Negotiate stream fails NTLM auth
A .NET 8 app connects to a .NET Windows service using the Negotiate auth scheme to establish the connection. Both apps run under accounts within the same domain. The host environment for this domain eventually will not support NTLM. I want to enable this for Kerberos, but the connection always falls back to NTLM and fails. The steps taken and the code snippets are noted below.
I've set an SPN for both accounts using `setspn -S TestService/<Hostname> <Domain>\<username>`. The client app uses impersonation to connect to the service.
The Windows service hosts a background service that listens for connections:

```csharp
HttpListener _httpListener = new HttpListener();
_httpListener.Prefixes.Add("http://192.2.0.1:9197/");
_httpListener.AuthenticationSchemes = AuthenticationSchemes.Negotiate;
_httpListener.Start();
```
On the client, the connection uses impersonation:

```csharp
var handler = new HttpClientHandler
{
    UseDefaultCredentials = true,
    PreAuthenticate = true
};
var client = new HttpClient(handler);
var response = await client.GetAsync(service);
response.EnsureSuccessStatusCode();
```
This is on a test machine with no firewall rules or any other policy settings. What could be missing, or how do I troubleshoot this? I tried auditing the NTLM attempts and can see the NTLM attempt being made if the client is on a different host.
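An added diagnostic example, not code from the question above: a variant of the listener that logs, per request, which package Negotiate actually settled on and refuses anything other than Kerberos, so a fallback to NTLM is visible from the service's own log without relying on NTLM audit policy. Two things in it are assumptions rather than facts from the post: the host name `svc.example.local`, and that the service account holds the `HTTP/svc.example.local` SPN, which is the service class `HttpClient` requests by default for an HTTP URL. The listener is bound to a host name deliberately: Negotiate derives the target SPN from the host in the URL, and a raw IP address such as the one in the question gives it no SPN to request a ticket for by default, so it falls back to NTLM. The helper name `WriteAsync` is hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

// Added diagnostic example. Assumes the process runs under a service account
// that holds the HTTP/svc.example.local SPN and that clients address the
// listener by that host name (assumed), never by IP address.
class NegotiateDiagnostics
{
    const string Prefix = "http://svc.example.local:9197/"; // assumed host name

    static async Task Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        listener.AuthenticationSchemes = AuthenticationSchemes.Negotiate;
        listener.Start();
        Console.WriteLine($"Listening on {Prefix}");

        while (true)
        {
            HttpListenerContext ctx = await listener.GetContextAsync();
            var identity = ctx.User?.Identity as WindowsIdentity;

            // WindowsIdentity.AuthenticationType reports "Kerberos" when the
            // ticket path worked and "NTLM" when Negotiate fell back.
            string package = identity?.AuthenticationType ?? "anonymous";
            Console.WriteLine(
                $"{DateTime.UtcNow:o} remote={ctx.Request.RemoteEndPoint} " +
                $"user={identity?.Name ?? "-"} package={package}");

            // Once the domain no longer supports NTLM, treat anything but
            // Kerberos as a failed authentication rather than a silent downgrade.
            if (package != "Kerberos")
            {
                ctx.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                await WriteAsync(ctx.Response,
                    "Kerberos required; Negotiate selected " + package);
                continue;
            }

            ctx.Response.StatusCode = (int)HttpStatusCode.OK;
            await WriteAsync(ctx.Response, "ok (" + package + ")");
        }
    }

    // Hypothetical helper: write a small text body and close the response.
    static async Task WriteAsync(HttpListenerResponse response, string body)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(body);
        response.ContentType = "text/plain";
        response.ContentLength64 = bytes.Length;
        await response.OutputStream.WriteAsync(bytes, 0, bytes.Length);
        response.Close();
    }
}
```

Run the client from the question against `http://svc.example.local:9197/` (the host name, not the IP) and watch the `package=` field: if it still reads `NTLM` while the URL uses a host name, the remaining suspects are the SPN (the client asks for `HTTP/<host>`, whereas the post registers `TestService/<host>`) and the impersonation context, since a ticket request is made on behalf of the impersonated identity, which must be able to reach a KDC.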