Closed mfinnigan closed 5 months ago
If I send a klist get,
PS C:\Users\mfinnigan\Desktop> klist get HTTP/company-hcp-sre-dev-private-vault-dff8581e.86e0ac9c.z1.hashicorp.cloud:8200@company.COMP.LOCAL
Current LogonId is 0:0x59dd667
A ticket to HTTP/company-hcp-sre-dev-private-vault-dff8581e.86e0ac9c.z1.hashicorp.cloud:8200@company.COMP.LOCAL has been retrieved successfully.
#2> Client: mfinnigan @ company.COMP.LOCAL
Server: HTTP/company-hcp-sre-dev-private-vault-dff8581e.86e0ac9c.z1.hashicorp.cloud:8200 @ company.COMP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 12/5/2023 15:10:08 (local)
End Time: 12/6/2023 1:10:08 (local)
Renew Time: 12/12/2023 15:08:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: TVDC01.company.COMP.local
Here's the TGS-REQ as seen in Wireshark:
req-body
Padding: 0
kdc-options: 40810000
realm: company.COMP.LOCAL
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: HTTP
SNameString: company-hcp-sre-dev-private-vault-dff8581e.86e0ac9c.z1.hashicorp.cloud:8200
till: Sep 12, 2037 19:48:05.000000000 Pacific Daylight Time
nonce: 843374022
etype: 5 items
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
enc-authorization-data
Here's the TGS-REQ from running quickstart.exe:
req-body
Padding: 0
kdc-options: 40810000
realm: company.COMP.LOCAL
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: HTTP
SNameString: company-hcp-sre-dev-private-vault-dff8581e.86e0ac9c.z1.hashicorp.cloud
till: Sep 12, 2037 19:48:05.000000000 Pacific Daylight Time
nonce: 544884361
etype: 5 items
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
enc-authorization-data
Note the missing port number in the SNameString. The response from the KDC is
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
I have done some debugging and found that if I set DOTNET_SYSTEM_NET_HTTP_USEPORTINSPN as an environment variable, this works properly. I don't know the proper way to set System.Net.Http.UsePortInSpn to true as a user of VaultSharp (I don't see any likely option), or if this needs to be a PR to your project.
This may also be because I'm targeting .NET 6.0; it seems this was a change in 6.0? https://stackoverflow.com/questions/74390400/net-5-to-net-6-httpclient-breaking-change-for-default-spn-port
aha - adding this line "System.Net.Http.UsePortInSpn": true to ".\quick-start\bin\Release\net6.0\quickstart.runtimeconfig.json" takes care of the issue.
I am now also running into this issue when targeting .NET framework (4.8). I'm unable to find a way to change the behavior. I did try adding this to my code
System.Net.AuthenticationManager.CustomTargetNameDictionary
.Add("https://bng-hcp-vault1-private-vault-dda82d4a.d714d954.z1.hashicorp.cloud:8200/", "HTTP/bng-hcp-vault1-private-vault-dda82d4a.d714d954.z1.hashicorp.cloud");
or
System.Net.AuthenticationManager.CustomTargetNameDictionary
.Add("https://bng-hcp-vault1-private-vault-dda82d4a.d714d954.z1.hashicorp.cloud:8200/", "HTTP/bng-hcp-vault1-private-vault-dda82d4a.d714d954.z1.hashicorp.cloud:8200");
with no change in behavior. (suggestion found here https://stackoverflow.com/questions/39740676/forcing-specific-spn-for-url-in-net)
I ended up just asking our AD team to create an additional SPN on the service account without the port number, and that works. Don't even need to regenerate the keytab; this is just to paper over a bug in the client behavior.
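A small diagnostic, added here and not part of the thread or of VaultSharp, that derives the SPN a .NET Negotiate client will ask the KDC for from the request URL (port dropped, as in the quickstart.exe TGS-REQ above, versus port kept) and checks it against `setspn -L` style output, so the `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` case can be spotted before anyone touches AD. The hostnames, the sample setspn output and the "keep the port only when it is not the scheme default" rule for `UsePortInSpn=true` are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def expected_spn(url: str, use_port_in_spn: bool) -> str:
    """SPN a Negotiate client derives from the request URL.

    use_port_in_spn=False mirrors the .NET 6 default (port dropped, as in the
    quickstart.exe TGS-REQ above); True mirrors UsePortInSpn=true, modelled
    here as "keep the port when it is not the scheme default" (assumption).
    """
    u = urlsplit(url)
    if u.hostname is None or u.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported URL: {url!r}")
    port = u.port or DEFAULT_PORTS[u.scheme]
    if use_port_in_spn and port != DEFAULT_PORTS[u.scheme]:
        return f"HTTP/{u.hostname}:{port}"
    return f"HTTP/{u.hostname}"


def parse_setspn(output: str) -> set[str]:
    """Collect SPNs from `setspn -L <account>` style output, case-folded."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        if "/" in line and not line.lower().startswith("registered"):
            spns.add(line.lower())
    return spns


def check_spn_coverage(url: str, setspn_output: str) -> dict:
    """Per client behaviour: the SPN requested and whether the account holds it.

    A missing entry is what the KDC answers with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
    """
    registered = parse_setspn(setspn_output)
    report = {}
    for label, use_port in (("dotnet6_default", False), ("use_port_in_spn", True)):
        spn = expected_spn(url, use_port)
        report[label] = {"spn": spn, "registered": spn.lower() in registered}
    return report


# Constructed sample (assumption): an account holding only the port-qualified SPN.
SAMPLE_SETSPN = """Registered ServicePrincipalNames for CN=svc-vault,OU=Svc,DC=example,DC=local:
    HTTP/vault.example.local:8200
"""

if __name__ == "__main__":
    url = "https://vault.example.local:8200/v1/auth/kerberos/login"
    for label, info in check_spn_coverage(url, SAMPLE_SETSPN).items():
        print(f"{label:16} {info['spn']:36} registered={info['registered']}")
```

With the sample input the .NET 6 default row comes back unregistered and the port-qualified row registered, which is exactly the mismatch behind the KDC error above.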
I've got Kerberos auth working from the CLI, but not from VaultSharp, using the quickstart sample program. This is against HCP Vault. See update in comment below - it's asking the KDC for a ticket without the port number of the vault SPN
VaultSharp Version 1.13.01, .NET 6.0, on Windows 10
Vault Version 1.15.2 +Ent (HCP)
Does this work with Vault CLI? Yes
Sample Code Snippet
Exception Details/Stack Trace/Error Message
Fiddler seems to see me sending NTLM in response to a 401 Www-Authenticate: Negotiate prompt
Any additional info
successful CLI auth
setspn output
lack of a ticket for this spn in klist output
However, even if I run "klist get" manually, this still fails with the same behavior.
PS C:\Users\mfinnigan\Desktop> klist |select-string http
this is an A record, not a CNAME