/// <summary>
/// Query Kerberos Ticket cache.
/// </summary>
/// <param name="logon_id">The Logon Session ID to query.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The list of cached tickets.</returns>
public static NtResult <KerberosExternalTicket[]> QueryTicketCache(Luid logon_id, bool throw_on_error)
{
using (var handle = SafeLsaLogonHandle.Connect(throw_on_error)) {
if (!handle.IsSuccess)
{
return(handle.Cast <KerberosExternalTicket[]>());
}
var list = QueryTicketCacheList(handle.Result, logon_id, throw_on_error);
if (!list.IsSuccess)
{
return(list.Cast <KerberosExternalTicket[]>());
}
var tickets = new List <KerberosExternalTicket>();
foreach (var info in list.Result)
{
var ticket = QueryCachedTicket(handle.Result, $"{info.ServerName}@{info.RealmName}", KERB_RETRIEVE_TICKET_FLAGS.UseCacheOnly,
logon_id, new SecHandle(), false);
if (ticket.IsSuccess)
{
tickets.Add(ticket.Result);
}
}
return(tickets.ToArray().CreateResult());
}
}
private static NtResult <NtToken> LsaLogonUser(SecurityLogonType type, string auth_package, string origin_name,
SafeBuffer buffer, IEnumerable <UserGroup> local_groups, bool throw_on_error)
{
using (var list = new DisposableList()) {
var hlsa = list.AddResource(SafeLsaLogonHandle.Connect(throw_on_error));
if (!hlsa.IsSuccess)
{
return(hlsa.Cast <NtToken>());
}
var auth_pkg = hlsa.Result.LookupAuthPackage(auth_package, throw_on_error);
if (!auth_pkg.IsSuccess)
{
return(auth_pkg.Cast <NtToken>());
}
var groups = local_groups == null ? SafeTokenGroupsBuffer.Null
: list.AddResource(SafeTokenGroupsBuffer.Create(local_groups));
TOKEN_SOURCE tokenSource = new TOKEN_SOURCE("NT.NET");
SecurityNativeMethods.AllocateLocallyUniqueId(out tokenSource.SourceIdentifier);
QUOTA_LIMITS quota_limits = new QUOTA_LIMITS();
return(SecurityNativeMethods.LsaLogonUser(hlsa.Result, new LsaString(origin_name),
type, auth_pkg.Result, buffer, buffer.GetLength(), groups,
tokenSource, out SafeLsaReturnBufferHandle profile,
out int cbProfile, out Luid logon_id, out SafeKernelObjectHandle token_handle,
quota_limits, out NtStatus subStatus).CreateResult(throw_on_error, () => {
using (profile) {
return NtToken.FromHandle(token_handle);
}
}));
}
}
internal static NtResult <KerberosTicketCacheInfo[]> QueryTicketCacheList(Luid logon_id, bool throw_on_error)
{
using (var handle = SafeLsaLogonHandle.Connect(throw_on_error)) {
if (!handle.IsSuccess)
{
return(handle.Cast <KerberosTicketCacheInfo[]>());
}
return(QueryTicketCacheList(handle.Result, logon_id, throw_on_error));
}
}
/// <summary>
/// Get a Kerberos Ticket.
/// </summary>
/// <param name="target_name">The target service for the Ticket.</param>
/// <param name="cached_only">True to only query for cached tickets.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The Kerberos Ticket.</returns>
public static NtResult <KerberosExternalTicket> GetTicket(string target_name, bool cached_only, bool throw_on_error)
{
using (var handle = SafeLsaLogonHandle.Connect(throw_on_error)) {
if (!handle.IsSuccess)
{
return(handle.Cast <KerberosExternalTicket>());
}
Luid luid = NtToken.PseudoEffectiveToken.AuthenticationId;
KERB_RETRIEVE_TICKET_FLAGS flags = cached_only ? KERB_RETRIEVE_TICKET_FLAGS.UseCacheOnly : KERB_RETRIEVE_TICKET_FLAGS.Default;
return(QueryCachedTicket(handle.Result, target_name, flags,
luid, new SecHandle(), throw_on_error));
}
}
