Revert all the fallback code paths, System.Net.Security.UseManagedNtlm has to be enabled explicitly; NativeAOT on Linux Bionic does that by default because it doesn't have GSSAPI and native shim

Author: filipnavara

src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.targets

@@ -279,6 +279,9 @@ The .NET Foundation licenses this file to you under the MIT license.
       <IlcArg Include="--feature:System.Linq.Expressions.CanEmitObjectArrayDelegate=false" />
       <IlcArg Include="--feature:System.Linq.Expressions.CanCreateArbitraryDelegates=false" />
 
+      <!-- Linux Bionic doesn't ship GSSAPI, so enable managed implementation -->
+      <IlcArg Condition="'$(_linuxLibcFlavor)' == 'bionic'" Include="--feature:System.Net.Security.UseManagedNtlm=true" />
+
       <!-- The managed debugging support in libraries is unused - trim it -->
       <IlcArg Condition="'$(IlcKeepManagedDebuggerSupport)' != 'true'" Include="--feature:System.Diagnostics.Debugger.IsSupported=false" />
       <IlcArg Condition="'$(UseWindowsThreadPool)' != '' and '$(_targetOS)' == 'win'" Include="--feature:System.Threading.ThreadPool.UseWindowsThreadPool=$(UseWindowsThreadPool)" />

src/libraries/Common/tests/System/Net/Capability.Security.Unix.cs

@@ -7,7 +7,9 @@ public static partial class Capability
     {
         public static bool IsNtlmInstalled()
         {
-            return true;
+            // GSS on Linux does not work with OpenSSL 3.0. Fix was submitted to gss-ntlm but it will take a while to make to
+            // all supported distributions. The second part of the check should be removed when it does.
+            return Interop.NetSecurityNative.IsNtlmInstalled() && (!PlatformDetection.IsOpenSslSupported || PlatformDetection.OpenSslVersion.Major < 3);
         }
     }
 }

src/libraries/System.Net.Security/src/ILLink/ILLink.Substitutions.xml

@@ -0,0 +1,7 @@
+<linker>
+  <assembly fullname="System.Net.Security">
+    <type fullname="System.Net.NegotiateAuthenticationPal">
+      <method signature="System.Boolean get_UseManagedNtlm()" feature="System.Net.Security.UseManagedNtlm" featurevalue="false" body="stub" value="false" />
+    </type>
+  </assembly>
+</linker>

src/libraries/System.Net.Security/src/System.Net.Security.csproj

@@ -284,6 +284,7 @@
     <Compile Include="System\Net\Security\Pal.Managed\SafeChannelBindingHandle.cs" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetPlatformIdentifier)' != '' and '$(TargetPlatformIdentifier)' != 'windows' and '$(UseManagedNtlm)' != 'true'">
+    <ILLinkSubstitutionsXmls Include="$(ILLinkDirectory)ILLink.Substitutions.xml" />
     <Compile Include="System\Net\NegotiateAuthenticationPal.Unix.cs" />
     <Compile Include="$(CommonPath)Microsoft\Win32\SafeHandles\GssSafeHandles.cs"
              Link="Common\Microsoft\Win32\SafeHandles\GssSafeHandles.cs" />

src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Unix.cs

@@ -19,35 +19,11 @@ namespace System.Net
 {
     internal partial class NegotiateAuthenticationPal
     {
-        private static bool _useManagedNtlm;
-        private static bool _isGssApiAvailable;
-
-#pragma warning disable CA1810 // explicit static cctor
-        static NegotiateAuthenticationPal()
-        {
-            try
-            {
-                if (!Interop.NetSecurityNative.IsNtlmInstalled())
-                {
-                    _useManagedNtlm = !AppContext.TryGetSwitch("System.Net.Security.UseManagedNtlm", out bool useManagedNtlm) || useManagedNtlm;
-                }
-                else
-                {
-                    _useManagedNtlm = AppContext.TryGetSwitch("System.Net.Security.UseManagedNtlm", out bool useManagedNtlm) && useManagedNtlm;
-                }
-                _isGssApiAvailable = true;
-            }
-            catch (EntryPointNotFoundException)
-            {
-                // GSSAPI shim may not be available on some platforms (Linux Bionic)
-                _isGssApiAvailable = false;
-            }
-        }
-#pragma warning restore CA1810
+        private static bool UseManagedNtlm { get; } = AppContext.TryGetSwitch("System.Net.Security.UseManagedNtlm", out bool useManagedNtlm) && useManagedNtlm;
 
         public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOptions clientOptions)
         {
-            if (_useManagedNtlm)
+            if (UseManagedNtlm)
             {
                 switch (clientOptions.Package)
                 {
@@ -57,11 +33,6 @@ public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOpt
                     case NegotiationInfoClass.Negotiate:
                         return new ManagedSpnegoNegotiateAuthenticationPal(clientOptions, supportKerberos: true);
                 }
-
-                if (!_isGssApiAvailable)
-                {
-                    return new UnsupportedNegotiateAuthenticationPal(clientOptions);
-                }
             }
 
             try
@@ -76,15 +47,15 @@ public static NegotiateAuthenticationPal Create(NegotiateAuthenticationClientOpt
             {
                 return new UnsupportedNegotiateAuthenticationPal(clientOptions);
             }
+            catch (EntryPointNotFoundException)
+            {
+                // GSSAPI shim may not be available on some platforms (Linux Bionic)
+                return new UnsupportedNegotiateAuthenticationPal(clientOptions);
+            }
         }
 
         public static NegotiateAuthenticationPal Create(NegotiateAuthenticationServerOptions serverOptions)
         {
-            if (!_isGssApiAvailable)
-            {
-                return new UnsupportedNegotiateAuthenticationPal(serverOptions);
-            }
-
             try
             {
                 return new UnixNegotiateAuthenticationPal(serverOptions);
@@ -97,6 +68,11 @@ public static NegotiateAuthenticationPal Create(NegotiateAuthenticationServerOpt
             {
                 return new UnsupportedNegotiateAuthenticationPal(serverOptions);
             }
+            catch (EntryPointNotFoundException)
+            {
+                // GSSAPI shim may not be available on some platforms (Linux Bionic)
+                return new UnsupportedNegotiateAuthenticationPal(serverOptions);
+            }
         }
 
         internal sealed class UnixNegotiateAuthenticationPal : NegotiateAuthenticationPal