[Breaking change]: Remove port from SPN in Kerberos/Negotiate #26603

@karelz

Description

When using HttpClient with Kerberos/Negotiate authentication, we will NOT include non-default ports in the SPN to look up services. The new .NET 6 behavior is consistent with .NET Core 3.1 and earlier versions.

The user has the option to opt into the old .NET 5 behavior (to include non-default ports in the SPN) by setting the app context switch 'System.Net.Http.UsePortInSpn' or the environment variable 'DOTNET_SYSTEM_NET_HTTP_USEPORTINSPN' to true.

Version

.NET 6 RC 1

Previous behavior

.NET 5: SPN includes non-default ports.
.NET Core 1.0-3.1: SPN does not contain port (even for non-default ports).

New behavior

SPN does not contain port (even for non-default ports), unless app context switch 'System.Net.Http.UsePortInSpn' or environment variable 'DOTNET_SYSTEM_NET_HTTP_USEPORTINSPN' is set to true.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.

Reason for change

Bring back behavior from .NET Core 1.0-3.1 that customers started depending on.

Recommended action

If you need to preserve .NET 5 behavior, you can set app context switch 'System.Net.Http.UsePortInSpn' or environment variable 'DOTNET_SYSTEM_NET_HTTP_USEPORTINSPN' to true.

Feature area

Networking

Affected APIs

HttpClient behavior
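
An added example, not part of the original issue and not code from the .NET runtime: it sets the app context switch named above and prints, for a few constructed URLs, the SPN a client would request with and without the opt-in. The `ExpectedSpn` helper is hypothetical and assumes the `HTTP/<host>[:<port>]` form with the URI host used as written; the host names are placeholders.

```csharp
using System;

static class SpnSwitchExample
{
    // Switch name taken from the issue text above.
    const string UsePortInSpn = "System.Net.Http.UsePortInSpn";

    // Hypothetical helper (not a .NET API). Assumes the SPN has the form
    // HTTP/<host>[:<port>] and that the URI host is used as written.
    static string ExpectedSpn(Uri uri, bool portInSpn) =>
        portInSpn && !uri.IsDefaultPort
            ? $"HTTP/{uri.IdnHost}:{uri.Port}"
            : $"HTTP/{uri.IdnHost}";

    static void Main()
    {
        // Opt in to the .NET 5 behavior. Assumption: do this at startup,
        // before the first HttpClient request is sent.
        AppContext.SetSwitch(UsePortInSpn, true);

        bool enabled = AppContext.TryGetSwitch(UsePortInSpn, out bool on) && on;

        // Constructed sample endpoints (placeholder host names).
        var endpoints = new[]
        {
            new Uri("http://app.example.test/"),          // default HTTP port
            new Uri("https://app.example.test:8443/api"), // non-default port
            new Uri("http://app.example.test:8080/"),     // non-default port
        };

        Console.WriteLine($"{UsePortInSpn} = {enabled}");
        foreach (var uri in endpoints)
        {
            // Default (.NET 6 / .NET Core 1.0-3.1): port is never included.
            // Opt-in (.NET 5): port is included only when it is non-default.
            Console.WriteLine(
                $"{uri,-40} default: {ExpectedSpn(uri, false),-28} " +
                $"opt-in: {ExpectedSpn(uri, true)}");
        }
    }
}
```

The column that matches the setting in use lists the SPNs that need to be registered for the service account behind each endpoint.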

Labels

  • 🏁 Release: .NET 6: Issues and PRs for the .NET 6 release
  • binary incompatible: Existing binaries may encounter a breaking change in behavior.
  • breaking-change: Indicates a .NET Core breaking change
