internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false)
        {
            KerberosClient client;

            if (listener == null)
            {
                client = new KerberosClient();

                client.PinKdc("corp.identityintervention.com", kdc);
            }
            else
            {
                IKerberosTransport transport = new InMemoryTransport(listener);

                client = new KerberosClient(transports: transport);
            }

            client.Configuration.Defaults.DnsLookupKdc = queryDns;

            client.CacheServiceTickets   = caching;
            client.RenewTickets          = caching;
            client.RenewTicketsThreshold = TimeSpan.MaxValue;
            client.RefreshPollInterval   = TimeSpan.FromMilliseconds(10);

            return(client);
        }
Beispiel #2
0
        public void RequestTgt()
        {
            TcpKerberosTransport.MaxPoolSize = this.ConcurrentRequests * 2;

            if (this.credential == null)
            {
                this.credential = Creds.GetOrAdd(this.AlgorithmType, a => new KerberosPasswordCredential(a + this.user, this.password));
            }

            var requestCounter = 0;

            try
            {
                Task.WaitAll(Enumerable.Range(0, this.ConcurrentRequests).Select(taskNum => Task.Run(async() =>
                {
                    var client = new KerberosClient();

                    client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault().Enabled   = false;
                    client.Transports.OfType <HttpsKerberosTransport>().FirstOrDefault().Enabled = false;

                    client.PinKdc(this.credential.Domain, $"{this.overrideKdc}:{this.Port}");

                    for (var i = 0; i < this.AuthenticationAttempts; i++)
                    {
                        try
                        {
                            await client.Authenticate(this.credential);

                            Interlocked.Increment(ref Successes);

                            if (this.DisplayProgress)
                            {
                                CountItOut(ref requestCounter);
                            }
                        }
                        catch (Exception)
                        {
                        }
                    }
                })).ToArray());
            }
            catch
            {
            }
        }
Beispiel #3
0
        public async Task RequestServiceTicket(string algo)
        {
            var kerbCred = new KerberosPasswordCredential(algo + this.user, this.password);

            using (var client = new KerberosClient())
            {
                client.PinKdc(kerbCred.Domain, $"{this.overrideKdc}:{this.port}");

                await client.Authenticate(kerbCred);

                for (var i = 0; i < this.AuthenticationAttempts; i++)
                {
                    await client.GetServiceTicket(
                        "host/appservice.corp.identityintervention.com",
                        ApOptions.MutualRequired
                        );
                }
            }
        }
Beispiel #4
0
        public void RequestTgt()
        {
            var requestCounter = 0;

            Task.WaitAll(Enumerable.Range(0, ConcurrentRequests).Select(taskNum => Task.Run(async() =>
            {
                var client = new KerberosClient();

                client.PinKdc(credential.Domain, $"{overrideKdc}:{Port}");

                for (var i = 0; i < AuthenticationAttempts; i++)
                {
                    await client.Authenticate(credential);

                    if (DisplayProgress)
                    {
                        CountItOut(ref requestCounter);
                    }
                }
            })).ToArray());
        }
        public async Task ClientConnectsToServer_WithTimeout()
        {
            var port = NextPort();

            using (var client = new KerberosClient()
            {
                ConnectTimeout = TimeSpan.FromMilliseconds(1)
            })
            {
                client.Configuration.Defaults.DnsLookupKdc = false;

                client.PinKdc("test", $"127.0.0.1:{port}");

                try
                {
                    await client.Authenticate(new KerberosPasswordCredential("test", "test", "test"));
                }
                catch (AggregateException agg)
                {
                    throw agg.InnerExceptions.First();
                }
            }
        }
Beispiel #6
0
        private static async Task RequestTickets(
            X509Certificate2 cert,
            string user,
            string password,
            string overrideKdc,
            string s4u,
            string spn,
            bool retryDH,
            bool includeCNameHint,
            string servicePassword,
            string serviceSalt,
            bool cacheToFile
            )
        {
            KerberosCredential kerbCred;

            if (cert == null)
            {
                kerbCred = new KerberosPasswordCredential(user, password);
            }
            else
            {
                var chain = new X509Chain();
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                chain.Build(cert);

                var kdcCerts = new List <X509Certificate2>();

                for (var i = 0; i < chain.ChainElements.Count; i++)
                {
                    var c = chain.ChainElements[i].Certificate;

                    if (c.Thumbprint != cert.Thumbprint)
                    {
                        kdcCerts.Add(c);
                    }
                }

                if (retryDH)
                {
                    kerbCred = new RandomDHAsymmetricCredential(cert, user);
                }
                else
                {
                    kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
                }
            }

            var factory = LoggerFactory.Create(builder =>
            {
                builder.AddConsole(opt => opt.IncludeScopes = true);
                builder.AddFilter <ConsoleLoggerProvider>(level => level >= LogLevel.Trace);
            });

            var client = new KerberosClient(logger: factory);

            if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy))
            {
                client.Configuration.Realms[kdcProxy.DnsSafeHost].Kdc.Add(kdcProxy.OriginalString);
                client.Configuration.Realms[kerbCred.Domain].Kdc.Add(kdcProxy.OriginalString);
                client.Configuration.Defaults.DnsLookupKdc = false;
            }
            else if (!string.IsNullOrWhiteSpace(overrideKdc))
            {
                client.Configuration.Defaults.DnsLookupKdc = false;
                client.PinKdc(kerbCred.Domain, overrideKdc);
            }

            if (cacheToFile)
            {
                client.Configuration.Defaults.DefaultCCacheName = "krb5cc";
            }

            KrbPrincipalName cnameHint = null;

            if (includeCNameHint)
            {
                cnameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
            }

            client.RenewTickets = true;

            using (client)
                using (kerbCred as IDisposable)
                {
                    await client.Authenticate(kerbCred);

                    spn = spn ?? "host/appservice.corp.identityintervention.com";

                    KrbTicket s4uTicket = null;

                    if (!string.IsNullOrWhiteSpace(s4u))
                    {
                        var s4uSelf = await client.GetServiceTicket(
                            kerbCred.UserName,
                            ApOptions.MutualRequired,
                            s4u : s4u
                            );

                        s4uTicket = s4uSelf.Ticket;
                    }

                    var session = await client.GetServiceTicket(
                        new RequestServiceTicket
                    {
                        ServicePrincipalName = spn,
                        ApOptions            = ApOptions.MutualRequired,
                        S4uTicket            = s4uTicket,
                        CNameHint            = cnameHint
                    }
                        );

                    DumpTicket(session.ApReq);

                    ResetColor();

                    if (!retryDH)
                    {
                        try
                        {
                            await TryValidate(spn, session.ApReq, servicePassword, serviceSalt, factory);
                        }
                        catch (Exception ex)
                        {
                            W(ex.Message, ConsoleColor.Yellow);

                            ResetColor();
                        }
                    }
                }
        }
        internal static async Task <List <Exception> > MultithreadedRequests(
            int threads,
            int requests,
            bool cacheTickets,
            bool encodeNego,
            bool includePac,
            string kdc,
            X509Certificate2 cert,
            KdcListener listener
            )
        {
            var exceptions = new List <Exception>();

            KerberosCredential kerbCred;

            if (cert != null)
            {
                kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
            }
            else
            {
                kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
            }

            KerberosClient client = CreateClient(listener, kdc);

            using (kerbCred as IDisposable)
                using (client)
                {
                    client.PinKdc(kerbCred.Domain, kdc);

                    client.CacheServiceTickets = cacheTickets;

                    if (!includePac)
                    {
                        client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
                    }

                    await client.Authenticate(kerbCred);

                    Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() =>
                    {
                        for (var i = 0; i < requests; i++)
                        {
                            try
                            {
                                if (i % 2 == 0)
                                {
                                    await client.Authenticate(kerbCred);
                                }

                                var ticket = await client.GetServiceTicket(new RequestServiceTicket
                                {
                                    ServicePrincipalName = FakeAppServiceSpn,
                                    ApOptions            = ApOptions.MutualRequired
                                });

                                Assert.IsNotNull(ticket.ApReq);

                                await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
                            }
#pragma warning disable CA1031 // Do not catch general exception types
                            catch (Exception ex)
#pragma warning restore CA1031 // Do not catch general exception types
                            {
                                exceptions.Add(ex);
                            }
                        }
                    })).ToArray());
                }

            return(exceptions);
        }