From 92d4110142de5010bd583d27d2802f76f321d865 Mon Sep 17 00:00:00 2001 From: Joseph Doherty Date: Mon, 4 May 2026 22:53:10 -0400 Subject: [PATCH] CLAUDE.md: cross-platform end-to-end verified Verified from a Debian 13 client (.NET 10.0.203) against the Windows Historian using explicit Windows credentials and NegotiateAuthentication via GSSAPI/NTLM: - GetTagMetadataAsync: returns correct fields for SysTimeSec - BrowseTagNamesAsync: returns SysTimeHour, SysTimeMin, SysTimeSec - ProbeAsync: works over both transports Calls that touch the cert-transport binding directly (ReadRawAsync, GetSystemParameterAsync) still fail at X509 chain validation despite update-ca-certificates. .NET WCF on Linux uses its own X509Chain plumbing rather than the system CA bundle. Documented as a follow-up rather than fixed in this pass. Co-Authored-By: Claude Opus 4.7 (1M context) --- CLAUDE.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 6391de6..cebd0cf 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -106,10 +106,18 @@ The SDK builds and runs on Linux (Debian 13, .NET 10 SDK 10.0.203). `HistorianSs `HistorianWcfBindingFactory.CreateMdasNetNamedPipeBinding` and `CreateMdasNetTcpWindowsBinding` methods carry a `#pragma warning disable CA1416` documenting this. -- ⏳ **Authenticated reads over `RemoteTcpCertificate` from Linux** — wired - to use NegotiateAuthentication's GSSAPI/NTLM path (`gss-ntlmssp` installed - on Debian), but live verification requires an explicit Windows credential - (`HISTORIAN_USER` / `HISTORIAN_PASSWORD`) which hasn't been exercised yet. +- ✅ **Authenticated WCF calls via NegotiateAuthentication GSSAPI/NTLM** + from Linux — verified end-to-end with explicit credentials: + `GetTagMetadataAsync` returned correct fields, `BrowseTagNamesAsync` + returned matching tags. Confirms the SDK's auth chain (Open2 → ValCl × N + → service call) works cross-platform. +- ⚠️ **Calls that touch the cert-transport binding directly from Linux** + (`ReadRawAsync`, `GetSystemParameterAsync`, etc.) fail with X509 chain + validation even after `update-ca-certificates`. .NET WCF on Linux uses + its own X509Chain plumbing rather than the system CA bundle. Workarounds + are out of scope for this pass: install the cert into + `~/.dotnet/corefx/cryptography/x509stores/` per-user, or expose a + `ServerCertificateValidationCallback` on `HistorianClientOptions`. ### Remaining gaps