public async Task NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails()
        {
            // A NetworkCredential built from an empty user, password and domain is a distinct object
            // from the process's default credentials; make sure the test is not accidentally exercising
            // DefaultCredentials / DefaultNetworkCredentials.
            const string target = "testTargetName";
            var blankCredential = new NetworkCredential("", "", "");

            Assert.NotEqual(blankCredential, CredentialCache.DefaultCredentials);
            Assert.NotEqual(blankCredential, CredentialCache.DefaultNetworkCredentials);

            var network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new NegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated);
                Assert.False(server.IsAuthenticated);

                // Both halves of the handshake run concurrently; the helper fails fast if either side faults.
                Task[] handshake =
                {
                    AuthenticateAsClientAsync(client, blankCredential, target),
                    AuthenticateAsServerAsync(server),
                };

                await TestConfiguration.WhenAllOrAnyFailedWithTimeout(handshake);

                // Client side: the stream reports a completed, non-mutual NTLM session.
                Assert.True(client.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.Equal(IsEncryptedAndSigned, client.IsEncrypted);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(client.IsServer);
                Assert.Equal(IsEncryptedAndSigned, client.IsSigned);
                Assert.False(client.LeaveInnerStreamOpen);

                // NTLM does not authenticate the server to the client: the remote identity's Name is
                // simply the target name the client itself supplied.
                IIdentity remoteServer = client.RemoteIdentity;
                Assert.Equal("NTLM", remoteServer.AuthenticationType);
                Assert.True(remoteServer.IsAuthenticated);
                Assert.Equal(target, remoteServer.Name);

                // Server side: NegotiateStream.IsAuthenticated is true even though the peer presented
                // empty credentials. The negotiated identity below is the anonymous logon, so a server
                // must inspect RemoteIdentity (IsAuthenticated / Name) rather than the stream flag alone.
                Assert.True(server.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
                Assert.Equal(IsEncryptedAndSigned, server.IsEncrypted);
                Assert.False(server.IsMutuallyAuthenticated);
                Assert.True(server.IsServer);
                Assert.Equal(IsEncryptedAndSigned, server.IsSigned);
                Assert.False(server.LeaveInnerStreamOpen);

                IIdentity remoteClient = server.RemoteIdentity;
                Assert.Equal("NTLM", remoteClient.AuthenticationType);

                Assert.False(remoteClient.IsAuthenticated);
                // On .NET Desktop: Assert.True(remoteClient.IsAuthenticated);

                // Resolve the well-known anonymous SID to its account name for the current platform.
                string anonymousLogon = new SecurityIdentifier(WellKnownSidType.AnonymousSid, null)
                    .Translate(typeof(NTAccount))
                    .Value;
                IdentityValidator.AssertHasName(remoteClient, anonymousLogon);
            }
        }
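        public void NegotiateStream_StreamToStream_Authentication_Success()
        {
            // NTLM handshake with the default network credentials and an empty target name, over an
            // in-memory network. Boolean expectations use Assert.True/False rather than
            // Assert.Equal(true/false, …) so failures report the property, not "True != False".
            VirtualNetwork network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new NegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated);
                Assert.False(server.IsAuthenticated);

                Task[] auth =
                {
                    AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty),
                    AuthenticateAsServerAsync(server),
                };

                // Synchronous test method: wait with a bound so a stalled handshake fails instead of hanging.
                bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
                Assert.True(finished, "Handshake completed in the allotted time");

                // Expected Client property values:
                Assert.True(client.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.True(client.IsEncrypted);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(client.IsServer);
                Assert.True(client.IsSigned);
                Assert.False(client.LeaveInnerStreamOpen);

                // With an empty target name the client-side remote identity is unauthenticated and has
                // an empty Name (compare the targetName variant, where Name echoes the supplied target).
                IIdentity serverIdentity = client.RemoteIdentity;
                Assert.Equal("NTLM", serverIdentity.AuthenticationType);
                Assert.False(serverIdentity.IsAuthenticated);
                Assert.Equal("", serverIdentity.Name);

                // Expected Server property values:
                Assert.True(server.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
                Assert.True(server.IsEncrypted);
                Assert.False(server.IsMutuallyAuthenticated);
                Assert.True(server.IsServer);
                Assert.True(server.IsSigned);
                Assert.False(server.LeaveInnerStreamOpen);

                IIdentity clientIdentity = server.RemoteIdentity;
                Assert.Equal("NTLM", clientIdentity.AuthenticationType);

                if (PlatformDetection.IsUap)
                {
                    // TODO #21282: UWP AppContainer issue - clientIdentity.IsAuthenticated == false.
                    Assert.False(clientIdentity.IsAuthenticated);
                }
                else
                {
                    Assert.True(clientIdentity.IsAuthenticated);
                }

                // The server must see the caller's own identity, not an anonymous or foreign one.
                IdentityValidator.AssertIsCurrentIdentity(clientIdentity);
            }
        }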
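        public async Task NegotiateStream_StreamToStream_Authentication_TargetName_Success()
        {
            // NTLM handshake with the default network credentials and an explicit target name.
            // Boolean expectations use Assert.True/False instead of Assert.Equal(true/false, …).
            string targetName = "testTargetName";

            VirtualNetwork network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new NegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated);
                Assert.False(server.IsAuthenticated);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(server.IsMutuallyAuthenticated);

                Task[] auth =
                {
                    AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, targetName),
                    AuthenticateAsServerAsync(server),
                };

                await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);

                // Expected Client property values:
                Assert.True(client.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.True(client.IsEncrypted);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(client.IsServer);
                Assert.True(client.IsSigned);
                Assert.False(client.LeaveInnerStreamOpen);

                // NTLM is not mutual: the client-side remote identity's Name is the target name the
                // client supplied, not something proven by the server.
                IIdentity serverIdentity = client.RemoteIdentity;
                Assert.Equal("NTLM", serverIdentity.AuthenticationType);
                Assert.True(serverIdentity.IsAuthenticated);
                Assert.Equal(targetName, serverIdentity.Name);

                // Expected Server property values:
                Assert.True(server.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
                Assert.True(server.IsEncrypted);
                Assert.False(server.IsMutuallyAuthenticated);
                Assert.True(server.IsServer);
                Assert.True(server.IsSigned);
                Assert.False(server.LeaveInnerStreamOpen);

                IIdentity clientIdentity = server.RemoteIdentity;
                Assert.Equal("NTLM", clientIdentity.AuthenticationType);

                Assert.True(clientIdentity.IsAuthenticated);

                // The server must see the caller's own identity.
                IdentityValidator.AssertIsCurrentIdentity(clientIdentity);
            }
        }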
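        public void NegotiateStream_StreamToStream_Authentication_TargetName_Success()
        {
            // NTLM handshake over a mock network, calling the NegotiateStream APIs directly.
            // Boolean expectations use Assert.True/False instead of Assert.Equal(true/false, …).
            string targetName = "testTargetName";

            MockNetwork network = new MockNetwork();

            using (var clientStream = new FakeNetworkStream(false, network))
            using (var serverStream = new FakeNetworkStream(true, network))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new NegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated);
                Assert.False(server.IsAuthenticated);

                Task[] auth =
                {
                    client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, targetName),
                    server.AuthenticateAsServerAsync(),
                };

                // Synchronous test method: wait with a bound so a stalled handshake fails instead of hanging.
                bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
                Assert.True(finished, "Handshake completed in the allotted time");

                // Expected Client property values:
                Assert.True(client.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.True(client.IsEncrypted);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(client.IsServer);
                Assert.True(client.IsSigned);
                Assert.False(client.LeaveInnerStreamOpen);

                // NTLM is not mutual: the remote identity's Name echoes the supplied target name.
                IIdentity serverIdentity = client.RemoteIdentity;
                Assert.Equal("NTLM", serverIdentity.AuthenticationType);
                Assert.True(serverIdentity.IsAuthenticated);
                Assert.Equal(targetName, serverIdentity.Name);

                // Expected Server property values:
                Assert.True(server.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
                Assert.True(server.IsEncrypted);
                Assert.False(server.IsMutuallyAuthenticated);
                Assert.True(server.IsServer);
                Assert.True(server.IsSigned);
                Assert.False(server.LeaveInnerStreamOpen);

                IIdentity clientIdentity = server.RemoteIdentity;
                Assert.Equal("NTLM", clientIdentity.AuthenticationType);

                Assert.True(clientIdentity.IsAuthenticated);
                // The server must see the caller's own identity.
                IdentityValidator.AssertIsCurrentIdentity(clientIdentity);
            }
        }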
        public async Task NegotiateStream_StreamToStream_Authentication_Success(int delay)
        {
            // Default-credential NTLM handshake with an empty target name, where each end of the
            // connected stream pair is wrapped in a DelayStream to exercise timing-sensitive paths.
            (Stream clientEnd, Stream serverEnd) = TestHelper.GetConnectedStreams();

            using (var clientStream = new DelayStream(clientEnd, delay))
            using (var serverStream = new DelayStream(serverEnd, delay))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new NegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated);
                Assert.False(server.IsAuthenticated);

                Task[] handshake =
                {
                    AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty),
                    AuthenticateAsServerAsync(server),
                };
                await TestConfiguration.WhenAllOrAnyFailedWithTimeout(handshake);

                // Client side.
                Assert.True(client.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.Equal(IsEncryptedAndSigned, client.IsEncrypted);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(client.IsServer);
                Assert.Equal(IsEncryptedAndSigned, client.IsSigned);
                Assert.False(client.LeaveInnerStreamOpen);

                // With an empty target name the remote server identity is unauthenticated and nameless.
                IIdentity remoteServer = client.RemoteIdentity;
                Assert.Equal("NTLM", remoteServer.AuthenticationType);
                Assert.False(remoteServer.IsAuthenticated);
                Assert.Equal("", remoteServer.Name);

                // Server side.
                Assert.True(server.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
                Assert.Equal(IsEncryptedAndSigned, server.IsEncrypted);
                Assert.False(server.IsMutuallyAuthenticated);
                Assert.True(server.IsServer);
                Assert.Equal(IsEncryptedAndSigned, server.IsSigned);
                Assert.False(server.LeaveInnerStreamOpen);

                IIdentity remoteClient = server.RemoteIdentity;
                Assert.Equal("NTLM", remoteClient.AuthenticationType);

                Assert.True(remoteClient.IsAuthenticated);

                // The server must see the caller's own identity.
                IdentityValidator.AssertIsCurrentIdentity(remoteClient);
            }
        }
        private void AssertClientPropertiesForTarget(NegotiateStream client, string target)
        {
            // Client-side expectations for a completed Kerberos handshake against 'target':
            // authenticated, signed, encrypted and — unlike NTLM — mutually authenticated.
            Assert.True(client.IsAuthenticated, "client.IsAuthenticated");
            Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
            Assert.True(client.IsEncrypted, "client.IsEncrypted");
            Assert.True(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
            Assert.False(client.IsServer, "client.IsServer");
            Assert.True(client.IsSigned, "client.IsSigned");
            Assert.False(client.LeaveInnerStreamOpen, "client.LeaveInnerStreamOpen");

            // The remote identity must be the Kerberos service principal the client asked for.
            IIdentity remote = client.RemoteIdentity;
            Assert.Equal("Kerberos", remote.AuthenticationType);
            Assert.True(remote.IsAuthenticated, "serverIdentity.IsAuthenticated");
            IdentityValidator.AssertHasName(remote, target);
        }
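        public void NegotiateStream_StreamToStream_KerberosAuthDefaultCredentials_Success()
        {
            // Kerberos handshake using the process's default credentials. The default credential cache
            // is seeded from the fixture before the client authenticates. Principal names are built
            // with interpolation rather than string.Format.
            if (!_isKrbAvailable)
            {
                _output.WriteLine("skipping NegotiateStream_StreamToStream_KerberosAuthDefaultCredentials_Success");
                return;
            }

            VirtualNetwork network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new UnixGssFakeNegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated, "client is not authenticated before AuthenticateAsClient call");

                // user@REALM and service@REALM principal names, taken from TestConfiguration.
                string user = $"{TestConfiguration.KerberosUser}@{TestConfiguration.Realm}";
                string target = $"{TestConfiguration.HostTarget}@{TestConfiguration.Realm}";

                // Seed the default Kerberos cache with the TGT before authenticating with DefaultNetworkCredentials.
                UnixGssFakeNegotiateStream.GetDefaultKerberosCredentials(user, _fixture.password);

                Task[] auth =
                {
                    client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, target),
                    server.AuthenticateAsServerAsync(),
                };

                // Synchronous test method: wait with a bound so a stalled handshake fails instead of hanging.
                bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
                Assert.True(finished, "Handshake completed in the allotted time");

                // Expected Client property values: Kerberos yields a signed, encrypted and — unlike
                // NTLM — mutually authenticated session.
                Assert.True(client.IsAuthenticated, "client.IsAuthenticated");
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.True(client.IsEncrypted, "client.IsEncrypted");
                Assert.True(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
                Assert.False(client.IsServer, "client.IsServer");
                Assert.True(client.IsSigned, "client.IsSigned");
                Assert.False(client.LeaveInnerStreamOpen, "client.LeaveInnerStreamOpen");

                // The remote identity must be the service principal the client asked for.
                IIdentity serverIdentity = client.RemoteIdentity;
                Assert.Equal("Kerberos", serverIdentity.AuthenticationType);
                Assert.True(serverIdentity.IsAuthenticated, "serverIdentity.IsAuthenticated");
                IdentityValidator.AssertHasName(serverIdentity, target);
            }
        }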
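        public void NegotiateStream_StreamToStream_NtlmAuthentication_KerberosCreds_Success()
        {
            // NTLM handshake with explicit user@REALM credentials and ProtectionLevel.None. The user
            // name is built with interpolation rather than string.Format.
            if (!_isNtlmAvailable)
            {
                _output.WriteLine("skipping NegotiateStream_StreamToStream_NtlmAuthentication_KerberosCreds_Success");
                return;
            }

            VirtualNetwork network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new UnixGssFakeNegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated, "client.IsAuthenticated");
                Assert.False(server.IsAuthenticated, "server.IsAuthenticated");

                string user = $"{TestConfiguration.KerberosUser}@{TestConfiguration.Realm}";
                NetworkCredential credential = new NetworkCredential(user, _fixture.password);

                // ProtectionLevel.None: the resulting session is neither signed nor encrypted, which
                // the IsEncrypted / IsSigned assertions below pin down.
                Task[] auth =
                {
                    client.AuthenticateAsClientAsync(credential, TestConfiguration.HttpTarget, ProtectionLevel.None, TokenImpersonationLevel.Identification),
                    server.AuthenticateAsServerAsync(),
                };

                // Synchronous test method: wait with a bound so a stalled handshake fails instead of hanging.
                bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
                Assert.True(finished, "Handshake completed in the allotted time");

                // Expected Client property values:
                Assert.True(client.IsAuthenticated, "client.IsAuthenticated");
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.False(client.IsEncrypted, "client.IsEncrypted");
                Assert.False(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
                Assert.False(client.IsServer, "client.IsServer");
                Assert.False(client.IsSigned, "client.IsSigned");
                Assert.False(client.LeaveInnerStreamOpen, "client.LeaveInnerStreamOpen");

                // NTLM is not mutual: the remote identity's name is the target the client supplied.
                IIdentity serverIdentity = client.RemoteIdentity;
                Assert.Equal("NTLM", serverIdentity.AuthenticationType);
                Assert.True(serverIdentity.IsAuthenticated, "server identity is authenticated");
                IdentityValidator.AssertHasName(serverIdentity, TestConfiguration.HttpTarget);
            }
        }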
        public async Task NegotiateStream_StreamToStream_NtlmAuthentication_ValidCredentials_Success(NetworkCredential credential)
        {
            // Parameterised NTLM handshake: 'credential' is supplied by the test data source and is
            // expected to be accepted by the fake GSS server, with ProtectionLevel.None negotiated.
            if (!_isNtlmAvailable)
            {
                _output.WriteLine("skipping NegotiateStream_StreamToStream_NtlmAuthentication_ValidCredentials_Success");
                return;
            }

            var network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new UnixGssFakeNegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated, "client.IsAuthenticated");
                Assert.False(server.IsAuthenticated, "server.IsAuthenticated");

                Task clientHandshake = client.AuthenticateAsClientAsync(credential, _testTarget, ProtectionLevel.None, TokenImpersonationLevel.Identification);
                Task serverHandshake = server.AuthenticateAsServerAsync();

                await TestConfiguration.WhenAllOrAnyFailedWithTimeout(new[] { clientHandshake, serverHandshake });

                // Client side: authenticated, but with ProtectionLevel.None the session is neither
                // signed nor encrypted, and NTLM gives no mutual authentication.
                Assert.True(client.IsAuthenticated, "client.IsAuthenticated");
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.False(client.IsEncrypted, "client.IsEncrypted");
                Assert.False(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
                Assert.False(client.IsServer, "client.IsServer");
                Assert.False(client.IsSigned, "client.IsSigned");
                Assert.False(client.LeaveInnerStreamOpen, "client.LeaveInnerStreamOpen");

                // The remote identity's name is the target the client supplied.
                IIdentity remoteServer = client.RemoteIdentity;
                Assert.Equal("NTLM", remoteServer.AuthenticationType);
                Assert.True(remoteServer.IsAuthenticated, "serverIdentity.IsAuthenticated");
                IdentityValidator.AssertHasName(remoteServer, _testTarget);
            }
        }
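        public void NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails()
        {
            // NTLM handshake with an all-empty NetworkCredential. Boolean expectations use
            // Assert.True/False instead of Assert.Equal(true/false, …).
            string targetName = "testTargetName";

            // Ensure there is no confusion between DefaultCredentials / DefaultNetworkCredentials and a
            // NetworkCredential object with empty user, password and domain.
            NetworkCredential emptyNetworkCredential = new NetworkCredential("", "", "");

            Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultCredentials);
            Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultNetworkCredentials);

            VirtualNetwork network = new VirtualNetwork();

            using (var clientStream = new VirtualNetworkStream(network, isServer: false))
            using (var serverStream = new VirtualNetworkStream(network, isServer: true))
            using (var client = new NegotiateStream(clientStream))
            using (var server = new NegotiateStream(serverStream))
            {
                Assert.False(client.IsAuthenticated);
                Assert.False(server.IsAuthenticated);

                Task[] auth =
                {
                    client.AuthenticateAsClientAsync(emptyNetworkCredential, targetName),
                    server.AuthenticateAsServerAsync(),
                };

                // Synchronous test method: wait with a bound so a stalled handshake fails instead of hanging.
                bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
                Assert.True(finished, "Handshake completed in the allotted time");

                // Expected Client property values:
                Assert.True(client.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
                Assert.True(client.IsEncrypted);
                Assert.False(client.IsMutuallyAuthenticated);
                Assert.False(client.IsServer);
                Assert.True(client.IsSigned);
                Assert.False(client.LeaveInnerStreamOpen);

                // NTLM is not mutual: the remote identity's Name echoes the supplied target name.
                IIdentity serverIdentity = client.RemoteIdentity;
                Assert.Equal("NTLM", serverIdentity.AuthenticationType);
                Assert.True(serverIdentity.IsAuthenticated);
                Assert.Equal(targetName, serverIdentity.Name);

                // Expected Server property values. Note that server.IsAuthenticated is true even though
                // the peer presented empty credentials; the negotiated identity below is the anonymous
                // logon, so a server must inspect RemoteIdentity rather than the stream flag alone.
                Assert.True(server.IsAuthenticated);
                Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
                Assert.True(server.IsEncrypted);
                Assert.False(server.IsMutuallyAuthenticated);
                Assert.True(server.IsServer);
                Assert.True(server.IsSigned);
                Assert.False(server.LeaveInnerStreamOpen);

                IIdentity clientIdentity = server.RemoteIdentity;
                Assert.Equal("NTLM", clientIdentity.AuthenticationType);

                // TODO #5241: Behavior difference:
                Assert.False(clientIdentity.IsAuthenticated);
                // On .Net Desktop: Assert.True(clientIdentity.IsAuthenticated);

                IdentityValidator.AssertHasName(clientIdentity, @"NT AUTHORITY\ANONYMOUS LOGON");
            }
        }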