NET Core app you've enabled Windows Auth via IIS Express, not in the app itself.

In the ServiceFabric app I see no indication you’ve enabled windows auth, only an Authorize attribute. It’s even using the KestrelCommunicationListener which does not support windows auth. You’d need to use HttpSys instead. https://azure.microsoft.com/en-us/blog/windows-authentication-in-service-fabric-and-asp-net-core-2-0/ https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.1#enable-windows-authentication-with-httpsys

Also, when the app does not accept anonymous requests at the server level the controllers do not need to be marked with the Authorize attribute.

[ericcox]

Thanks for the info. I got it working a short time ago with Http.sys after much reading and trial & error.

I chose windows auth in the Change Authentication dialog when creating the project.

Perhaps this choice should be disabled until the templates support it by using http.sys.

[Tratcher]

Those are the ASP.NET Core templates, they support it via IIS Express.

How did you create the Service Fabric app?

[ericcox]

I just did File -> New -> Project, and then selected Cloud, Service Fabric Application. Then I setup the project name, chose .NET Framework 4.7.1, hit OK. On the New Service Fabric Service dialog, I chose Stateless ASP.NET Core and hit OK. The next dialog is in the screencap above.

[Tratcher]

Ah, SF is borrowing the normal web app templates and dialog rather than creating their own. That's not ideal when they don't support all of the configurations.

[amanbha]

I will share this feedback with Service Fabric VS tools team.

[dbreshears]

Thanks.. Will investigate what we can do here as we do have some control when we launch the asp.net dialog as to what shows and what doesn't.

[BinWuMSFT]

@ericcox Could you share the SF project you modified and applied Http.sys on and it is working?