public void GetKrbCred()
{
KerberosSupplementalTicket ticket = KerberosSupplementalTicketManager.FromIdToken(_testIdTokenWithKerberosTicketClaim);
byte[] krbCred = KerberosSupplementalTicketManager.GetKrbCred(ticket);
Assert.IsNotNull(krbCred);
}
public void FromIdToken_WithKerberosTicket()
{
KerberosSupplementalTicket ticket = KerberosSupplementalTicketManager.FromIdToken(_testIdTokenWithKerberosTicketClaim);
Assert.IsNotNull(ticket);
Assert.IsTrue(string.IsNullOrEmpty(ticket.ErrorMessage));
Assert.IsFalse(string.IsNullOrEmpty(ticket.KerberosMessageBuffer));
Assert.AreEqual(_testServicePrincipalName, ticket.ServicePrincipalName, "Service principal name is not matched.");
Assert.AreEqual(_testClientName, ticket.ClientName, "Client name is not matched.");
}
/// <summary>
/// Get a Kerberos Ticket contained in the given token.
/// </summary>
/// <param name="token">Token to be validated.</param>
/// <param name="userUpn">UPN of the client.</param>
/// <returns>A <see cref="KerberosSupplementalTicket"/> if there's valid one.</returns>
public static KerberosSupplementalTicket GetValidatedKerberosTicketFromToken(string token, string userUpn)
{
KerberosSupplementalTicket ticket = KerberosSupplementalTicketManager.FromIdToken(token);
Assert.IsNotNull(ticket, "Kerberos Ticket is not found.");
Assert.IsTrue(string.IsNullOrEmpty(ticket.ErrorMessage), "Kerberos Ticket creation failed with: " + ticket.ErrorMessage);
Assert.IsFalse(string.IsNullOrEmpty(ticket.KerberosMessageBuffer), "Kerberos Ticket data is not found.");
Assert.IsTrue(ticket.KerberosMessageBuffer.Length > TestConstants.KerberosMinMessageBufferLength, "Received Kerberos Ticket data is too short.");
Assert.AreEqual(KerberosKeyTypes.Aes256CtsHmacSha196, ticket.KeyType, "Kerberos key type is not matched.");
Assert.AreEqual(TestConstants.KerberosServicePrincipalName, ticket.ServicePrincipalName, true, CultureInfo.InvariantCulture, "Service principal name is not matched.");
Assert.AreEqual(userUpn, ticket.ClientName, true, CultureInfo.InvariantCulture, "Client name is not matched.");
return(ticket);
}
/// <summary>
/// Checks there's a valid Kerberos Ticket information within the received authentication token.
/// If there's a valid one, show the ticket information and cache it into current user's
/// Windows Ticket Cache so that it can be shared with other Kerberos-aware applications.
/// </summary>
/// <param name="result">The <see cref="AuthenticationResult"/> from token request.</param>
private void ProcessKerberosTicket(AuthenticationResult result)
{
KerberosSupplementalTicket ticket;
if (_ticketContainer == KerberosTicketContainer.IdToken)
{
// 1. Get the Kerberos Ticket contained in the Id Token.
ticket = KerberosSupplementalTicketManager.FromIdToken(result.IdToken);
if (ticket == null)
{
AADKerberosLogger.Save("ERROR: There's no Kerberos Ticket information within the IdToken.");
return;
}
AADKerberosLogger.PrintLines(2);
try
{
// 2. Save the Kerberos Ticket into current user's Windows Ticket Cache.
KerberosSupplementalTicketManager.SaveToWindowsTicketCache(ticket, _logonId);
AADKerberosLogger.Save("---Kerberos Ticket cached into user's Ticket Cache\n");
}
catch (Win32Exception ex)
{
AADKerberosLogger.Save("---Kerberos Ticket caching failed: " + ex.Message);
}
AADKerberosLogger.PrintLines(2);
AADKerberosLogger.Save("KerberosSupplementalTicket {");
AADKerberosLogger.Save(" Client Key: " + ticket.ClientKey);
AADKerberosLogger.Save(" Key Type: " + ticket.KeyType);
AADKerberosLogger.Save(" Errorr Message: " + ticket.ErrorMessage);
AADKerberosLogger.Save(" Realm: " + ticket.Realm);
AADKerberosLogger.Save(" Service Principal Name: " + ticket.ServicePrincipalName);
AADKerberosLogger.Save(" Client Name: " + ticket.ClientName);
AADKerberosLogger.Save(" KerberosMessageBuffer: " + ticket.KerberosMessageBuffer);
AADKerberosLogger.Save("}\n");
// shows detailed ticket information.
TicketDecoder decoder = new TicketDecoder();
decoder.ShowKrbCredTicket(ticket.KerberosMessageBuffer);
}
else
{
AADKerberosLogger.PrintLines(2);
AADKerberosLogger.Save("Kerberos Ticket handling is not supported for access token.");
}
}
public void FromIdToken_WithoutKerberosTicket()
{
KerberosSupplementalTicket ticket = KerberosSupplementalTicketManager.FromIdToken(_testIdToken);
Assert.IsNull(ticket);
}
/// <summary>
/// Validates there were no valid Kerberos Ticket contained in the given token.
/// </summary>
/// <param name="token">Token to be validated.</param>
public static void ValidateNoKerberosTicketFromToken(string token)
{
KerberosSupplementalTicket ticket = KerberosSupplementalTicketManager.FromIdToken(token);
Assert.IsNull(ticket, "Kerberos Ticket exists.");
}