public static KrbAsReq CreateAsReq(KerberosCredential credential, AuthenticationOptions options)
{
if (credential == null)
{
throw new ArgumentNullException(nameof(credential));
}
var config = credential.Configuration ?? Krb5Config.Default();
var kdcOptions = (KdcOptions)(options & ~AuthenticationOptions.AllAuthentication);
var pacRequest = new KrbPaPacRequest
{
IncludePac = options.HasFlag(AuthenticationOptions.IncludePacRequest)
};
var padata = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_PAC_REQUEST,
Value = pacRequest.Encode()
}
};
var asreq = new KrbAsReq()
{
Body = new KrbKdcReqBody
{
Addresses = IncludeAddresses(config),
CName = ExtractCName(credential),
EType = KerberosConstants.GetPreferredETypes(config.Defaults.DefaultTicketEncTypes).ToArray(),
KdcOptions = kdcOptions,
Nonce = KerberosConstants.GetNonce(),
RTime = CalculateRenewTime(kdcOptions, config),
Realm = credential.Domain,
SName = new KrbPrincipalName
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { "krbtgt", credential.Domain }
},
Till = CalculateExpirationTime(config)
},
PaData = padata.ToArray()
};
if (options.HasFlag(AuthenticationOptions.PreAuthenticate))
{
credential.TransformKdcReq(asreq);
}
return(asreq);
}
public static KrbTgsReq CreateTgsReq(
RequestServiceTicket rst,
KrbEncryptionKey tgtSessionKey,
KrbKdcRep kdcRep,
out KrbEncryptionKey sessionKey
)
{
if (kdcRep == null)
{
throw new ArgumentNullException(nameof(kdcRep));
}
if (tgtSessionKey == null)
{
throw new ArgumentNullException(nameof(tgtSessionKey));
}
var sname = rst.ServicePrincipalName.Split('/', '@');
var tgt = kdcRep.Ticket;
var additionalTickets = new List <KrbTicket>();
if (rst.KdcOptions.HasFlag(KdcOptions.EncTktInSkey) && rst.UserToUserTicket != null)
{
additionalTickets.Add(rst.UserToUserTicket);
}
if (!string.IsNullOrWhiteSpace(rst.S4uTarget))
{
rst.KdcOptions |= KdcOptions.Forwardable;
}
if (rst.S4uTicket != null)
{
rst.KdcOptions |= KdcOptions.ConstrainedDelegation;
additionalTickets.Add(rst.S4uTicket);
}
var config = rst.Configuration ?? Krb5Config.Default();
var body = new KrbKdcReqBody
{
EType = KerberosConstants.GetPreferredETypes(config.Defaults.DefaultTicketEncTypes).ToArray(),
KdcOptions = rst.KdcOptions,
Nonce = KerberosConstants.GetNonce(),
Realm = rst.Realm,
SName = new KrbPrincipalName()
{
Type = PrincipalNameType.NT_SRV_INST,
Name = sname
},
Till = KerberosConstants.EndOfTime,
CName = rst.CNameHint
};
if (additionalTickets.Count > 0)
{
body.AdditionalTickets = additionalTickets.ToArray();
}
var bodyChecksum = KrbChecksum.Create(
body.Encode(),
tgtSessionKey.AsKey(),
KeyUsage.PaTgsReqChecksum
);
var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, out sessionKey);
var pacOptions = new KrbPaPacOptions
{
Flags = PacOptions.ResourceBasedConstrainedDelegation | PacOptions.Claims | PacOptions.BranchAware
}.Encode();
var paData = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_TGS_REQ,
Value = tgtApReq.EncodeApplication()
},
new KrbPaData
{
Type = PaDataType.PA_PAC_OPTIONS,
Value = pacOptions
}
};
if (!string.IsNullOrWhiteSpace(rst.S4uTarget))
{
paData.Add(new KrbPaData
{
Type = PaDataType.PA_FOR_USER,
Value = EncodeS4URequest(rst.S4uTarget, tgt.Realm, tgtSessionKey)
});
}
var tgs = new KrbTgsReq
{
PaData = paData.ToArray(),
Body = body
};
return(tgs);
}