Reset negotiateAuth if SNI doesn't work

This change also adds some book keeping to ensure we're only using the spn that has previously generated a context once one has been created.

Author: twsouthwick

src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs

@@ -459,7 +459,7 @@ internal void Connect(ServerInfo serverInfo,
                 hostNameInCertificate,
                 serverCertificateFilename);
 
-            _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this);
+            _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this, _serverSpn);
 
             if (TdsEnums.SNI_SUCCESS != _physicalStateObj.Status)
             {
@@ -559,7 +559,7 @@ internal void Connect(ServerInfo serverInfo,
                     hostNameInCertificate,
                     serverCertificateFilename);
 
-                _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this);
+                _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this, _serverSpn);
 
                 if (TdsEnums.SNI_SUCCESS != _physicalStateObj.Status)
                 {

src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs

@@ -518,7 +518,7 @@ internal void Connect(ServerInfo serverInfo,
                 FQDNforDNSCache,
                 hostNameInCertificate);
 
-            _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this);
+            _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this, _serverSpn);
 
             if (TdsEnums.SNI_SUCCESS != _physicalStateObj.Status)
             {
@@ -612,7 +612,7 @@ internal void Connect(ServerInfo serverInfo,
                     serverInfo.ResolvedServerName,
                     hostNameInCertificate);
 
-                _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this);
+                _authenticationProvider?.Initialize(serverInfo, _physicalStateObj, this, _serverSpn);
 
                 if (TdsEnums.SNI_SUCCESS != _physicalStateObj.Status)
                 {

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NegotiateSspiContextProvider.cs

@@ -2,6 +2,7 @@
 
 using System;
 using System.Buffers;
+using System.Diagnostics;
 using System.Net.Security;
 
 #nullable enable
@@ -17,6 +18,9 @@ protected override bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlo
             NegotiateAuthenticationStatusCode statusCode = NegotiateAuthenticationStatusCode.UnknownCredentials;
 
             _negotiateAuth ??= new(new NegotiateAuthenticationClientOptions { Package = "Negotiate", TargetName = authParams.Resource });
+
+            Debug.Assert(_negotiateAuth.TargetName == authParams.Resource, "SSPI resource does not match TargetName");
+
             var sendBuff = _negotiateAuth.GetOutgoingBlob(incomingBlob, out statusCode)!;
 
             // Log session id, status code and the actual SPN used in the negotiation
@@ -29,6 +33,8 @@ protected override bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlo
                 return true;
             }
 
+            // Reset _negotiateAuth to be generated again for next SPN.
+            _negotiateAuth = null;
             return false;
         }
     }

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/SspiContextProvider.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Buffers;
 using System.Diagnostics;
+using System.Linq;
 
 #nullable enable
 
@@ -10,14 +11,34 @@ internal abstract class SspiContextProvider
     {
         private TdsParser _parser = null!;
         private ServerInfo _serverInfo = null!;
+
+        // This is used to store either a single or multiple SspiAuthenticationParameters. Since we initially have potential
+        // multiple SPNs, we'll start with that. However, once we've succeeded creating an SSPI context, we'll consider that
+        // to be the correct SPN going forward
+        private object? _authParams;
+
         private protected TdsParserStateObject _physicalStateObj = null!;
 
-        internal void Initialize(ServerInfo serverInfo, TdsParserStateObject physicalStateObj, TdsParser parser)
+        internal void Initialize(
+            ServerInfo serverInfo,
+            TdsParserStateObject physicalStateObj,
+            TdsParser parser,
+#if NETFRAMEWORK
+            string serverSpn
+#else
+            string[] serverSpns
+#endif
+            )
         {
             _parser = parser;
             _physicalStateObj = physicalStateObj;
             _serverInfo = serverInfo;
 
+#if NETFRAMEWORK
+            _authParams = CreateAuthParams(serverSpn);
+#else
+            _authParams = serverSpns.Select(CreateAuthParams).ToArray();
+#endif
             Initialize();
         }
 
@@ -27,46 +48,49 @@ private protected virtual void Initialize()
 
         protected abstract bool GenerateSspiClientContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, SspiAuthenticationParameters authParams);
 
-        internal void SSPIData(ReadOnlySpan<byte> receivedBuff, IBufferWriter<byte> outgoingBlobWriter, string serverSpn)
+        internal void SSPIData(ReadOnlySpan<byte> receivedBuff, IBufferWriter<byte> outgoingBlobWriter)
         {
             using var _ = TrySNIEventScope.Create(nameof(SspiContextProvider));
 
-            if (!RunGenerateSspiClientContext(receivedBuff, outgoingBlobWriter, serverSpn))
+            if (_authParams is SspiAuthenticationParameters authParam)
             {
-                // If we've hit here, the SSPI context provider implementation failed to generate the SSPI context.
-                SSPIError(SQLMessage.SSPIGenerateError(), TdsEnums.GEN_CLIENT_CONTEXT);
+                RunGenerateSspiClientContext(receivedBuff, outgoingBlobWriter, authParam);
+                return;
             }
-        }
-
-        internal void SSPIData(ReadOnlySpan<byte> receivedBuff, IBufferWriter<byte> outgoingBlobWriter, ReadOnlySpan<string> serverSpns)
-        {
-            using var _ = TrySNIEventScope.Create(nameof(SspiContextProvider));
-
-            foreach (var serverSpn in serverSpns)
+            else if (_authParams is SspiAuthenticationParameters[] authParams)
             {
-                if (RunGenerateSspiClientContext(receivedBuff, outgoingBlobWriter, serverSpn))
+                foreach (var p in authParams)
                 {
-                    return;
+                    if (RunGenerateSspiClientContext(receivedBuff, outgoingBlobWriter, p))
+                    {
+                        // Reset the _authParams to only have a single one going forward to always call the context with that one
+                        _authParams = p;
+                        return;
+                    }
                 }
             }
 
             // If we've hit here, the SSPI context provider implementation failed to generate the SSPI context.
             SSPIError(SQLMessage.SSPIGenerateError(), TdsEnums.GEN_CLIENT_CONTEXT);
         }
 
-        private bool RunGenerateSspiClientContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, string serverSpn)
+        private SspiAuthenticationParameters CreateAuthParams(string serverSpn)
         {
             var options = _parser.Connection.ConnectionOptions;
-            var authParams = new SspiAuthenticationParameters(options.DataSource, serverSpn)
+
+            return new SspiAuthenticationParameters(options.DataSource, serverSpn)
             {
                 DatabaseName = options.InitialCatalog,
                 UserId = options.UserID,
                 Password = options.Password,
             };
+        }
 
+        private bool RunGenerateSspiClientContext(ReadOnlySpan<byte> incomingBlob, IBufferWriter<byte> outgoingBlobWriter, SspiAuthenticationParameters authParams)
+        {
             try
             {
-                SqlClientEventSource.Log.TryTraceEvent("{0}.{1} | Info | SPN={1}", GetType().FullName, nameof(GenerateSspiClientContext), serverSpn);
+                SqlClientEventSource.Log.TryTraceEvent("{0}.{1} | Info | SPN={1}", GetType().FullName, nameof(GenerateSspiClientContext), authParams.Resource);
 
                 return GenerateSspiClientContext(incomingBlob, outgoingBlobWriter, authParams);
             }

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/TdsParser.cs

@@ -35,7 +35,7 @@ internal void ProcessSSPI(int receivedLength)
                 try
                 {
                     // make call for SSPI data
-                    _authenticationProvider!.SSPIData(receivedBuff.AsSpan(0, receivedLength), writer, _serverSpn);
+                    _authenticationProvider!.SSPIData(receivedBuff.AsSpan(0, receivedLength), writer);
 
                     // DO NOT SEND LENGTH - TDS DOC INCORRECT!  JUST SEND SSPI DATA!
                     _physicalStateObj.WriteByteSpan(writer.WrittenSpan);
@@ -175,7 +175,7 @@ internal void TdsLogin(
                         // byte[] buffer and 0 for the int length.
                         Debug.Assert(SniContext.Snix_Login == _physicalStateObj.SniContext, $"Unexpected SniContext. Expecting Snix_Login, actual value is '{_physicalStateObj.SniContext}'");
                         _physicalStateObj.SniContext = SniContext.Snix_LoginSspi;
-                        _authenticationProvider.SSPIData(ReadOnlySpan<byte>.Empty, sspiWriter, _serverSpn);
+                        _authenticationProvider.SSPIData(ReadOnlySpan<byte>.Empty, sspiWriter);
 
                         _physicalStateObj.SniContext = SniContext.Snix_Login;