Roman, 2021-01-16 18:58:54
ASP.NET

How do I add authorization via Active Directory to an application that already has JWT-based authorization?

Appendix:

  • Backend on .NET Core 3.1 WebAPI
  • Frontend on Vue.
  • The backend runs on Debian. The machine is not joined to the domain, but it can be joined if necessary.

I can't find anything concrete on this subject, except for this document, which says almost nothing. And my own knowledge in this area is zero.
For test purposes I did the following:
  • Created a domain based on Samba. The controller and client are running Debian 10.
    • Controller name: dc1.mydomain.net
    • Domain: MYDOMAIN
    • Realm: MYDOMAIN.NET
    • The machine on which I run the application is called m1.mydomain.net.
  • Added the environment variable KRB5_KTNAME with the path to the keytab file:
    • export KRB5_KTNAME=$HOME/krb5.keytab. Beforehand, I copied krb5.keytab from /etc to ~ and set read permissions on it.
  • Added to Startup.cs file:
    using System.Runtime.InteropServices;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Authentication.Negotiate;   // Microsoft.AspNetCore.Authentication.Negotiate package
    using Microsoft.IdentityModel.Tokens;

    // ConfigureServices: JWT stays the default scheme, Negotiate is registered alongside it.
    services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Only affects fetching OIDC metadata when Authority is set.
                options.RequireHttpsMetadata = false;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ...
                };
            })
            .AddNegotiate(options =>
            {
                if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
                {
                    // EnableLdap does not authenticate the user; it makes the handler bind to the
                    // domain's LDAP server (as MachineAccountName/MachineAccountPassword) to look up
                    // the authenticated user's groups and add them as role claims, which the OS
                    // supplies by itself on Windows but not on Linux.
                    options.EnableLdap(settings =>
                    {
                        settings.Domain = "mydomain.net";
                        settings.MachineAccountName = "administrator";
                        settings.MachineAccountPassword = "...";
                    });
                }
            });

        // Configure: authentication must run before authorization in the pipeline.
        // …
        app.UseAuthentication();
        app.UseAuthorization();

Questions:
  1. What do I do next? How is the user verified? I could not find any examples.
  2. What are MachineAccountName and MachineAccountPassword? The login and password of a domain user? And are they needed? If I add these options I get an exception: "System.DirectoryServices.Protocols.DirectoryOperationException: Strong authentication is required for this operation".
  3. Do I need to add any additional SPNs to the keytab file other than those already there? The keytab now contains the following entries:

    1 2 host/[email protected]
    2 2 host/[email protected]
    3 2 host/[email protected]
    4 2 host/[email protected]
    5 2 host/debian. [email protected]
    6 2 host/[email protected]
    7 2 host/[email protected]
    8 2 host/[email protected]
    9 2 host/[email protected] NET
    10 2 host/[email protected]
    11 2 [email protected]
    12 2 [email protected]
    13 2 [email protected]
    14 2 [email protected]
    15 2 [email protected]
    16 2 host/[email protected]
    17 2 host/M1@MYDOMAIN.NET
    18 2 host/[email protected]
    19 2 host/[email protected]
    20 2 host/[email protected]
    21 2 host/[email protected]
    22 2 host/[email protected]
    23 2 host/[email protected]
    24 2 host/[email protected]
    25 2 host/[email protected]
    26 2 [email protected]
    27 2 [email protected]
    28 2 M1 [email protected]
    29 2 [email protected]
    30 2 [email protected]

I would be very grateful if someone could provide an example. Thanks in advance!

PS. I looked at examples for .NET Core 2.XX, in particular this one. The connection to LDAP fails with an "Unable to read data from the transport connection: Connection reset by peer" exception. If I specify "SecureSocketLayer = false" in the connection, a "Strong Authentication Required" exception is thrown instead, even though TLS and SSL were disabled in smb.conf.

P.P.S. I would like an example using Microsoft.AspNetCore.Authentication.Negotiate, because this is, as I understand it, the preferred option for ASP.NET Core version 3.1 and up.
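Added example (not part of the original question and not Microsoft's own sample code): a complete Startup.cs for a .NET Core 3.1 Web API that registers the JWT bearer and Negotiate schemes side by side and lets the same endpoints accept either one, which is the part the question says it could not find. The configuration keys Jwt:Issuer, Jwt:Audience and Jwt:SigningKey, and the WhoAmIController route, are assumptions. Two facts the comments rely on: on Linux the Negotiate handler validates Kerberos tickets with the key it finds in the keytab named by KRB5_KTNAME, and a browser or curl asks the KDC for a ticket to the service principal HTTP/<fqdn in the URL> (HTTP/m1.mydomain.net if the client connects to that name), so the keytab needs a key for that principal, not only the host/ entries listed above. EnableLdap is not needed for authentication to work at all; it only adds group claims through a separate LDAP bind, so it is left out here.

```csharp
// Added example, not the original poster's code. Requires the packages
// Microsoft.AspNetCore.Authentication.JwtBearer and Microsoft.AspNetCore.Authentication.Negotiate.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services
            // JWT remains the default scheme, so existing token clients are unaffected.
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Jwt:* configuration keys are assumed for this example.
                    ValidateIssuer = true,
                    ValidIssuer = _config["Jwt:Issuer"],
                    ValidateAudience = true,
                    ValidAudience = _config["Jwt:Audience"],
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes(_config["Jwt:SigningKey"])),
                    ValidateLifetime = true,
                };
            })
            // Second scheme. On Linux the handler authenticates Kerberos tickets with the key
            // from the keytab named by KRB5_KTNAME; that key must belong to the SPN the client
            // requests a ticket for, i.e. HTTP/<fqdn the client connects to>.
            .AddNegotiate();

        services.AddAuthorization(options =>
        {
            // One policy naming both schemes: the authorization middleware runs
            // AuthenticateAsync for each of them and accepts whichever succeeds.
            var jwtOrKerberos = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme,
                    NegotiateDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build();
            options.DefaultPolicy = jwtOrKerberos;   // used by a bare [Authorize]
            options.FallbackPolicy = jwtOrKerberos;  // applied to endpoints with no [Authorize]
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must precede UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]   // assumed route: /api/whoami
public class WhoAmIController : ControllerBase
{
    // Bare [Authorize] uses DefaultPolicy, so a valid JWT or a valid Kerberos ticket both
    // reach this action. Kerberos callers show up as user@REALM; JWT callers get the name
    // claim from the token. AuthenticationType tells you which handler produced the identity.
    [HttpGet]
    [Authorize]
    public IActionResult Get() => Ok(new
    {
        name = User.Identity.Name,
        authenticationType = User.Identity.AuthenticationType,
    });

    // Endpoint that only domain users may call: restrict it to the Negotiate scheme.
    [HttpGet("domain")]
    [Authorize(AuthenticationSchemes = NegotiateDefaults.AuthenticationScheme)]
    public IActionResult DomainOnly() => Ok(User.Identity.Name);
}
```

To exercise the Kerberos path from a domain-joined client (or any machine with a krb5.conf pointing at dc1.mydomain.net), run `kinit user@MYDOMAIN.NET` and then `curl --negotiate -u : http://m1.mydomain.net/api/whoami`; the JWT path is the usual `Authorization: Bearer <token>` header. If the Kerberos call is answered with 401 and the server logs a GSSAPI error about the service principal or the keytab, the missing piece is the HTTP/ key in the keytab, not the ASP.NET configuration. The DirectoryOperationException quoted in the question is separate from all of this: "Strong authentication is required for this operation" is the LDAP result strongerAuthRequired, which Samba returns for a simple bind over a non-TLS connection while the smb.conf option `ldap server require strong auth` (default yes) is in effect, so it only concerns the optional EnableLdap group lookup.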
