/// Authenticates to the Kerberos domain and obtains
        /// a Service Ticket to the service identified by the
        /// configured Service Principal Name (SPN).
        public async Task AuthenticateToKerberosAsync()
        {
            var kCred = new KerberosPasswordCredential(
                _kerberosOptions.Username, _kerberosOptions.Password, _kerberosOptions.Domain);

            var kClient = _options.KerberosOptions?.Client;

            if (kClient == null)
            {
                kClient = new KerberosClient();
            }

            try
            {
                await kClient.Authenticate(kCred);

                _serviceTicket = await kClient.GetServiceTicket(
                    new RequestServiceTicket
                {
                    ServicePrincipalName = _kerberosOptions.MapperServiceSpn,
                    ApOptions            = ApOptions.MutualRequired,
                });

                _serviceTicketToken = ByteString.CopyFrom(_serviceTicket.ApReq.EncodeApplication().ToArray());
            }
            finally
            {
                if (kClient != _options.KerberosOptions?.Client)
                {
                    kClient.Dispose();
                }
            }
        }
        protected static async Task ValidateTicket(
            ApplicationSessionContext context,
            bool encodeNego = false,
            bool includePac = true,
            string spn      = FakeAppServiceSpn
            )
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var ticket = context.ApReq;

            byte[] encoded;

            if (encodeNego)
            {
                encoded = ticket.EncodeGssApi().ToArray();
            }
            else
            {
                encoded = ticket.EncodeApplication().ToArray();
            }

            var authenticator = new KerberosAuthenticator(
                new KeyTable(
                    new KerberosKey(
                        FakeAdminAtCorpPassword,
                        principalName: new PrincipalName(
                            PrincipalNameType.NT_PRINCIPAL,
                            "CORP.IDENTITYINTERVENTION.com",
                            new[] { spn }
                            ),
                        saltType: SaltType.ActiveDirectoryUser
                        )
                    )
                );

            var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);

            Assert.IsNotNull(validated);

            var sidClaim = validated.FindFirst(ClaimTypes.Sid);

            if (includePac)
            {
                Assert.AreEqual("S-1-5-123-456-789-12-321-888", sidClaim?.Value);
            }
            else
            {
                Assert.IsNull(sidClaim);
            }

            var sessionKey = context.AuthenticateServiceResponse(validated.ApRep);

            Assert.IsNotNull(sessionKey);
        }
Beispiel #3
0
        private void DescribeApReq(ApplicationSessionContext delegated)
        {
            var properties = new List <(string, object)>()
            {
            };

            GetObjectProperties(
                new object[]
            {
                delegated,
                delegated.ApReq,
                delegated.ApReq.Ticket,
                delegated.ApReq.Ticket.SName,
                delegated.ApReq.Ticket.EncryptedPart,
                delegated.ApReq.Authenticator,
                delegated.SessionKey
            },
                properties
                );

            this.WriteProperties(properties);
        }
        private static async Task ValidateTicket(ApplicationSessionContext context, bool encodeNego = false)
        {
            var ticket = context.ApReq;

            byte[] encoded;

            if (encodeNego)
            {
                encoded = ticket.EncodeGssApi().ToArray();
            }
            else
            {
                encoded = ticket.EncodeApplication().ToArray();
            }

            var authenticator = new KerberosAuthenticator(
                new KeyTable(
                    new KerberosKey(
                        "P@ssw0rd!",
                        principalName: new PrincipalName(
                            PrincipalNameType.NT_PRINCIPAL,
                            "CORP.IDENTITYINTERVENTION.com",
                            new[] { "host/appservice.corp.identityintervention.com" }
                            ),
                        saltType: SaltType.ActiveDirectoryUser
                        )
                    )
                );

            var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);

            Assert.IsNotNull(validated);

            Assert.AreEqual(validated.FindFirst(ClaimTypes.Sid).Value, "S-1-5-123-456-789-12-321-888");

            var sessionKey = context.AuthenticateServiceResponse(validated.ApRep);

            Assert.IsNotNull(sessionKey);
        }
Beispiel #5
0
        private async Task <KerberosIdentity> ProcessAsMiddleBox(Krb5Config config, ILoggerFactory logger, ApplicationSessionContext serviceTicket)
        {
            var serviceCred = new KerberosPasswordCredential(this.ServicePrincipalSamAccountName, this.ServicePrincipalNamePassword, serviceTicket.ApReq.Ticket.Realm);

            var ping = await KerberosPing.Ping(serviceCred, config, logger);

            serviceCred.IncludePreAuthenticationHints(ping.Error.DecodePreAuthentication());

            var keytab = new KeyTable(serviceCred.CreateKey());

            var authenticator = new KerberosAuthenticator(this.ServicePrincipalSamAccountName, keytab, config, logger);

            var identity = await authenticator.Authenticate(serviceTicket.ApReq.EncodeGssApi()) as KerberosIdentity;

            return(identity);
        }