internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false)
        {
            KerberosClient client;

            if (listener == null)
            {
                client = new KerberosClient();

                client.PinKdc("corp.identityintervention.com", kdc);
            }
            else
            {
                IKerberosTransport transport = new InMemoryTransport(listener);

                client = new KerberosClient(transports: transport);
            }

            client.Configuration.Defaults.DnsLookupKdc = queryDns;

            client.CacheServiceTickets   = caching;
            client.RenewTickets          = caching;
            client.RenewTicketsThreshold = TimeSpan.MaxValue;
            client.RefreshPollInterval   = TimeSpan.FromMilliseconds(10);

            return(client);
        }
Beispiel #2
0
        private static KerberosClient CreateClient(string kdc, KdcListener listener)
        {
            KerberosClient client;

            if (listener == null)
            {
                throw new Exception();
            }
            else
            {
                IKerberosTransport transport = new InMemoryTransport(listener);

                client = new KerberosClient(transports: transport);
            }

            return(client);
        }
        internal static KerberosClient CreateClient(
            KdcListener listener,
            string kdc              = null,
            bool caching            = true,
            bool queryDns           = false,
            bool allowWeakCrypto    = false,
            bool useWeakCrypto      = false,
            bool useKrb5TicketCache = false
            )
        {
            KerberosClient client;

            if (listener == null)
            {
                client = new KerberosClientWrapper(useKrb5TicketCache);

                client.PinKdc("corp.identityintervention.com", kdc);
            }
            else
            {
                IKerberosTransport transport = new InMemoryTransport(listener);

                client = new KerberosClientWrapper(useKrb5TicketCache, transports: transport);
            }

            client.Configuration.Defaults.DnsLookupKdc    = queryDns;
            client.Configuration.Defaults.AllowWeakCrypto = allowWeakCrypto;
            client.CacheServiceTickets   = caching;
            client.RenewTickets          = caching;
            client.RenewTicketsThreshold = TimeSpan.MaxValue;
            client.RefreshPollInterval   = TimeSpan.FromMilliseconds(10);
            client.CacheInMemory         = !useKrb5TicketCache;
            client.Cache.RefreshTickets  = useKrb5TicketCache;

            if (useWeakCrypto)
            {
                client.Configuration.Defaults.DefaultTicketEncTypes.Clear();
                client.Configuration.Defaults.DefaultTicketEncTypes.Add(EncryptionType.RC4_HMAC_NT);
            }

            return(client);
        }
Beispiel #4
0
        internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true)
        {
            KerberosClient client;

            if (listener == null)
            {
                client = new KerberosClient(kdc: kdc);
            }
            else
            {
                IKerberosTransport transport = new InMemoryTransport(listener);

                client = new KerberosClient(transports: transport);
            }

            client.CacheServiceTickets   = caching;
            client.RenewTickets          = caching;
            client.RenewTicketsThreshold = TimeSpan.MaxValue;
            client.RefreshPollInterval   = TimeSpan.FromMilliseconds(10);

            return(client);
        }
Beispiel #5
0
 public InMemoryTransport(KdcListener listener)
 {
     this.listener = listener;
     this.Enabled  = true;
 }
Beispiel #6
0
        internal static async Task RequestAndValidateTickets(
            KdcListener listener,
            string user,
            string password       = null,
            string overrideKdc    = null,
            KeyTable keytab       = null,
            string s4u            = null,
            bool encodeNego       = false,
            bool caching          = false,
            bool includePac       = true,
            X509Certificate2 cert = null,
            string spn            = FakeAppServiceSpn,
            KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
            )
        {
            KerberosCredential kerbCred;

            if (cert != null)
            {
                kerbCred = new TrustedAsymmetricCredential(cert, user)
                {
                    KeyAgreement = keyAgreement
                };
            }
            else if (keytab != null)
            {
                kerbCred = new KeytabCredential(user, keytab);
            }
            else
            {
                kerbCred = new KerberosPasswordCredential(user, password);
            }

            KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);

            using (client)
            {
                if (!includePac)
                {
                    client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
                }

                await client.Authenticate(kerbCred);

                var ticket = await client.GetServiceTicket(
                    new RequestServiceTicket
                {
                    ServicePrincipalName = spn,
                    ApOptions            = ApOptions.MutualRequired
                }
                    );

                await ValidateTicket(ticket, includePac : includePac, spn : spn);

                await client.RenewTicket();

                ticket = await client.GetServiceTicket(
                    new RequestServiceTicket
                {
                    ServicePrincipalName = spn,
                    ApOptions            = ApOptions.MutualRequired
                }
                    );

                await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn);

                ticket = await client.GetServiceTicket(
                    new RequestServiceTicket
                {
                    ServicePrincipalName = spn,
                    ApOptions            = ApOptions.MutualRequired,
                    S4uTarget            = s4u
                }
                    );

                await ValidateTicket(ticket, includePac : includePac, spn : spn);
            }
        }
Beispiel #7
0
        internal static async Task <List <Exception> > MultithreadedRequests(
            int threads,
            int requests,
            bool cacheTickets,
            bool encodeNego,
            bool includePac,
            string kdc,
            X509Certificate2 cert,
            KdcListener listener
            )
        {
            var exceptions = new List <Exception>();

            KerberosCredential kerbCred;

            if (cert != null)
            {
                kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
            }
            else
            {
                kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
            }

            KerberosClient client = CreateClient(listener, kdc);

            using (client)
            {
                client.CacheServiceTickets = cacheTickets;

                if (!includePac)
                {
                    client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
                }

                await client.Authenticate(kerbCred);

                Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() =>
                {
                    for (var i = 0; i < requests; i++)
                    {
                        try
                        {
                            if (i % 2 == 0)
                            {
                                await client.Authenticate(kerbCred);
                            }

                            var ticket = await client.GetServiceTicket(new RequestServiceTicket
                            {
                                ServicePrincipalName = FakeAppServiceSpn,
                                ApOptions            = ApOptions.MutualRequired
                            });

                            Assert.IsNotNull(ticket.ApReq);

                            await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
                        }
                        catch (Exception ex)
                        {
                            exceptions.Add(ex);
                        }
                    }
                })).ToArray());
            }

            return(exceptions);
        }
        internal static async Task RequestAndValidateTicketsWithCaches(
            KdcListener listener,
            string user,
            string password       = null,
            string overrideKdc    = null,
            KeyTable keytab       = null,
            string s4u            = null,
            bool encodeNego       = false,
            bool caching          = false,
            bool includePac       = true,
            X509Certificate2 cert = null,
            string spn            = FakeAppServiceSpn,
            KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
            bool allowWeakCrypto    = false,
            bool useWeakCrypto      = false,
            bool mutualAuth         = true,
            KrbTicket s4uTicket     = null,
            bool useKrb5TicketCache = false
            )
        {
            KerberosCredential kerbCred;

            if (cert != null)
            {
                kerbCred = new TrustedAsymmetricCredential(cert, user)
                {
                    KeyAgreement = keyAgreement
                };
            }
            else if (keytab != null)
            {
                kerbCred = new KeytabCredential(user, keytab);
            }
            else
            {
                kerbCred = new KerberosPasswordCredential(user, password);
            }

            KerberosClient client = CreateClient(
                listener,
                overrideKdc,
                caching: caching,
                allowWeakCrypto: allowWeakCrypto,
                useWeakCrypto: useWeakCrypto,
                useKrb5TicketCache: useKrb5TicketCache
                );

            using (kerbCred as IDisposable)
                using (client)
                {
                    if (!includePac)
                    {
                        client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
                    }

                    await client.Authenticate(kerbCred);

                    var ticket = await client.GetServiceTicket(
                        new RequestServiceTicket
                    {
                        ServicePrincipalName = spn,
                        ApOptions            = mutualAuth ? ApOptions.MutualRequired : 0
                    }
                        );

                    await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);

                    await client.RenewTicket();

                    ticket = await client.GetServiceTicket(
                        new RequestServiceTicket
                    {
                        ServicePrincipalName = spn,
                        ApOptions            = mutualAuth ? ApOptions.MutualRequired : 0
                    }
                        );

                    await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth);

                    ticket = await client.GetServiceTicket(
                        new RequestServiceTicket
                    {
                        ServicePrincipalName = spn,
                        ApOptions            = mutualAuth ? ApOptions.MutualRequired : 0,
                        S4uTarget            = s4u,
                        S4uTicket            = s4uTicket
                    }
                        );

                    await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
                }

            if (user.Contains("-fallback"))
            {
                Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType);
            }
            else
            {
                Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType);
            }
        }
        internal static async Task RequestAndValidateTickets(
            KdcListener listener,
            string user,
            string password       = null,
            string overrideKdc    = null,
            KeyTable keytab       = null,
            string s4u            = null,
            bool encodeNego       = false,
            bool caching          = false,
            bool includePac       = true,
            X509Certificate2 cert = null,
            string spn            = FakeAppServiceSpn,
            KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
            bool allowWeakCrypto = false,
            bool useWeakCrypto   = false,
            bool mutualAuth      = true,
            KrbTicket s4uTicket  = null
            )
        {
            await RequestAndValidateTicketsWithCaches(
                listener,
                user,
                password,
                overrideKdc,
                keytab,
                s4u,
                encodeNego,
                caching,
                includePac,
                cert,
                spn,
                keyAgreement,
                allowWeakCrypto,
                useWeakCrypto,
                mutualAuth,
                s4uTicket
                );

            if (caching)
            {
                await RequestAndValidateTicketsWithCaches(
                    listener,
                    user,
                    password,
                    overrideKdc,
                    keytab,
                    s4u,
                    encodeNego,
                    caching,
                    includePac,
                    cert,
                    spn,
                    keyAgreement,
                    allowWeakCrypto,
                    useWeakCrypto,
                    mutualAuth,
                    s4uTicket,
                    useKrb5TicketCache : true
                    );
            }
        }