Fix compatibility with NTLM authentication to McAfee Web Gateway (#66305)

filipnavara · web-flow · commit 1330ef5ef260 · 2022-03-07T14:00:02.000-08:00
diff --git a/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs b/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs
@@ -154,8 +154,19 @@ private static async Task<HttpResponseMessage> SendWithNtAuthAsync(HttpRequestMe
                             NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}");
                         }
 
+                        ContextFlagsPal contextFlags = ContextFlagsPal.Connection;
+                        // When connecting to proxy server don't enforce the integrity to avoid
+                        // compatibility issues. The assumption is that the proxy server comes
+                        // from a trusted source. On macOS we always need to enforce the integrity
+                        // to avoid the GSSAPI implementation generating corrupted authentication
+                        // tokens.
+                        if (!isProxyAuth || OperatingSystem.IsMacOS())
+                        {
+                            contextFlags |= ContextFlagsPal.InitIntegrity;
+                        }
+
                         ChannelBinding? channelBinding = connection.TransportContext?.GetChannelBinding(ChannelBindingKind.Endpoint);
-                        NTAuthentication authContext = new NTAuthentication(isServer: false, challenge.SchemeName, challenge.Credential, spn, ContextFlagsPal.Connection | ContextFlagsPal.InitIntegrity, channelBinding);
+                        NTAuthentication authContext = new NTAuthentication(isServer: false, challenge.SchemeName, challenge.Credential, spn, contextFlags, channelBinding);
                         string? challengeData = challenge.ChallengeData;
                         try
                         {
