/// Authenticates to the Kerberos domain and obtains /// a Service Ticket to the service identified by the /// configured Service Principal Name (SPN). public async Task AuthenticateToKerberosAsync() { var kCred = new KerberosPasswordCredential( _kerberosOptions.Username, _kerberosOptions.Password, _kerberosOptions.Domain); var kClient = _options.KerberosOptions?.Client; if (kClient == null) { kClient = new KerberosClient(); } try { await kClient.Authenticate(kCred); _serviceTicket = await kClient.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = _kerberosOptions.MapperServiceSpn, ApOptions = ApOptions.MutualRequired, }); _serviceTicketToken = ByteString.CopyFrom(_serviceTicket.ApReq.EncodeApplication().ToArray()); } finally { if (kClient != _options.KerberosOptions?.Client) { kClient.Dispose(); } } }
protected static async Task ValidateTicket( ApplicationSessionContext context, bool encodeNego = false, bool includePac = true, string spn = FakeAppServiceSpn ) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var ticket = context.ApReq; byte[] encoded; if (encodeNego) { encoded = ticket.EncodeGssApi().ToArray(); } else { encoded = ticket.EncodeApplication().ToArray(); } var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( FakeAdminAtCorpPassword, principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { spn } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); Assert.IsNotNull(validated); var sidClaim = validated.FindFirst(ClaimTypes.Sid); if (includePac) { Assert.AreEqual("S-1-5-123-456-789-12-321-888", sidClaim?.Value); } else { Assert.IsNull(sidClaim); } var sessionKey = context.AuthenticateServiceResponse(validated.ApRep); Assert.IsNotNull(sessionKey); }
private void DescribeApReq(ApplicationSessionContext delegated) { var properties = new List <(string, object)>() { }; GetObjectProperties( new object[] { delegated, delegated.ApReq, delegated.ApReq.Ticket, delegated.ApReq.Ticket.SName, delegated.ApReq.Ticket.EncryptedPart, delegated.ApReq.Authenticator, delegated.SessionKey }, properties ); this.WriteProperties(properties); }
private static async Task ValidateTicket(ApplicationSessionContext context, bool encodeNego = false) { var ticket = context.ApReq; byte[] encoded; if (encodeNego) { encoded = ticket.EncodeGssApi().ToArray(); } else { encoded = ticket.EncodeApplication().ToArray(); } var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { "host/appservice.corp.identityintervention.com" } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); Assert.IsNotNull(validated); Assert.AreEqual(validated.FindFirst(ClaimTypes.Sid).Value, "S-1-5-123-456-789-12-321-888"); var sessionKey = context.AuthenticateServiceResponse(validated.ApRep); Assert.IsNotNull(sessionKey); }
private async Task <KerberosIdentity> ProcessAsMiddleBox(Krb5Config config, ILoggerFactory logger, ApplicationSessionContext serviceTicket) { var serviceCred = new KerberosPasswordCredential(this.ServicePrincipalSamAccountName, this.ServicePrincipalNamePassword, serviceTicket.ApReq.Ticket.Realm); var ping = await KerberosPing.Ping(serviceCred, config, logger); serviceCred.IncludePreAuthenticationHints(ping.Error.DecodePreAuthentication()); var keytab = new KeyTable(serviceCred.CreateKey()); var authenticator = new KerberosAuthenticator(this.ServicePrincipalSamAccountName, keytab, config, logger); var identity = await authenticator.Authenticate(serviceTicket.ApReq.EncodeGssApi()) as KerberosIdentity; return(identity); }