diff --git a/aspnetcore/fundamentals/servers/httpsys.md b/aspnetcore/fundamentals/servers/httpsys.md index b681c84d5b08..1e87e34df61d 100644 --- a/aspnetcore/fundamentals/servers/httpsys.md +++ b/aspnetcore/fundamentals/servers/httpsys.md @@ -6,7 +6,7 @@ description: Learn about HTTP.sys, a web server for ASP.NET Core on Windows. Bui monikerRange: '>= aspnetcore-2.1' ms.author: tdykstra ms.custom: mvc -ms.date: 03/26/2026 +ms.date: 04/30/2026 uid: fundamentals/servers/httpsys --- # HTTP.sys web server implementation in ASP.NET Core 
@@ -99,6 +99,29 @@ Http.Sys also supports sending an AltSvc HTTP/2 protocol message rather than a r HTTP.sys delegates to kernel mode authentication with the Kerberos authentication protocol. User mode authentication isn't supported with Kerberos and HTTP.sys. The machine account must be used to decrypt the Kerberos token/ticket that's obtained from Active Directory and forwarded by the client to the server to authenticate the user. Register the Service Principal Name (SPN) for the host, not the user of the app. +### Enable channel binding token (CBT) hardening + +Channel binding tokens (CBT) tie Windows authentication to the underlying TLS channel, which helps mitigate NTLM relay and man-in-the-middle attacks. For HTTPS endpoints that use Windows authentication with HTTP.sys, you can opt in to CBT hardening by setting the `Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening` AppContext switch to `true`. + +Enable the switch in your project's `runtimeconfig.template.json` file: + +```json +{ + "configProperties": { + "Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening": true + } +} +``` + +Or set the switch programmatically before building the host in `Program.cs`: + +```csharp +AppContext.SetSwitch("Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening", true); +``` + +> [!WARNING] +> CBT hardening is off by default. Enabling it can cause Windows authentication to fail for clients or proxies that don't support channel binding. Test thoroughly in your environment before enabling in production. + ### Support for kernel-mode response buffering In some scenarios, high volumes of small writes with high latency can cause significant performance impact to `HTTP.sys`. This impact is due to the lack of a buffer in the `HTTP.sys` implementation. To improve performance in these scenarios, support for response buffering is included in `HTTP.sys`. 
Enable buffering by setting [HttpSysOptions.EnableKernelResponseBuffering](https://github.com/dotnet/aspnetcore/blob/main/src/Servers/HttpSys/src/HttpSysOptions.cs#L120) to `true`. diff --git a/aspnetcore/fundamentals/servers/httpsys/includes/httpsys8-9.md b/aspnetcore/fundamentals/servers/httpsys/includes/httpsys8-9.md index 0e9d66555129..10b299f5c43e 100644 --- a/aspnetcore/fundamentals/servers/httpsys/includes/httpsys8-9.md +++ b/aspnetcore/fundamentals/servers/httpsys/includes/httpsys8-9.md 
@@ -79,6 +79,29 @@ Http.Sys also supports sending an AltSvc HTTP/2 protocol message rather than a r HTTP.sys delegates to kernel mode authentication with the Kerberos authentication protocol. User mode authentication isn't supported with Kerberos and HTTP.sys. The machine account must be used to decrypt the Kerberos token/ticket that's obtained from Active Directory and forwarded by the client to the server to authenticate the user. Register the Service Principal Name (SPN) for the host, not the user of the app. +### Enable channel binding token (CBT) hardening + +Channel binding tokens (CBT) tie Windows authentication to the underlying TLS channel, which helps mitigate NTLM relay and man-in-the-middle attacks. For HTTPS endpoints that use Windows authentication with HTTP.sys, you can opt in to CBT hardening by setting the `Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening` AppContext switch to `true`. + +Enable the switch in your project's `runtimeconfig.template.json` file: + +```json +{ + "configProperties": { + "Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening": true + } +} +``` + +Or set the switch programmatically before building the host in `Program.cs`: + +```csharp +AppContext.SetSwitch("Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening", true); +``` + +> [!WARNING] +> CBT hardening is off by default. Enabling it can cause Windows authentication to fail for clients or proxies that don't support channel binding. Test thoroughly in your environment before enabling in production. + ### Support for kernel-mode response buffering In some scenarios, high volumes of small writes with high latency can cause significant performance impact to `HTTP.sys`. This impact is due to the lack of a buffer in the `HTTP.sys` implementation. To improve performance in these scenarios, support for response buffering is included in `HTTP.sys`. 
Enable buffering by setting [HttpSysOptions.EnableKernelResponseBuffering](https://github.com/dotnet/aspnetcore/blob/main/src/Servers/HttpSys/src/HttpSysOptions.cs#L120) to `true`. diff --git a/aspnetcore/security/authentication/windowsauth.md b/aspnetcore/security/authentication/windowsauth.md index 7377cdf38be6..80d9a13dc49d 100644 --- a/aspnetcore/security/authentication/windowsauth.md +++ b/aspnetcore/security/authentication/windowsauth.md @@ -5,7 +5,7 @@ description: Learn how to configure Windows Authentication in ASP.NET Core for I monikerRange: '>= aspnetcore-3.1' ms.author: wpickett ms.custom: mvc -ms.date: 10/17/2025 +ms.date: 04/30/2026 uid: security/authentication/windowsauth ms.ai: assisted --- @@ -262,6 +262,9 @@ The following code adds authentication and configures the app's web host to use > [!NOTE] > HTTP.sys delegates to [Kernel Mode](/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode) authentication with the Kerberos authentication protocol. [User Mode](/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode) authentication isn't supported with Kerberos and HTTP.sys. The machine account must be used to decrypt the Kerberos token/ticket that's obtained from Active Directory and forwarded by the client to the server to authenticate the user. Register the Service Principal Name (SPN) for the host, not the user of the app. +> [!TIP] +> To further protect Windows authentication over HTTPS, consider enabling channel binding token (CBT) hardening. For details, see [Enable channel binding token (CBT) hardening](xref:fundamentals/servers/httpsys#enable-channel-binding-token-cbt-hardening). +
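Review bot: In the httpsys.md hunk that adds the CBT section, the sentence "Or set the switch programmatically before building the host in `Program.cs`" under-specifies the ordering: an AppContext switch may be read once during static initialization of the HTTP.sys server, so the safer guidance is to make `AppContext.SetSwitch("Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening", true);` the first statement in `Program.cs`, before the builder is created or `UseHttpSys` is called, and to present the `runtimeconfig.template.json` route (which has no ordering hazard) as the recommended option. The same section should also say which ASP.NET Core release first honors the switch, since the `> [!WARNING]` tells readers to test before enabling but gives them no way to know whether their runtime recognizes it at all.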
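Review bot: The httpsys8-9.md hunk duplicates the CBT section verbatim into the 8-9 include, but neither copy states the minimum 8.x or 9.x servicing version in which `Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening` takes effect; on an older runtime the switch is silently ignored and the reader is left believing Windows authentication is channel-bound when it is not. Add a version note (a `> [!NOTE]` naming the patch release) or gate the section behind a moniker, and consider moving the shared text into a single include so the two copies cannot drift apart.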
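Review bot: The `> [!TIP]` added in the windowsauth.md hunk does not say that CBT hardening applies only when hosting with HTTP.sys, even though the switch it points to is `Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening` and this page's Windows authentication guidance is not limited to HTTP.sys; a reader on another host may go looking for the setting. Suggest: "> When hosting with HTTP.sys, consider enabling channel binding token (CBT) hardening to further protect Windows authentication over HTTPS." with the existing xref kept as-is.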