public void TryGettingSspiTicketTest()
{
using (var contextSender = new SspiContext($"host/{Environment.MachineName}", "negotiate"))
using (var contextReceiver = new SspiContext($"host/{Environment.MachineName}", "negotiate"))
{
byte[] token = null;
byte[] serverResponse = null;
do
{
token = contextSender.RequestToken(serverResponse);
Assert.IsNotNull(token);
if (token != null && token.Length > 0)
{
contextReceiver.AcceptToken(token, out serverResponse);
Assert.IsNotNull(serverResponse);
}
}while (token != null && token.Length > 0);
var serverContext = NegotiationToken.Decode(serverResponse);
Assert.IsNotNull(serverContext);
Assert.IsNotNull(serverContext.ResponseToken);
Assert.IsNull(serverContext.InitialToken);
Assert.IsNotNull(contextSender.SessionKey);
Assert.IsTrue(KerberosCryptoTransformer.AreEqualSlow(contextSender.SessionKey, contextReceiver.SessionKey));
}
}
// https://github.com/SteveSyfuhs/Kerberos.NET/issues/89
//
// "However, if you're looking to create a KerberosClient and just grab credentials
// off the currently logged on user in Windows then you should just use SSPI.
// There's no way to extract the credentials from Windows (by design) to use in the initial
// authentication of the client, and it's not intended to be a wrapper around SSPI."
//
// and that same code works both for .NET Framework and .NET Core
public byte[] GetToken(string spn, string username, string password, string domain)
{
SspiContext context;
if (username == null)
{
context = new SspiContext(spn);
}
else
{
var credential = new SuppliedCredential(username, password, domain);
context = new SspiContext(spn, credential);
}
using (context)
{
return(context.RequestToken());
}
// kept for reference below, the way to do it that *only* works with .NET Framework
/*
*
* using System.IdentityModel.Selectors;
* using System.IdentityModel.Tokens;
* using System.Net;
* using System.Security;
* using System.Security.Principal;
*
* var tokenProvider = _username == null
* ? new KerberosSecurityTokenProvider(_spn, TokenImpersonationLevel.Identification)
* : new KerberosSecurityTokenProvider(_spn, TokenImpersonationLevel.Identification, new NetworkCredential(_username, _password, _domain));
*
* var timeout = TimeSpan.FromSeconds(30);
*
* byte[] tokenBytes;
* try
* {
* if (!(tokenProvider.GetToken(timeout) is KerberosRequestorSecurityToken token))
* throw new InvalidOperationException("Token is not KerberosRequestorSecurityToken.");
* tokenBytes = token.GetRequest();
* }
* catch (Exception e)
* {
* throw new SecurityException("Failed to get a Kerberos token.", e);
* }
*
* return _credentials = new KerberosCredentials(tokenBytes);
*
*/
}
private static void RetrieveAndVerifyTicket()
{
using (SspiContext context = new SspiContext(RequestedSpn))
{
var ticket = context.RequestToken();
var token = MessageParser.ParseKerberos(ticket);
var decryptedToken = token.DecryptApReq(new KeyTable(Key));
Assert.AreEqual("*****@*****.**", decryptedToken.Ticket.CName.FullyQualifiedName);
Assert.AreEqual("test.com", decryptedToken.Ticket.CRealm);
}
}
private void RequestLocalTicket()
{
if (string.IsNullOrWhiteSpace(hostName))
{
SetHost();
txtHost.Text = hostName;
}
SspiContext context = new SspiContext(spn: hostName);
byte[] tokenBytes = context.RequestToken();
txtTicket.Text = Convert.ToBase64String(tokenBytes);
}
public void TryGettingSspiTicketTest()
{
using (var contextSender = new SspiContext($"host/{Environment.MachineName}", "Negotiate"))
using (var contextReceiver = new SspiContext($"host/{Environment.MachineName}", "Negotiate"))
{
var token = contextSender.RequestToken();
Assert.IsNotNull(token);
var contextToken = MessageParser.Parse <NegotiateContextToken>(token);
Assert.IsNotNull(contextToken);
contextReceiver.AcceptToken(token, out byte[] serverResponse);
Assert.IsNotNull(serverResponse);
var serverContext = NegotiationToken.Decode(serverResponse);
Assert.IsNotNull(serverContext);
Assert.IsNotNull(serverContext.ResponseToken);
Assert.IsNull(serverContext.InitialToken);
}
}
