/// <summary>
/// Builds a <see cref="KerberosClient"/> for tests. With an in-process
/// <paramref name="listener"/> all traffic stays in memory; without one the client
/// is pinned to the KDC given by <paramref name="kdc"/> for the corp.identityintervention.com realm.
/// </summary>
/// <param name="listener">In-memory KDC to send requests to; null means talk to the pinned network KDC.</param>
/// <param name="kdc">KDC address handed to <c>PinKdc</c>; ignored when <paramref name="listener"/> is supplied.</param>
/// <param name="caching">Turns service-ticket caching and ticket renewal on or off together.</param>
/// <param name="queryDns">Stored in <c>Configuration.Defaults.DnsLookupKdc</c>.</param>
/// <returns>The configured client; the caller owns and disposes it.</returns>
internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false)
{
    KerberosClient client;

    if (listener == null)
    {
        // No in-process KDC: route to the fixed test realm's KDC instead.
        client = new KerberosClient();
        client.PinKdc("corp.identityintervention.com", kdc);
    }
    else
    {
        client = new KerberosClient(transports: new InMemoryTransport(listener));
    }

    client.Configuration.Defaults.DnsLookupKdc = queryDns;

    // Caching and renewal are toggled as a pair; the threshold/poll values keep the
    // renewal loop effectively idle while still running for the tests.
    client.CacheServiceTickets = caching;
    client.RenewTickets = caching;
    client.RenewTicketsThreshold = TimeSpan.MaxValue;
    client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);

    return client;
}
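/// <summary>
/// Builds a <see cref="KerberosClient"/> whose only transport is an in-process
/// <see cref="InMemoryTransport"/> over <paramref name="listener"/>.
/// </summary>
/// <param name="kdc">Not consulted; kept so existing callers compile. Every request goes to <paramref name="listener"/>.</param>
/// <param name="listener">The in-memory KDC that will receive the client's requests.</param>
/// <returns>A client bound to <paramref name="listener"/>; the caller owns and disposes it.</returns>
/// <exception cref="ArgumentNullException"><paramref name="listener"/> is null.</exception>
private static KerberosClient CreateClient(string kdc, KdcListener listener)
{
    if (listener == null)
    {
        // Previously a bare `new Exception()`, which told the caller nothing about which argument was wrong.
        throw new ArgumentNullException(nameof(listener));
    }

    IKerberosTransport transport = new InMemoryTransport(listener);

    return new KerberosClient(transports: transport);
}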
/// <summary>
/// Builds a test <see cref="KerberosClient"/> (via <c>KerberosClientWrapper</c>) that either
/// talks to the in-process <paramref name="listener"/> or, when none is given, to the KDC
/// pinned for corp.identityintervention.com.
/// </summary>
/// <param name="listener">In-memory KDC to send requests to; null means use the pinned network KDC.</param>
/// <param name="kdc">KDC address handed to <c>PinKdc</c>; ignored when <paramref name="listener"/> is supplied.</param>
/// <param name="caching">Turns service-ticket caching and ticket renewal on or off together.</param>
/// <param name="queryDns">Stored in <c>Configuration.Defaults.DnsLookupKdc</c>.</param>
/// <param name="allowWeakCrypto">Stored in <c>Configuration.Defaults.AllowWeakCrypto</c>.</param>
/// <param name="useWeakCrypto">
/// When true the default ticket enctype list is reduced to RC4_HMAC_NT only, so every request
/// advertises just that weak enctype. Intended for exercising the weak-crypto code paths in tests.
/// </param>
/// <param name="useKrb5TicketCache">Selects the krb5 ticket cache instead of the in-memory one and enables cache refresh.</param>
/// <returns>The configured client; the caller owns and disposes it.</returns>
internal static KerberosClient CreateClient(
    KdcListener listener,
    string kdc = null,
    bool caching = true,
    bool queryDns = false,
    bool allowWeakCrypto = false,
    bool useWeakCrypto = false,
    bool useKrb5TicketCache = false
)
{
    KerberosClient client = Construct();

    client.Configuration.Defaults.DnsLookupKdc = queryDns;
    client.Configuration.Defaults.AllowWeakCrypto = allowWeakCrypto;

    // Caching and renewal are toggled as a pair; the threshold/poll values keep the
    // renewal loop effectively idle while still running for the tests.
    client.CacheServiceTickets = caching;
    client.RenewTickets = caching;
    client.RenewTicketsThreshold = TimeSpan.MaxValue;
    client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);

    // Exactly one of the two cache modes is active.
    client.CacheInMemory = !useKrb5TicketCache;
    client.Cache.RefreshTickets = useKrb5TicketCache;

    if (useWeakCrypto)
    {
        RestrictToRc4(client);
    }

    return client;

    // Picks the transport: in-memory when a listener exists, otherwise the pinned network KDC.
    KerberosClient Construct()
    {
        if (listener == null)
        {
            var networkClient = new KerberosClientWrapper(useKrb5TicketCache);
            networkClient.PinKdc("corp.identityintervention.com", kdc);
            return networkClient;
        }

        return new KerberosClientWrapper(useKrb5TicketCache, transports: new InMemoryTransport(listener));
    }

    // Leaves RC4_HMAC_NT as the only enctype the client will request.
    static void RestrictToRc4(KerberosClient target)
    {
        target.Configuration.Defaults.DefaultTicketEncTypes.Clear();
        target.Configuration.Defaults.DefaultTicketEncTypes.Add(EncryptionType.RC4_HMAC_NT);
    }
}
/// <summary>
/// Builds a test <see cref="KerberosClient"/>: in-memory transport when <paramref name="listener"/>
/// is given, otherwise a client constructed against <paramref name="kdc"/>.
/// </summary>
/// <param name="listener">In-memory KDC to send requests to; null means use <paramref name="kdc"/>.</param>
/// <param name="kdc">Passed to the <c>KerberosClient(kdc:)</c> constructor; ignored when <paramref name="listener"/> is supplied.</param>
/// <param name="caching">Turns service-ticket caching and ticket renewal on or off together.</param>
/// <returns>The configured client; the caller owns and disposes it.</returns>
internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true)
{
    KerberosClient client = listener == null
        ? new KerberosClient(kdc: kdc)
        : new KerberosClient(transports: new InMemoryTransport(listener));

    // Caching and renewal are toggled as a pair; the threshold/poll values keep the
    // renewal loop effectively idle while still running for the tests.
    client.CacheServiceTickets = caching;
    client.RenewTickets = caching;
    client.RenewTicketsThreshold = TimeSpan.MaxValue;
    client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);

    return client;
}
/// <summary>
/// Creates a transport that hands requests straight to <paramref name="listener"/> in-process.
/// The transport starts enabled.
/// </summary>
/// <param name="listener">The in-memory KDC that will handle requests sent through this transport.</param>
public InMemoryTransport(KdcListener listener)
{
    Enabled = true;
    this.listener = listener;
}
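/// <summary>
/// End-to-end test helper: authenticates <paramref name="user"/> with the strongest credential
/// supplied (certificate, then keytab, then password), requests a service ticket for
/// <paramref name="spn"/>, renews the TGT, requests again, and finally requests an S4U ticket for
/// <paramref name="s4u"/>, validating each ticket with <c>ValidateTicket</c>.
/// </summary>
/// <param name="listener">In-memory KDC, or null to use the network KDC selected by <paramref name="overrideKdc"/>.</param>
/// <param name="user">Principal to authenticate as.</param>
/// <param name="password">Used only when neither <paramref name="cert"/> nor <paramref name="keytab"/> is given.</param>
/// <param name="overrideKdc">Forwarded to <c>CreateClient</c> as the KDC address.</param>
/// <param name="keytab">Keytab credential source; takes precedence over <paramref name="password"/>.</param>
/// <param name="s4u">S4U target principal for the third ticket request; null requests a plain ticket.</param>
/// <param name="encodeNego">Forwarded to <c>ValidateTicket</c> for the second validation only.</param>
/// <param name="caching">Forwarded to <c>CreateClient</c>.</param>
/// <param name="includePac">When false the PAC request flag is cleared before authenticating and <c>ValidateTicket</c> is told not to expect one.</param>
/// <param name="cert">Certificate credential source (PKINIT); takes precedence over the other two.</param>
/// <param name="spn">Service principal name to request tickets for.</param>
/// <param name="keyAgreement">Key agreement used with <paramref name="cert"/>.</param>
internal static async Task RequestAndValidateTickets(
    KdcListener listener,
    string user,
    string password = null,
    string overrideKdc = null,
    KeyTable keytab = null,
    string s4u = null,
    bool encodeNego = false,
    bool caching = false,
    bool includePac = true,
    X509Certificate2 cert = null,
    string spn = FakeAppServiceSpn,
    KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
)
{
    KerberosCredential kerbCred;

    // Credential precedence: certificate, then keytab, then password.
    if (cert != null)
    {
        kerbCred = new TrustedAsymmetricCredential(cert, user) { KeyAgreement = keyAgreement };
    }
    else if (keytab != null)
    {
        kerbCred = new KeytabCredential(user, keytab);
    }
    else
    {
        kerbCred = new KerberosPasswordCredential(user, password);
    }

    KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);

    // Credentials that hold key material are disposable; release them together with the client
    // (same pattern as RequestAndValidateTicketsWithCaches). `using (null)` is a no-op.
    using (kerbCred as IDisposable)
    using (client)
    {
        if (!includePac)
        {
            client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
        }

        await client.Authenticate(kerbCred);

        var ticket = await client.GetServiceTicket(
            new RequestServiceTicket
            {
                ServicePrincipalName = spn,
                ApOptions = ApOptions.MutualRequired
            }
        );

        await ValidateTicket(ticket, includePac: includePac, spn: spn);

        // Renew, then request again so the post-renewal ticket is validated too.
        await client.RenewTicket();

        ticket = await client.GetServiceTicket(
            new RequestServiceTicket
            {
                ServicePrincipalName = spn,
                ApOptions = ApOptions.MutualRequired
            }
        );

        await ValidateTicket(ticket, encodeNego, includePac: includePac, spn: spn);

        ticket = await client.GetServiceTicket(
            new RequestServiceTicket
            {
                ServicePrincipalName = spn,
                ApOptions = ApOptions.MutualRequired,
                S4uTarget = s4u
            }
        );

        await ValidateTicket(ticket, includePac: includePac, spn: spn);
    }
}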
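/// <summary>
/// Stress helper: after one initial authentication, runs <paramref name="threads"/> workers that
/// each perform <paramref name="requests"/> service-ticket requests against the shared client
/// (re-authenticating on every even iteration) and validate the result.
/// </summary>
/// <param name="threads">Number of concurrent workers.</param>
/// <param name="requests">Requests issued per worker.</param>
/// <param name="cacheTickets">Stored in <c>client.CacheServiceTickets</c>.</param>
/// <param name="encodeNego">Forwarded to <c>ValidateTicket</c>.</param>
/// <param name="includePac">When false the PAC request flag is cleared and <c>ValidateTicket</c> is told not to expect one.</param>
/// <param name="kdc">Forwarded to <c>CreateClient</c> as the KDC address.</param>
/// <param name="cert">When given, authenticates TestAtCorpUserName with PKINIT; otherwise the admin password credential is used.</param>
/// <param name="listener">In-memory KDC, or null for the network KDC.</param>
/// <returns>Every exception thrown by a worker iteration (including assertion failures); empty on full success.</returns>
internal static async Task<List<Exception>> MultithreadedRequests(
    int threads,
    int requests,
    bool cacheTickets,
    bool encodeNego,
    bool includePac,
    string kdc,
    X509Certificate2 cert,
    KdcListener listener
)
{
    var exceptions = new List<Exception>();

    // List<T> is not safe for concurrent Add; workers serialize on this gate.
    var exceptionsGate = new object();

    KerberosCredential kerbCred;

    if (cert != null)
    {
        kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
    }
    else
    {
        kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
    }

    KerberosClient client = CreateClient(listener, kdc);

    using (client)
    {
        client.CacheServiceTickets = cacheTickets;

        if (!includePac)
        {
            client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
        }

        await client.Authenticate(kerbCred);

        var workers = Enumerable.Range(0, threads).Select(_ => Task.Run(async () =>
        {
            for (var i = 0; i < requests; i++)
            {
                try
                {
                    // Re-authenticate on even iterations so the TGT is replaced while other workers use it.
                    if (i % 2 == 0)
                    {
                        await client.Authenticate(kerbCred);
                    }

                    var ticket = await client.GetServiceTicket(new RequestServiceTicket
                    {
                        ServicePrincipalName = FakeAppServiceSpn,
                        ApOptions = ApOptions.MutualRequired
                    });

                    Assert.IsNotNull(ticket.ApReq);

                    await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
                }
                catch (Exception ex)
                {
                    lock (exceptionsGate)
                    {
                        exceptions.Add(ex);
                    }
                }
            }
        })).ToArray();

        // Await rather than Task.WaitAll: blocking inside an async method ties up a pool thread
        // the workers may themselves need.
        await Task.WhenAll(workers);
    }

    return exceptions;
}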
/// <summary>
/// End-to-end test helper: authenticates <paramref name="user"/> with the strongest credential
/// supplied (certificate, then keytab, then password), requests a service ticket for
/// <paramref name="spn"/>, renews the TGT, requests again, then requests an S4U ticket for
/// <paramref name="s4u"/>/<paramref name="s4uTicket"/>, validating each with <c>ValidateTicket</c>.
/// After the client is torn down it asserts the principal name type the credential settled on.
/// </summary>
/// <param name="listener">In-memory KDC, or null to use the network KDC selected by <paramref name="overrideKdc"/>.</param>
/// <param name="user">Principal to authenticate as. Names containing "-fallback" are expected to end up as NT_PRINCIPAL, all others as NT_ENTERPRISE.</param>
/// <param name="password">Used only when neither <paramref name="cert"/> nor <paramref name="keytab"/> is given.</param>
/// <param name="overrideKdc">Forwarded to <c>CreateClient</c> as the KDC address.</param>
/// <param name="keytab">Keytab credential source; takes precedence over <paramref name="password"/>.</param>
/// <param name="s4u">S4U target principal for the third ticket request.</param>
/// <param name="encodeNego">Forwarded to <c>ValidateTicket</c> for the second validation only.</param>
/// <param name="caching">Forwarded to <c>CreateClient</c>.</param>
/// <param name="includePac">When false the PAC request flag is cleared and <c>ValidateTicket</c> is told not to expect one.</param>
/// <param name="cert">Certificate credential source (PKINIT); takes precedence over the other two.</param>
/// <param name="spn">Service principal name to request tickets for.</param>
/// <param name="keyAgreement">Key agreement used with <paramref name="cert"/>.</param>
/// <param name="allowWeakCrypto">Forwarded to <c>CreateClient</c>.</param>
/// <param name="useWeakCrypto">Forwarded to <c>CreateClient</c> (restricts requested enctypes to RC4).</param>
/// <param name="mutualAuth">Requests MutualRequired AP options and tells <c>ValidateTicket</c> to expect mutual auth.</param>
/// <param name="s4uTicket">Evidence ticket attached to the S4U request.</param>
/// <param name="useKrb5TicketCache">Forwarded to <c>CreateClient</c> to select the krb5 cache.</param>
internal static async Task RequestAndValidateTicketsWithCaches(
    KdcListener listener,
    string user,
    string password = null,
    string overrideKdc = null,
    KeyTable keytab = null,
    string s4u = null,
    bool encodeNego = false,
    bool caching = false,
    bool includePac = true,
    X509Certificate2 cert = null,
    string spn = FakeAppServiceSpn,
    KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
    bool allowWeakCrypto = false,
    bool useWeakCrypto = false,
    bool mutualAuth = true,
    KrbTicket s4uTicket = null,
    bool useKrb5TicketCache = false
)
{
    KerberosCredential kerbCred = BuildCredential();

    KerberosClient client = CreateClient(
        listener,
        overrideKdc,
        caching: caching,
        allowWeakCrypto: allowWeakCrypto,
        useWeakCrypto: useWeakCrypto,
        useKrb5TicketCache: useKrb5TicketCache
    );

    // Same AP options for all three requests; 0 means no mutual authentication requested.
    var apOptions = mutualAuth ? ApOptions.MutualRequired : 0;

    using (kerbCred as IDisposable)
    using (client)
    {
        if (!includePac)
        {
            client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
        }

        await client.Authenticate(kerbCred);

        var ticket = await client.GetServiceTicket(
            new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = apOptions }
        );

        await ValidateTicket(ticket, includePac: includePac, spn: spn, mutualAuth: mutualAuth);

        // Renew, then request again so the post-renewal ticket is validated too (with nego encoding this time).
        await client.RenewTicket();

        ticket = await client.GetServiceTicket(
            new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = apOptions }
        );

        await ValidateTicket(ticket, encodeNego, includePac: includePac, spn: spn, mutualAuth: mutualAuth);

        ticket = await client.GetServiceTicket(
            new RequestServiceTicket
            {
                ServicePrincipalName = spn,
                ApOptions = apOptions,
                S4uTarget = s4u,
                S4uTicket = s4uTicket
            }
        );

        await ValidateTicket(ticket, includePac: includePac, spn: spn, mutualAuth: mutualAuth);
    }

    // NOTE(review): kerbCred may already be disposed at this point (see the using above);
    // this read relies on PrincipalNameType still being accessible afterwards — confirm.
    var expectedNameType = user.Contains("-fallback")
        ? PrincipalNameType.NT_PRINCIPAL
        : PrincipalNameType.NT_ENTERPRISE;

    Assert.AreEqual(expectedNameType, kerbCred.PrincipalNameType);

    // Credential precedence: certificate, then keytab, then password.
    KerberosCredential BuildCredential()
    {
        if (cert != null)
        {
            return new TrustedAsymmetricCredential(cert, user) { KeyAgreement = keyAgreement };
        }

        if (keytab != null)
        {
            return new KeytabCredential(user, keytab);
        }

        return new KerberosPasswordCredential(user, password);
    }
}
/// <summary>
/// Runs <see cref="RequestAndValidateTicketsWithCaches"/> with the in-memory ticket cache and,
/// when <paramref name="caching"/> is set, a second time with the krb5 ticket cache so both
/// cache implementations are exercised with identical inputs.
/// </summary>
/// <param name="listener">In-memory KDC, or null to use the network KDC selected by <paramref name="overrideKdc"/>.</param>
/// <param name="user">Principal to authenticate as.</param>
/// <param name="password">Used only when neither <paramref name="cert"/> nor <paramref name="keytab"/> is given.</param>
/// <param name="overrideKdc">KDC address forwarded to the client factory.</param>
/// <param name="keytab">Keytab credential source.</param>
/// <param name="s4u">S4U target principal for the S4U request.</param>
/// <param name="encodeNego">Forwarded to ticket validation.</param>
/// <param name="caching">Enables client-side caching and triggers the second, krb5-cache run.</param>
/// <param name="includePac">Whether a PAC is requested and expected.</param>
/// <param name="cert">Certificate credential source (PKINIT).</param>
/// <param name="spn">Service principal name to request tickets for.</param>
/// <param name="keyAgreement">Key agreement used with <paramref name="cert"/>.</param>
/// <param name="allowWeakCrypto">Forwarded to the client factory.</param>
/// <param name="useWeakCrypto">Forwarded to the client factory.</param>
/// <param name="mutualAuth">Whether mutual authentication is requested and expected.</param>
/// <param name="s4uTicket">Evidence ticket attached to the S4U request.</param>
internal static async Task RequestAndValidateTickets(
    KdcListener listener,
    string user,
    string password = null,
    string overrideKdc = null,
    KeyTable keytab = null,
    string s4u = null,
    bool encodeNego = false,
    bool caching = false,
    bool includePac = true,
    X509Certificate2 cert = null,
    string spn = FakeAppServiceSpn,
    KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
    bool allowWeakCrypto = false,
    bool useWeakCrypto = false,
    bool mutualAuth = true,
    KrbTicket s4uTicket = null
)
{
    await RunOnce(useKrb5TicketCache: false);

    // The krb5 cache only matters when caching is on, so the second pass is skipped otherwise.
    if (caching)
    {
        await RunOnce(useKrb5TicketCache: true);
    }

    Task RunOnce(bool useKrb5TicketCache) => RequestAndValidateTicketsWithCaches(
        listener: listener,
        user: user,
        password: password,
        overrideKdc: overrideKdc,
        keytab: keytab,
        s4u: s4u,
        encodeNego: encodeNego,
        caching: caching,
        includePac: includePac,
        cert: cert,
        spn: spn,
        keyAgreement: keyAgreement,
        allowWeakCrypto: allowWeakCrypto,
        useWeakCrypto: useWeakCrypto,
        mutualAuth: mutualAuth,
        s4uTicket: s4uTicket,
        useKrb5TicketCache: useKrb5TicketCache
    );
}