
ServerContext not Stateless?

Open pvaartstra opened this issue 1 year ago • 5 comments

I created a minimal WebAPI application, attempting to do Negotiate authentication using the NSSPI library. The first negotiate token I get back from the client (browser or PowerShell) generates a ContinueNeeded status from serverContext.AcceptToken(). I send the generated server token back to the client, but then the next negotiate token I get back from the client throws an exception within serverContext.AcceptToken().

Here is the message flow:

- (client:) GET /secure
- (server:) HTTP 401 WWW-Authenticate: Negotiate
- (client:) GET /secure Authorization: Negotiate {initial token generated by client}
- (server:) HTTP 401 WWW-Authenticate: Negotiate {server token generated by server.AcceptToken}
- (client:) GET /secure Authorization: Negotiate {presumably a secondary token generated by the client based on the server token}
- (server:) HTTP 500 Body: {"Failed to call AcceptSecurityContext. Error Code = '0x80090308' - "The provided authentication token is invalid or corrupted."."}

I'm guessing this has to do with the multi-threaded nature of WebAPI and that the serverContext instance is destroyed between the first step and the second step of authentication. It turns out that if I make the serverContext static, the two-step negotiation works fine. Is ServerContext not stateless? How can I save and restore its state if I need to avoid static members?

pvaartstra, Jul 17 '24 18:07
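An added example (not from this issue or the NSSPI project) of one way to keep the half-finished ServerContext alive across the two Negotiate round trips without a static field: a static context is shared by every client, so two concurrent handshakes would feed each other's tokens, whereas Negotiate/NTLM authenticate the TCP connection, so the context can be cached per connection and dropped as soon as the handshake ends or fails. It assumes ASP.NET Core (`HttpContext.Connection.Id`) and NSSPI's `ServerCredential`, `ServerContext(cred, ContextAttrib)`, `AcceptToken(byte[], out byte[])`, `SecurityStatus.ContinueNeeded` and `ContextUserName` as shown in the NSSPI README; `NegotiateMiddleware` and `pending` are names chosen for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using NSspi;
using NSspi.Contexts;
using NSspi.Credentials;

// Added example: keeps each half-finished Negotiate handshake per TCP connection
// instead of in one static ServerContext shared by every client.
public class NegotiateMiddleware
{
    private readonly RequestDelegate next;
    private readonly ServerCredential cred = new ServerCredential(PackageNames.Negotiate);
    // Assumed helper state: in-progress contexts keyed by connection id.
    private readonly ConcurrentDictionary<string, ServerContext> pending = new();
    public NegotiateMiddleware(RequestDelegate next) => this.next = next;

    public async Task InvokeAsync(HttpContext http)
    {
        string header = http.Request.Headers["Authorization"];
        // Round 0: no token yet, advertise the scheme and stop.
        if (header == null || !header.StartsWith("Negotiate ", StringComparison.Ordinal)) { Challenge(http, null); return; }
        // Negotiate/NTLM authenticate the TCP connection, so the key is the connection, not the request.
        string connId = http.Connection.Id;
        byte[] clientToken = Convert.FromBase64String(header.Substring("Negotiate ".Length));
        // Round 1 creates the context; round 2 on the same connection picks it up again.
        ServerContext ctx = pending.GetOrAdd(connId, _ => new ServerContext(cred, ContextAttrib.MutualAuth));
        try
        {
            SecurityStatus status = ctx.AcceptToken(clientToken, out byte[] serverToken);
            // Hand the server token back and keep ctx alive for the client's next token.
            if (status == SecurityStatus.ContinueNeeded) { Challenge(http, serverToken); return; }
            pending.TryRemove(connId, out _);
            http.Items["NegotiateUser"] = ctx.ContextUserName; // assumed NSSPI property
            ctx.Dispose();
            await next(http);
        }
        catch (Exception)
        {
            // A rejected token discards the half-built context and re-challenges instead of returning a 500.
            if (pending.TryRemove(connId, out var dead)) dead.Dispose();
            Challenge(http, null);
        }
    }

    private static void Challenge(HttpContext http, byte[] token)
    {
        http.Response.StatusCode = 401;
        http.Response.Headers["WWW-Authenticate"] = token == null ? "Negotiate" : "Negotiate " + Convert.ToBase64String(token);
    }
}
```

Contexts for clients that never send their second token should also be expired on a timer, otherwise the dictionary grows with abandoned handshakes. Connection.Id is stable across requests on one keep-alive connection, which is exactly the scope Negotiate expects.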