/// Authenticates to the Kerberos domain and obtains
/// a Service Ticket to the service identified by the
/// configured Service Principal Name (SPN).
public async Task AuthenticateToKerberosAsync()
{
var kCred = new KerberosPasswordCredential(
_kerberosOptions.Username, _kerberosOptions.Password, _kerberosOptions.Domain);
var kClient = _options.KerberosOptions?.Client;
if (kClient == null)
{
kClient = new KerberosClient();
}
try
{
await kClient.Authenticate(kCred);
_serviceTicket = await kClient.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = _kerberosOptions.MapperServiceSpn,
ApOptions = ApOptions.MutualRequired,
});
_serviceTicketToken = ByteString.CopyFrom(_serviceTicket.ApReq.EncodeApplication().ToArray());
}
finally
{
if (kClient != _options.KerberosOptions?.Client)
{
kClient.Dispose();
}
}
}
protected static async Task ValidateTicket(
ApplicationSessionContext context,
bool encodeNego = false,
bool includePac = true,
string spn = FakeAppServiceSpn
)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var ticket = context.ApReq;
byte[] encoded;
if (encodeNego)
{
encoded = ticket.EncodeGssApi().ToArray();
}
else
{
encoded = ticket.EncodeApplication().ToArray();
}
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
FakeAdminAtCorpPassword,
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { spn }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
Assert.IsNotNull(validated);
var sidClaim = validated.FindFirst(ClaimTypes.Sid);
if (includePac)
{
Assert.AreEqual("S-1-5-123-456-789-12-321-888", sidClaim?.Value);
}
else
{
Assert.IsNull(sidClaim);
}
var sessionKey = context.AuthenticateServiceResponse(validated.ApRep);
Assert.IsNotNull(sessionKey);
}
private void DescribeApReq(ApplicationSessionContext delegated)
{
var properties = new List <(string, object)>()
{
};
GetObjectProperties(
new object[]
{
delegated,
delegated.ApReq,
delegated.ApReq.Ticket,
delegated.ApReq.Ticket.SName,
delegated.ApReq.Ticket.EncryptedPart,
delegated.ApReq.Authenticator,
delegated.SessionKey
},
properties
);
this.WriteProperties(properties);
}
private static async Task ValidateTicket(ApplicationSessionContext context, bool encodeNego = false)
{
var ticket = context.ApReq;
byte[] encoded;
if (encodeNego)
{
encoded = ticket.EncodeGssApi().ToArray();
}
else
{
encoded = ticket.EncodeApplication().ToArray();
}
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { "host/appservice.corp.identityintervention.com" }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
Assert.IsNotNull(validated);
Assert.AreEqual(validated.FindFirst(ClaimTypes.Sid).Value, "S-1-5-123-456-789-12-321-888");
var sessionKey = context.AuthenticateServiceResponse(validated.ApRep);
Assert.IsNotNull(sessionKey);
}
private async Task <KerberosIdentity> ProcessAsMiddleBox(Krb5Config config, ILoggerFactory logger, ApplicationSessionContext serviceTicket)
{
var serviceCred = new KerberosPasswordCredential(this.ServicePrincipalSamAccountName, this.ServicePrincipalNamePassword, serviceTicket.ApReq.Ticket.Realm);
var ping = await KerberosPing.Ping(serviceCred, config, logger);
serviceCred.IncludePreAuthenticationHints(ping.Error.DecodePreAuthentication());
var keytab = new KeyTable(serviceCred.CreateKey());
var authenticator = new KerberosAuthenticator(this.ServicePrincipalSamAccountName, keytab, config, logger);
var identity = await authenticator.Authenticate(serviceTicket.ApReq.EncodeGssApi()) as KerberosIdentity;
return(identity);
}
