From c6619e191e51a6d1400ff1237a971a6277db13ce Mon Sep 17 00:00:00 2001
From: Filip Navara <navara@emclient.com>
Date: Tue, 12 Jul 2022 09:06:50 +0000
Subject: [PATCH] Add support for specifying Kerberos package on Linux/macOS
 (in addition to NTLM and Negotiate)

---
 .../Interop.NetSecurityNative.PackageType.cs  | 17 ++++++
 .../Interop.NetSecurityNative.cs              | 14 ++---
 .../Win32/SafeHandles/GssSafeHandles.cs       |  6 +-
 .../Net/Security/NegotiateStreamPal.Unix.cs   | 48 ++++++++++-----
 .../Security/Unix/SafeFreeNegoCredentials.cs  | 14 ++---
 .../src/System.Net.Security.csproj            |  2 +
 .../System.Net.Security.Unit.Tests.csproj     |  2 +
 .../System.Net.Security.Native/pal_gssapi.c   | 59 +++++++++++--------
 .../System.Net.Security.Native/pal_gssapi.h   | 13 +++-
 9 files changed, 117 insertions(+), 58 deletions(-)
 create mode 100644 src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.PackageType.cs

diff --git a/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.PackageType.cs b/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.PackageType.cs
new file mode 100644
index 00000000000000..d8d6073c3d04a7
--- /dev/null
+++ b/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.PackageType.cs
@@ -0,0 +1,17 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+
+internal static partial class Interop
+{
+    internal static partial class NetSecurityNative
+    {
+        internal enum PackageType : uint
+        {
+            Negotiate = 0,
+            NTLM = 1,
+            Kerberos = 2,
+        }
+    }
+}
diff --git a/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs b/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs
index 3ce98eb5d30769..84a31968d79378 100644
--- a/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs
+++ b/src/libraries/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs
@@ -61,7 +61,7 @@ internal static partial Status InitiateCredSpNego(
         [LibraryImport(Interop.Libraries.NetSecurityNative, EntryPoint="NetSecurityNative_InitiateCredWithPassword", StringMarshalling = StringMarshalling.Utf8)]
         internal static partial Status InitiateCredWithPassword(
             out Status minorStatus,
-            [MarshalAs(UnmanagedType.Bool)] bool isNtlm,
+            PackageType packageType,
             SafeGssNameHandle desiredName,
             string password,
             int passwordLen,
@@ -77,7 +77,7 @@ private static partial Status InitSecContext(
             out Status minorStatus,
             SafeGssCredHandle initiatorCredHandle,
             ref SafeGssContextHandle contextHandle,
-            [MarshalAs(UnmanagedType.Bool)] bool isNtlmOnly,
+            PackageType packageType,
             SafeGssNameHandle? targetName,
             uint reqFlags,
             ref byte inputBytes,
@@ -91,7 +91,7 @@ private static partial Status InitSecContext(
             out Status minorStatus,
             SafeGssCredHandle initiatorCredHandle,
             ref SafeGssContextHandle contextHandle,
-            [MarshalAs(UnmanagedType.Bool)] bool isNtlmOnly,
+            PackageType packageType,
             IntPtr cbt,
             int cbtSize,
             SafeGssNameHandle? targetName,
@@ -106,7 +106,7 @@ internal static Status InitSecContext(
             out Status minorStatus,
             SafeGssCredHandle initiatorCredHandle,
             ref SafeGssContextHandle contextHandle,
-            bool isNtlmOnly,
+            PackageType packageType,
             SafeGssNameHandle? targetName,
             uint reqFlags,
             ReadOnlySpan<byte> inputBytes,
@@ -118,7 +118,7 @@ internal static Status InitSecContext(
                 out minorStatus,
                 initiatorCredHandle,
                 ref contextHandle,
-                isNtlmOnly,
+                packageType,
                 targetName,
                 reqFlags,
                 ref MemoryMarshal.GetReference(inputBytes),
@@ -132,7 +132,7 @@ internal static Status InitSecContext(
             out Status minorStatus,
             SafeGssCredHandle initiatorCredHandle,
             ref SafeGssContextHandle contextHandle,
-            bool isNtlmOnly,
+            PackageType packageType,
             IntPtr cbt,
             int cbtSize,
             SafeGssNameHandle? targetName,
@@ -146,7 +146,7 @@ internal static Status InitSecContext(
                 out minorStatus,
                 initiatorCredHandle,
                 ref contextHandle,
-                isNtlmOnly,
+                packageType,
                 cbt,
                 cbtSize,
                 targetName,
diff --git a/src/libraries/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs b/src/libraries/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs
index 253e0548dea9d9..acc95913c863c5 100644
--- a/src/libraries/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs
+++ b/src/libraries/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs
@@ -91,9 +91,9 @@ public static SafeGssCredHandle CreateAcceptor()
         ///  returns the handle for the given credentials.
         ///  The method returns an invalid handle if the username is null or empty.
         /// </summary>
-        public static SafeGssCredHandle Create(string username, string password, bool isNtlmOnly)
+        public static SafeGssCredHandle Create(string username, string password, Interop.NetSecurityNative.PackageType packageType)
         {
-            if (isNtlmOnly && !s_IsNtlmInstalled.Value)
+            if (packageType == Interop.NetSecurityNative.PackageType.NTLM && !s_IsNtlmInstalled.Value)
             {
                 throw new Interop.NetSecurityNative.GssApiException(
                     Interop.NetSecurityNative.Status.GSS_S_BAD_MECH,
@@ -117,7 +117,7 @@ public static SafeGssCredHandle Create(string username, string password, bool is
                 }
                 else
                 {
-                    status = Interop.NetSecurityNative.InitiateCredWithPassword(out minorStatus, isNtlmOnly, userHandle, password, Encoding.UTF8.GetByteCount(password), out retHandle);
+                    status = Interop.NetSecurityNative.InitiateCredWithPassword(out minorStatus, packageType, userHandle, password, Encoding.UTF8.GetByteCount(password), out retHandle);
                 }
 
                 if (status != Interop.NetSecurityNative.Status.GSS_S_COMPLETE)
diff --git a/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs b/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
index 73043391901aef..702167758da69c 100644
--- a/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
+++ b/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
@@ -134,7 +134,7 @@ private static SecurityStatusPal EstablishSecurityContext(
           out byte[]? resultBuffer,
           ref ContextFlagsPal outFlags)
         {
-            bool isNtlmOnly = credential.IsNtlmOnly;
+            Interop.NetSecurityNative.PackageType packageType = credential.PackageType;
 
             resultBuffer = null;
 
@@ -142,7 +142,11 @@ private static SecurityStatusPal EstablishSecurityContext(
             {
                 if (NetEventSource.Log.IsEnabled())
                 {
-                    string protocol = isNtlmOnly ? "NTLM" : "SPNEGO";
+                    string protocol = packageType switch {
+                        Interop.NetSecurityNative.PackageType.NTLM => "NTLM",
+                        Interop.NetSecurityNative.PackageType.Kerberos => "Kerberos",
+                        _ => "SPNEGO"
+                    };
                     NetEventSource.Info(context, $"requested protocol = {protocol}, target = {targetName}");
                 }
 
@@ -172,7 +176,7 @@ private static SecurityStatusPal EstablishSecurityContext(
                     status = Interop.NetSecurityNative.InitSecContext(out minorStatus,
                                                                       credential.GssCredential,
                                                                       ref contextHandle,
-                                                                      isNtlmOnly,
+                                                                      packageType,
                                                                       cbtAppData,
                                                                       cbtAppDataSize,
                                                                       negoContext.TargetName,
@@ -187,7 +191,7 @@ private static SecurityStatusPal EstablishSecurityContext(
                     status = Interop.NetSecurityNative.InitSecContext(out minorStatus,
                                                                       credential.GssCredential,
                                                                       ref contextHandle,
-                                                                      isNtlmOnly,
+                                                                      packageType,
                                                                       negoContext.TargetName,
                                                                       (uint)inputFlags,
                                                                       incomingBlob,
@@ -216,7 +220,11 @@ private static SecurityStatusPal EstablishSecurityContext(
                 {
                     if (NetEventSource.Log.IsEnabled())
                     {
-                        string protocol = isNtlmOnly ? "NTLM" : isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos";
+                        string protocol = packageType switch {
+                            Interop.NetSecurityNative.PackageType.NTLM => "NTLM",
+                            Interop.NetSecurityNative.PackageType.Kerberos => "Kerberos",
+                            _ => isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos"
+                        };
                         NetEventSource.Info(context, $"actual protocol = {protocol}");
                     }
 
@@ -441,24 +449,36 @@ internal static SafeFreeCredentials AcquireCredentialsHandle(string package, boo
         {
             bool isEmptyCredential = string.IsNullOrWhiteSpace(credential.UserName) ||
                                      string.IsNullOrWhiteSpace(credential.Password);
-            bool ntlmOnly = string.Equals(package, NegotiationInfoClass.NTLM, StringComparison.OrdinalIgnoreCase);
-            if (ntlmOnly && isEmptyCredential && !isServer)
+            Interop.NetSecurityNative.PackageType packageType;
+
+            if (string.Equals(package, NegotiationInfoClass.Negotiate, StringComparison.OrdinalIgnoreCase))
             {
-                // NTLM authentication is not possible with default credentials which are no-op
-                throw new PlatformNotSupportedException(SR.net_ntlm_not_possible_default_cred);
+                packageType = Interop.NetSecurityNative.PackageType.Negotiate;
             }
-
-            if (!ntlmOnly && !string.Equals(package, NegotiationInfoClass.Negotiate))
+            else if (string.Equals(package, NegotiationInfoClass.NTLM, StringComparison.OrdinalIgnoreCase))
+            {
+                packageType = Interop.NetSecurityNative.PackageType.NTLM;
+                if (isEmptyCredential && !isServer)
+                {
+                    // NTLM authentication is not possible with default credentials which are no-op
+                    throw new PlatformNotSupportedException(SR.net_ntlm_not_possible_default_cred);
+                }
+            }
+            else if (string.Equals(package, NegotiationInfoClass.Kerberos, StringComparison.OrdinalIgnoreCase))
+            {
+                packageType = Interop.NetSecurityNative.PackageType.Kerberos;
+            }
+            else
             {
-                // Native shim currently supports only NTLM and Negotiate
+                // Native shim currently supports only NTLM, Negotiate and Kerberos
                 throw new PlatformNotSupportedException(SR.net_securitypackagesupport);
             }
 
             try
             {
                 return isEmptyCredential ?
-                    new SafeFreeNegoCredentials(ntlmOnly, string.Empty, string.Empty, string.Empty) :
-                    new SafeFreeNegoCredentials(ntlmOnly, credential.UserName, credential.Password, credential.Domain);
+                    new SafeFreeNegoCredentials(packageType, string.Empty, string.Empty, string.Empty) :
+                    new SafeFreeNegoCredentials(packageType, credential.UserName, credential.Password, credential.Domain);
             }
             catch (Exception ex)
             {
diff --git a/src/libraries/Common/src/System/Net/Security/Unix/SafeFreeNegoCredentials.cs b/src/libraries/Common/src/System/Net/Security/Unix/SafeFreeNegoCredentials.cs
index 58d1942829e524..ffbd46db32aaf4 100644
--- a/src/libraries/Common/src/System/Net/Security/Unix/SafeFreeNegoCredentials.cs
+++ b/src/libraries/Common/src/System/Net/Security/Unix/SafeFreeNegoCredentials.cs
@@ -12,7 +12,7 @@ namespace System.Net.Security
     internal sealed class SafeFreeNegoCredentials : SafeFreeCredentials
     {
         private SafeGssCredHandle _credential;
-        private readonly bool _isNtlmOnly;
+        private readonly Interop.NetSecurityNative.PackageType _packageType;
         private readonly string _userName;
         private readonly bool _isDefault;
 
@@ -21,10 +21,10 @@ public SafeGssCredHandle GssCredential
             get { return _credential; }
         }
 
-        // Property represents if Ntlm Protocol is specfied or not.
-        public bool IsNtlmOnly
+        // Property represents which protocol is specfied (Negotiate, Ntlm or Kerberos).
+        public Interop.NetSecurityNative.PackageType PackageType
         {
-            get { return _isNtlmOnly; }
+            get { return _packageType; }
         }
 
         public string UserName
@@ -37,7 +37,7 @@ public bool IsDefault
             get { return _isDefault; }
         }
 
-        public SafeFreeNegoCredentials(bool isNtlmOnly, string username, string password, string domain)
+        public SafeFreeNegoCredentials(Interop.NetSecurityNative.PackageType packageType, string username, string password, string domain)
             : base(IntPtr.Zero, true)
         {
             Debug.Assert(username != null && password != null, "Username and Password can not be null");
@@ -66,10 +66,10 @@ public SafeFreeNegoCredentials(bool isNtlmOnly, string username, string password
             }
 
             bool ignore = false;
-            _isNtlmOnly = isNtlmOnly;
+            _packageType = packageType;
             _userName = username;
             _isDefault = string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password);
-            _credential = SafeGssCredHandle.Create(username, password, isNtlmOnly);
+            _credential = SafeGssCredHandle.Create(username, password, packageType);
             _credential.DangerousAddRef(ref ignore);
         }
 
diff --git a/src/libraries/System.Net.Security/src/System.Net.Security.csproj b/src/libraries/System.Net.Security/src/System.Net.Security.csproj
index 139ea7ce4ba064..55d140a914f553 100644
--- a/src/libraries/System.Net.Security/src/System.Net.Security.csproj
+++ b/src/libraries/System.Net.Security/src/System.Net.Security.csproj
@@ -252,6 +252,8 @@
              Link="Common\Interop\Unix\Interop.Errors.cs" />
     <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.GssFlags.cs"
              Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.GssFlags.cs" />
+    <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.PackageType.cs"
+             Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.PackageType.cs" />
     <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.Status.cs"
              Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.Status.cs" />
     <Compile Include="$(CommonPath)System\Net\Security\Unix\SafeDeleteContext.cs"
diff --git a/src/libraries/System.Net.Security/tests/UnitTests/System.Net.Security.Unit.Tests.csproj b/src/libraries/System.Net.Security/tests/UnitTests/System.Net.Security.Unit.Tests.csproj
index 123346f7960003..c8d75808d00e10 100644
--- a/src/libraries/System.Net.Security/tests/UnitTests/System.Net.Security.Unit.Tests.csproj
+++ b/src/libraries/System.Net.Security/tests/UnitTests/System.Net.Security.Unit.Tests.csproj
@@ -130,6 +130,8 @@
              Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.cs" />
     <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.GssFlags.cs"
              Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.GssFlags.cs" />
+    <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.PackageType.cs"
+             Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.PackageType.cs" />
     <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.Status.cs"
              Link="Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.Status.cs" />
     <Compile Include="$(CommonPath)Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.IsNtlmInstalled.cs"
diff --git a/src/native/libs/System.Net.Security.Native/pal_gssapi.c b/src/native/libs/System.Net.Security.Native/pal_gssapi.c
index 2430e540a5d191..a325b1ac5aec84 100644
--- a/src/native/libs/System.Net.Security.Native/pal_gssapi.c
+++ b/src/native/libs/System.Net.Security.Native/pal_gssapi.c
@@ -276,7 +276,7 @@ uint32_t NetSecurityNative_ImportPrincipalName(uint32_t* minorStatus,
 uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
                                           GssCredId* claimantCredHandle,
                                           GssCtxId** contextHandle,
-                                          uint32_t isNtlm,
+                                          uint32_t packageType,
                                           GssName* targetName,
                                           uint32_t reqFlags,
                                           uint8_t* inputBytes,
@@ -288,7 +288,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
     return NetSecurityNative_InitSecContextEx(minorStatus,
                                               claimantCredHandle,
                                               contextHandle,
-                                              isNtlm,
+                                              packageType,
                                               NULL,
                                               0,
                                               targetName,
@@ -303,7 +303,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
                                             GssCredId* claimantCredHandle,
                                             GssCtxId** contextHandle,
-                                            uint32_t isNtlm,
+                                            uint32_t packageType,
                                             void* cbt,
                                             int32_t cbtSize,
                                             GssName* targetName,
@@ -316,7 +316,7 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 {
     assert(minorStatus != NULL);
     assert(contextHandle != NULL);
-    assert(isNtlm == 0 || isNtlm == 1);
+    assert(packageType == PAL_GSS_NEGOTIATE || packageType == PAL_GSS_NTLM || packageType == PAL_GSS_KERBEROS);
     assert(targetName != NULL);
     assert(inputBytes != NULL || inputLength == 0);
     assert(outBuffer != NULL);
@@ -330,27 +330,33 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 #if HAVE_GSS_SPNEGO_MECHANISM
     gss_OID krbMech = GSS_KRB5_MECHANISM;
     gss_OID desiredMech;
-    if (isNtlm)
+    if (packageType == PAL_GSS_NTLM)
     {
         desiredMech = GSS_NTLM_MECHANISM;
     }
+    else if (packageType == PAL_GSS_KERBEROS)
+    {
+        desiredMech = GSS_KRB5_MECHANISM;
+    }
     else
     {
         desiredMech = GSS_SPNEGO_MECHANISM;
     }
 #else
     gss_OID krbMech = (gss_OID)(unsigned long)gss_mech_krb5;
-    gss_OID_desc gss_mech_OID_desc;
-    if (isNtlm)
+    gss_OID desiredMech;
+    if (packageType == PAL_GSS_NTLM)
+    {
+        desiredMech = &gss_mech_ntlm_OID_desc;
+    }
+    else if (packageType == PAL_GSS_KERBEROS)
     {
-        gss_mech_OID_desc = gss_mech_ntlm_OID_desc;
+        desiredMech = gss_mech_krb5;
     }
     else
     {
-        gss_mech_OID_desc = gss_mech_spnego_OID_desc;
+        desiredMech = &gss_mech_spnego_OID_desc;
     }
-
-    gss_OID desiredMech = &gss_mech_OID_desc;
 #endif
 
     GssBuffer inputToken = {.length = inputLength, .value = inputBytes};
@@ -379,7 +385,7 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
                                                 retFlags,
                                                 NULL);
 
-    *isNtlmUsed = (isNtlm || majorStatus != GSS_S_COMPLETE || gss_oid_equal(outmech, krbMech) == 0) ? 1 : 0;
+    *isNtlmUsed = (packageType == PAL_GSS_NTLM || majorStatus != GSS_S_COMPLETE || gss_oid_equal(outmech, krbMech) == 0) ? 1 : 0;
 
     NetSecurityNative_MoveBuffer(&gssBuffer, outBuffer);
     return majorStatus;
@@ -598,7 +604,7 @@ uint32_t NetSecurityNative_VerifyMic(uint32_t* minorStatus,
 }
 
 static uint32_t AcquireCredWithPassword(uint32_t* minorStatus,
-                                        int32_t isNtlm,
+                                        int32_t packageType,
                                         GssName* desiredName,
                                         char* password,
                                         uint32_t passwdLen,
@@ -606,34 +612,39 @@ static uint32_t AcquireCredWithPassword(uint32_t* minorStatus,
                                         GssCredId** outputCredHandle)
 {
     assert(minorStatus != NULL);
-    assert(isNtlm == 1 || isNtlm == 0);
+    assert(packageType == PAL_GSS_NEGOTIATE || packageType == PAL_GSS_NTLM || packageType == PAL_GSS_KERBEROS);
     assert(desiredName != NULL);
     assert(password != NULL);
     assert(outputCredHandle != NULL);
     assert(*outputCredHandle == NULL);
 
 #if HAVE_GSS_SPNEGO_MECHANISM
-    (void)isNtlm; // unused
+    (void)packageType; // unused
     // Specifying GSS_SPNEGO_MECHANISM as a desiredMech on OSX fails.
-    gss_OID_set desiredMech = GSS_C_NO_OID_SET;
+    gss_OID_set desiredMechSet = GSS_C_NO_OID_SET;
 #else
     gss_OID_desc gss_mech_OID_desc;
-    if (isNtlm)
+    gss_OID desiredMech;
+    if (packageType == PAL_GSS_NTLM)
+    {
+        desiredMech = &gss_mech_ntlm_OID_desc;
+    }
+    else if (packageType == PAL_GSS_KERBEROS)
     {
-        gss_mech_OID_desc = gss_mech_ntlm_OID_desc;
+        desiredMech = gss_mech_krb5;
     }
     else
     {
-        gss_mech_OID_desc = gss_mech_spnego_OID_desc;
+        desiredMech = &gss_mech_spnego_OID_desc;
     }
 
-    gss_OID_set_desc gss_mech_OID_set_desc = {.count = 1, .elements = &gss_mech_OID_desc};
-    gss_OID_set desiredMech = &gss_mech_OID_set_desc;
+    gss_OID_set_desc gss_mech_OID_set_desc = {.count = 1, .elements = desiredMech};
+    gss_OID_set desiredMechSet = &gss_mech_OID_set_desc;
 #endif
 
     GssBuffer passwordBuffer = {.length = passwdLen, .value = password};
     uint32_t majorStatus = gss_acquire_cred_with_password(
-        minorStatus, desiredName, &passwordBuffer, 0, desiredMech, credUsage, outputCredHandle, NULL, NULL);
+        minorStatus, desiredName, &passwordBuffer, 0, desiredMechSet, credUsage, outputCredHandle, NULL, NULL);
 
     return majorStatus;
 }
@@ -652,14 +663,14 @@ uint32_t NetSecurityNative_AcquireAcceptorCred(uint32_t* minorStatus,
 }
 
 uint32_t NetSecurityNative_InitiateCredWithPassword(uint32_t* minorStatus,
-                                                    int32_t isNtlm,
+                                                    int32_t packageType,
                                                     GssName* desiredName,
                                                     char* password,
                                                     uint32_t passwdLen,
                                                     GssCredId** outputCredHandle)
 {
     return AcquireCredWithPassword(
-        minorStatus, isNtlm, desiredName, password, passwdLen, GSS_C_INITIATE, outputCredHandle);
+        minorStatus, packageType, desiredName, password, passwdLen, GSS_C_INITIATE, outputCredHandle);
 }
 
 uint32_t NetSecurityNative_IsNtlmInstalled()
diff --git a/src/native/libs/System.Net.Security.Native/pal_gssapi.h b/src/native/libs/System.Net.Security.Native/pal_gssapi.h
index 3bd8a59098378b..10be636c7789e5 100644
--- a/src/native/libs/System.Net.Security.Native/pal_gssapi.h
+++ b/src/native/libs/System.Net.Security.Native/pal_gssapi.h
@@ -40,6 +40,13 @@ typedef enum
     PAL_GSS_C_DELEG_POLICY_FLAG = 0x8000
 } PAL_GssFlags;
 
+typedef enum
+{
+    PAL_GSS_NEGOTIATE = 0,
+    PAL_GSS_NTLM = 1,
+    PAL_GSS_KERBEROS = 2,
+} PAL_GssPackageType;
+
 /*
 Issue: #7342
 Disable padded warning which occurs in case of 32-bit builds
@@ -111,7 +118,7 @@ Shims the gss_init_sec_context method with SPNEGO oids.
 PALEXPORT uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
                                                     GssCredId* claimantCredHandle,
                                                     GssCtxId** contextHandle,
-                                                    uint32_t isNtlm,
+                                                    uint32_t packageType,
                                                     GssName* targetName,
                                                     uint32_t reqFlags,
                                                     uint8_t* inputBytes,
@@ -123,7 +130,7 @@ PALEXPORT uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 PALEXPORT uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
                                                       GssCredId* claimantCredHandle,
                                                       GssCtxId** contextHandle,
-                                                      uint32_t isNtlm,
+                                                      uint32_t packageType,
                                                       void* cbt,
                                                       int32_t cbtSize,
                                                       GssName* targetName,
@@ -195,7 +202,7 @@ PALEXPORT uint32_t NetSecurityNative_VerifyMic(uint32_t* minorStatus,
 Shims the gss_acquire_cred_with_password method with GSS_C_INITIATE.
 */
 PALEXPORT uint32_t NetSecurityNative_InitiateCredWithPassword(uint32_t* minorStatus,
-                                                              int32_t isNtlm,
+                                                              int32_t packageType,
                                                               GssName* desiredName,
                                                               char* password,
                                                               uint32_t passwdLen,