http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options

[evgenykotkov]

http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options

Description

The native HTTP.sys API offers two extended authentication flags:

• HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING and
• HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL

that can be used by users to fine-tune their Windows authentication setups.

For instance, the HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING flag can be used to avoid having to authenticate every request and make the authentication session-based, thus reducing the overall number of requests and improving the high-latency scenarios. Enabling it can be used to achieve the same behavior as with the authPersistNonNTLM option in IIS.

Change details:

• The groundwork change c50346d fixes an existing issue in the definition/layout of the HTTP_SERVER_AUTHENTICATION_INFO interop structure.

• The core change 7489786 exposes both flags as options in the authentication manager. Because setting the extended flags requires a different property type (HttpServerExtendedAuthenticationProperty), we take additional precaution to only use that property type if we actually have the extended flags to set, and use the original HttpServerAuthenticationProperty otherwise.

Fixes #13634

API proposal: #51990

[ghost]

Thanks for your PR, @evgenykotkov. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

[Tratcher]

FYI https://github.com/dotnet/aspnetcore/pull/50685/files#diff-9ef7d6eddeed6c08a6095b72475b87bc6b8b84b2b657ad07d407f9feb44f232c removes the need for pre-defined interop structs.

[Tratcher]

@blowdart

[blowdart]

Cached in the comments is vague.

Cached for how long?

[ghost]

Thank you for your API proposal. I'm removing the api-ready-for-review label. API Proposals should be submitted for review through Issues based on this template.

[Tratcher]

I think this is the same intent as

aspnetcore/src/Security/Authentication/Negotiate/src/NegotiateOptions.cs

Lines 22 to 27 in 0fe51bd

	/// <summary>
	/// Indicates if Kerberos credentials should be persisted and re-used for subsquent anonymous requests.
	/// This option must not be used if connections may be shared by requests from different users.
	/// </summary>
	/// <value>Defaults to <see langword="false"/>.</value>
	public bool PersistKerberosCredentials { get; set; }

[amcasey]

Please have a look at the merge conflicts.

[amcasey]

I know we're mirroring an underlying API, but it seems like this should be "CaptureCredentials".

[Tratcher]

CaptureProcessCredentials

[evgenykotkov]

In 39edd84, I went with the CaptureCredentials name for this option. Please let me know if it works for you.

[amcasey]

I'd prefer to retain at least a comment indicating that it's boolean.

[evgenykotkov]

I'd prefer to retain at least a comment indicating that it's boolean.

With 7f18f8f, this change seems to be no longer necessary for main.

However, since c50346d seems to fix a rather significant issue with an invalid structure layout/size, is it something that should be backported to stable branches?

Please let me know if that is the case, and whether you'd want me to handle that with a separate PR or in any other convenient way.

[Tratcher]

Can you demonstrate any negative effects from the old structure? We've not had any complaints here.

[evgenykotkov]

Can you demonstrate any negative effects from the old structure? We've not had any complaints here.

In my x64 environment, the native size of the structure is:

sizeof(HTTP_SERVER_AUTHENTICATION_INFO) == 64

In the same environment, the size of the interop structure before the fix is:

Marshal.SizeOf<HttpApiTypes.HTTP_SERVER_AUTHENTICATION_INFO> == 80

In turn, this means that:

1. The field layout is wrong after the AuthSchemes field
2. An invalid (larger) size is passed during the call to HttpSetUrlGroupProperty()

Maybe 1. hasn't been causing any practical issues because the current version of the code didn't change any structure fields after the AuthSchemes. But I would still say that 2. is quite significant just by itself: the behavior when passing an invalid size to the HttpSetUrlGroupProperty() function seems to be unspecified, and could have easily resulted in an error or even a crash.

In my environment the call seems to succeed, so from that perspective this remains a theoretical issue, but, to be precise, there is a chance that this behavior may change in the future or may differ depending on the OS version — I haven't checked that in detail.

---

For reference, here is the native definition of the related typedefs and the structure itself:

typedef BYTE  BOOLEAN;
typedef unsigned char UCHAR;

typedef struct _HTTP_SERVER_AUTHENTICATION_INFO
{
    HTTP_PROPERTY_FLAGS Flags;

    ULONG AuthSchemes;

    BOOLEAN ReceiveMutualAuth;
    BOOLEAN ReceiveContextHandle;
    BOOLEAN DisableNTLMCredentialCaching;

    UCHAR   ExFlags;

    HTTP_SERVER_AUTHENTICATION_DIGEST_PARAMS DigestParams;
    HTTP_SERVER_AUTHENTICATION_BASIC_PARAMS  BasicParams;

} HTTP_SERVER_AUTHENTICATION_INFO, *PHTTP_SERVER_AUTHENTICATION_INFO;

[Tratcher]

Ok, we won't consider backporting it without a repro of a functional issue. For now it's enough that the issue is gone in main.

[evgenykotkov]

Please have a look at the merge conflicts.

Done.

(With 7f18f8f, the groundwork change c50346d is no longer required, so I rebased the core change as bf884dc.)

[ghost]

Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime.
To make sure no conflicting changes have occurred, please rerun validation before merging. You can do this by leaving an /azp run comment here (requires commit rights), or by simply closing and reopening.

[amcasey]

I think we're just waiting for an API review.

[amcasey]

API review asked for a rename. Otherwise, we should be good to go.

[evgenykotkov]

API review asked for a rename. Otherwise, we should be good to go.

Based on the discussion in #51990, I kept the original names and made a couple of tweaks to the docstrings.