private void UpdateDefaultSettings()
{
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.AES256_CTS_HMAC_SHA1_96,
EncryptionType.AES128_CTS_HMAC_SHA1_96,
EncryptionType.RC4_HMAC,
EncryptionType.RC4_HMAC_EXP,
EncryptionType.UnusedValue_135,
EncryptionType.DES_CBC_MD5,
};
KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf <KerbInt32> etype = new Asn1SequenceOf <KerbInt32>(etypes);
Context.SupportedEType = etype;
this.Context.Pvno = KerberosConstValue.KERBEROSV5;
contextSizes = new SecurityPackageContextSizes();
contextSizes.MaxTokenSize = KerberosConstValue.MAX_TOKEN_SIZE;
contextSizes.MaxSignatureSize = KerberosConstValue.MAX_SIGNATURE_SIZE;
contextSizes.BlockSize = KerberosConstValue.BLOCK_SIZE;
contextSizes.SecurityTrailerSize = KerberosConstValue.SECURITY_TRAILER_SIZE;
}
public AddRequest(
LDAPDN entry,
Asn1SequenceOf<AddRequest_attrs_element> attrs)
{
this.entry = entry;
this.attrs = attrs;
}
public ModifyRequest(
LDAPDN modifyobject,
Asn1SequenceOf<ModifyRequest_modifications_element> modifications)
{
this.modifyobject = modifyobject;
this.modifications = modifications;
}
/// <summary>
/// Constructs a sort control with multiple sort keys.
/// </summary>
/// <param name="keys An">
/// array of sort key objects, to be processed in
/// order.
/// </param>
/// <param name="critical True">
/// if the search operation is to fail if the
/// server does not support this control.
/// </param>
public LdapSortControl(LdapSortKey[] keys, bool critical)
: base(RequestOid, critical, null)
{
var sortKeyList = new Asn1SequenceOf();
for (var i = 0; i < keys.Length; i++)
{
var key = new Asn1Sequence();
key.Add(new Asn1OctetString(keys[i].Key));
if (keys[i].MatchRule != null)
{
key.Add(new Asn1Tagged(
new Asn1Identifier(Asn1Identifier.Context, false, OrderingRule),
new Asn1OctetString(keys[i].MatchRule), false));
}
if (keys[i].Reverse)
{
// only add if true
key.Add(new Asn1Tagged(
new Asn1Identifier(Asn1Identifier.Context, false, ReverseOrder),
new Asn1Boolean(true), false));
}
sortKeyList.Add(key);
}
SetValue(sortKeyList.GetEncoding(new LberEncoder()));
}
public KDC_REQ_BODY(
KDCOptions param0,
PrincipalName param1,
Realm param2,
PrincipalName param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerbUInt32 param7,
Asn1SequenceOf <KerbInt32> param8,
HostAddresses param9,
EncryptedData param10,
Asn1SequenceOf <Ticket> param11)
{
this.kdc_options = param0;
this.cname = param1;
this.realm = param2;
this.sname = param3;
this.from = param4;
this.till = param5;
this.rtime = param6;
this.nonce = param7;
this.etype = param8;
this.addresses = param9;
this.enc_authorization_data = param10;
this.additional_tickets = param11;
}
/// <summary>
/// Creates a ModifyRequest packet.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="objectDn">The DN of object to be modified.</param>
/// <param name="modificationList">Modification list of attributes.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsModifyRequestPacket CreateModifyRequest(
AdtsLdapContext context,
string objectDn,
params MsLdap.DirectoryAttributeModification[] modificationList)
{
int length = (modificationList != null) ? modificationList.Length : 0;
ModifyRequest_modifications_element[] modifyRequestArray = new ModifyRequest_modifications_element[length];
for (int i = 0; i < length; i++)
{
modifyRequestArray[i] = new ModifyRequest_modifications_element(
new ModifyRequest_modifications_element_operation((long)modificationList[i].Operation),
new ModifyRequest_modifications_element_modification(
new AttributeType(modificationList[i].Name),
CreateAttributeValueSet((string[])modificationList[i].GetValues(typeof(string)))));
}
Asn1SequenceOf <ModifyRequest_modifications_element> modificationSequence = new Asn1SequenceOf <ModifyRequest_modifications_element>(modifyRequestArray);
ModifyRequest modifyRequest = new ModifyRequest(
new LDAPDN(objectDn ?? string.Empty),
modificationSequence);
LDAPMessage_protocolOp operation = new LDAPMessage_protocolOp();
operation.SetData(LDAPMessage_protocolOp.modifyRequest, modifyRequest);
LDAPMessage message = new LDAPMessage(new MessageID(context.MessageId), operation);
AdtsModifyRequestPacket packet = new AdtsModifyRequestPacket();
packet.ldapMessagev2 = message;
packet.messageId = context.MessageId;
return(packet);
}
public ModifyRequest(
LDAPDN object1,
Asn1SequenceOf<ModifyRequest_modification_element> modification)
{
this.object1 = object1;
this.modification = modification;
}
public EncASRepPart(
EncryptionKey param0,
LastReq param1,
KerbUInt32 param2,
KerberosTime param3,
TicketFlags param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
Realm param9,
PrincipalName param10,
HostAddresses param11,
Asn1SequenceOf<PA_DATA> param12)
{
this.key = param0;
this.last_req = param1;
this.nonce = param2;
this.key_expiration = param3;
this.flags = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.srealm = param9;
this.sname = param10;
this.caddr = param11;
this.pa_datas = param12;
}
/// <summary> Encode an array of LdapModifications to ASN.1.
///
/// </summary>
/// <param name="mods">an array of LdapModification objects
///
/// </param>
/// <returns> an Asn1SequenceOf object containing the modifications.
/// </returns>
static private Asn1SequenceOf encodeModifications(LdapModification[] mods)
{
// Convert Java-API LdapModification[] to RFC2251 SEQUENCE OF SEQUENCE
Asn1SequenceOf rfcMods = new Asn1SequenceOf(mods.Length);
for (int i = 0; i < mods.Length; i++)
{
LdapAttribute attr = mods[i].Attribute;
// place modification attribute values in Asn1SetOf
Asn1SetOf vals = new Asn1SetOf(attr.size());
if (attr.size() > 0)
{
System.Collections.IEnumerator attrEnum = attr.ByteValues;
while (attrEnum.MoveNext())
{
vals.add(new RfcAttributeValue((sbyte[])attrEnum.Current));
}
}
// create SEQUENCE containing mod operation and attr type and vals
Asn1Sequence rfcMod = new Asn1Sequence(2);
rfcMod.add(new Asn1Enumerated(mods[i].Op));
rfcMod.add(new RfcAttributeTypeAndValues(new RfcAttributeDescription(attr.Name), vals));
// place SEQUENCE into SEQUENCE OF
rfcMods.add(rfcMod);
}
return(rfcMods);
}
public SearchResponse_entry(
LDAPDN objectName,
Asn1SequenceOf<SearchResponse_entry_attributes_element> attributes)
{
this.objectName = objectName;
this.attributes = attributes;
}
public KDC_REQ_BODY(
KDCOptions param0,
PrincipalName param1,
Realm param2,
PrincipalName param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerbUInt32 param7,
Asn1SequenceOf<KerbInt32> param8,
HostAddresses param9,
EncryptedData param10,
Asn1SequenceOf<Ticket> param11)
{
this.kdc_options = param0;
this.cname = param1;
this.realm = param2;
this.sname = param3;
this.from = param4;
this.till = param5;
this.rtime = param6;
this.nonce = param7;
this.etype = param8;
this.addresses = param9;
this.enc_authorization_data = param10;
this.additional_tickets = param11;
}
public AddRequest(
LDAPDN entry,
Asn1SequenceOf <AddRequest_attrs_element> attrs)
{
this.entry = entry;
this.attrs = attrs;
}
public SubstringFilter(
AttributeType type,
Asn1SequenceOf <SubstringFilter_substrings_element> substrings)
{
this.type = type;
this.substrings = substrings;
}
public ModifyRequest(
LDAPDN modifyobject,
Asn1SequenceOf <ModifyRequest_modifications_element> modifications)
{
this.modifyobject = modifyobject;
this.modifications = modifications;
}
/// <summary>
/// Creates a SearchResultEntry packet.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="matchedDn">Matched DN.</param>
/// <param name="attributes">The attributes and values that are contained in the entry.</param>
/// <returns>The packet that contains the response.</returns>
internal override AdtsSearchResultEntryPacket CreateSearchedResultEntry(
AdtsLdapContext context,
string matchedDn,
params KeyValuePair <string, string[]>[] attributes)
{
int length = (attributes != null) ? attributes.Length : 0;
SearchResponse_entry_attributes_element[] attributesElementArray = new SearchResponse_entry_attributes_element[length];
for (int i = 0; i < length; i++)
{
attributesElementArray[i] = new SearchResponse_entry_attributes_element(
new AttributeType(attributes[i].Key),
CreateAttributeValueSet(attributes[i].Value));
}
Asn1SequenceOf <SearchResponse_entry_attributes_element> attributesElements = new Asn1SequenceOf <SearchResponse_entry_attributes_element>(attributesElementArray);
SearchResponse_entry entry = new SearchResponse_entry(
new LDAPDN(matchedDn ?? string.Empty),
attributesElements);
LDAPMessage_protocolOp operation = new LDAPMessage_protocolOp();
operation.SetData(LDAPMessage_protocolOp.searchResponse, new SearchResponse(SearchResponse.entry, entry));
LDAPMessage message = new LDAPMessage(new MessageID(context.MessageId), operation);
AdtsSearchResultEntryPacket packet = new AdtsSearchResultEntryPacket();
packet.ldapMessagev2 = message;
packet.messageId = context.MessageId;
return(packet);
}
private void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPadata = null, AuthorizationData dataInAuthentiator = null, AuthorizationData dataInEncAuthData = null, MsgType msgType = MsgType.KRB_TGS_REQ)
{
if (string.IsNullOrEmpty(sName))
{
throw new ArgumentNullException("sName");
}
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); // almost same as AS request
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
ChecksumType checksumType = KerberosUtility.GetChecksumType(this.Context.SelectedEType);
PA_DATA paTgsReq = CreatePaTgsReqest(checksumType, bodyBuffer.Data, dataInAuthentiator); // use AS session key encrypt authenticator.
Asn1SequenceOf <PA_DATA> tempPaData = null;
if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paTgsReq });
}
else
{
PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
paDatas[seqPadata.Elements.Length] = paTgsReq;
tempPaData = new Asn1SequenceOf <PA_DATA>(paDatas);
}
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);
tgsRequest.Request.msg_type.Value = (long)msgType;
this.client.SendPdu(tgsRequest);
}
/// <summary>
/// Construct a Kerberos test client
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
public KerberosFunctionalClient(string domain, string cName, string password, KerberosAccountType accountType, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt, ITestSite baseTestSite,string salt = null)
: base(domain, cName, password, accountType, kdcAddress, kdcPort, transportType, oidPkt, salt)
{
testSite = baseTestSite;
if (accountType == KerberosAccountType.Device)
{
testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using computer account: {0}@{1}.",
cName, domain);
}
else
{
testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using user account: {0}@{1}.",
cName, domain);
}
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.AES256_CTS_HMAC_SHA1_96,
EncryptionType.AES128_CTS_HMAC_SHA1_96,
EncryptionType.RC4_HMAC,
EncryptionType.RC4_HMAC_EXP,
EncryptionType.DES_CBC_CRC,
EncryptionType.DES_CBC_MD5
};
KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
Context.SupportedEType = etype;
Context.Pvno = KerberosConstValue.KERBEROSV5;
}
public PrincipalName(
KerbInt32 param0,
Asn1SequenceOf <KerberosString> param1)
{
this.name_type = param0;
this.name_string = param1;
}
public SearchResponse_entry(
LDAPDN objectName,
Asn1SequenceOf <SearchResponse_entry_attributes_element> attributes)
{
this.objectName = objectName;
this.attributes = attributes;
}
public ModifyRequest(
LDAPDN object1,
Asn1SequenceOf <ModifyRequest_modification_element> modification)
{
this.object1 = object1;
this.modification = modification;
}
public EncASRepPart(
EncryptionKey param0,
LastReq param1,
KerbUInt32 param2,
KerberosTime param3,
TicketFlags param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
Realm param9,
PrincipalName param10,
HostAddresses param11,
Asn1SequenceOf <PA_DATA> param12)
{
this.key = param0;
this.last_req = param1;
this.nonce = param2;
this.key_expiration = param3;
this.flags = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.srealm = param9;
this.sname = param10;
this.caddr = param11;
this.pa_datas = param12;
}
protected void TypicalASExchange(KerberosTestClient client, KdcOptions options)
{
//Create and send AS request
PaPacRequest paPacRequest = new PaPacRequest(true);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims);
Asn1SequenceOf <PA_DATA> paData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });
client.SendAsRequest(options, paData);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create pa-enc-timestamp
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
this.client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
paData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
//Create and send AS request
client.SendAsRequest(options, paData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
}
/// <summary>
/// Creates an AddRequest packet.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="objectDn">The DN of the object to be added.</param>
/// <param name="attributes">Attributes to be set.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsAddRequestPacket CreateAddRequest(
AdtsLdapContext context,
string objectDn,
params KeyValuePair <string, string[]>[] attributes)
{
int length = (attributes != null) ? attributes.Length : 0;
AddRequest_attrs_element[] addrequestAttrsArray = new AddRequest_attrs_element[length];
for (int i = 0; i < length; i++)
{
addrequestAttrsArray[i] = new AddRequest_attrs_element(
new AttributeType(attributes[i].Key),
CreateAttributeValueSet(attributes[i].Value));
}
Asn1SequenceOf <AddRequest_attrs_element> attributeList = new Asn1SequenceOf <AddRequest_attrs_element>(addrequestAttrsArray);
AddRequest addRequest = new AddRequest(
new LDAPDN(objectDn ?? string.Empty),
attributeList);
LDAPMessage_protocolOp operation = new LDAPMessage_protocolOp();
operation.SetData(LDAPMessage_protocolOp.addRequest, addRequest);
LDAPMessage message = new LDAPMessage(new MessageID(context.MessageId), operation);
AdtsAddRequestPacket packet = new AdtsAddRequestPacket();
packet.ldapMessagev2 = message;
packet.messageId = context.MessageId;
return(packet);
}
public SubstringFilter(
AttributeType type,
Asn1SequenceOf<SubstringFilter_substrings_element> substrings)
{
this.type = type;
this.substrings = substrings;
}
//*************************************************************************
// Constructor for ModifyRequest
//*************************************************************************
/// <summary> </summary>
public RfcModifyRequest(RfcLdapDN object_Renamed, Asn1SequenceOf modification)
: base(2)
{
add(object_Renamed);
add(modification);
return;
}
public PrincipalName(
KerbInt32 param0,
Asn1SequenceOf<KerberosString> param1)
{
this.name_type = param0;
this.name_string = param1;
}
/// <summary>
/// Constructs a sort control with multiple sort keys.
/// </summary>
/// <param name="keys An">
/// array of sort key objects, to be processed in
/// order.
/// </param>
/// <param name="critical True">
/// if the search operation is to fail if the
/// server does not support this control.
/// </param>
public LdapSortControl(LdapSortKey[] keys, bool critical) : base(requestOID, critical, null)
{
var sortKeyList = new Asn1SequenceOf();
for (var i = 0; i < keys.Length; i++)
{
var key = new Asn1Sequence();
key.add(new Asn1OctetString(keys[i].Key));
if ((object)keys[i].MatchRule != null)
{
key.add(new Asn1Tagged(new Asn1Identifier(Asn1Identifier.CONTEXT, false, ORDERING_RULE),
new Asn1OctetString(keys[i].MatchRule), false));
}
if (keys[i].Reverse)
{
// only add if true
key.add(new Asn1Tagged(new Asn1Identifier(Asn1Identifier.CONTEXT, false, REVERSE_ORDER),
new Asn1Boolean(true), false));
}
sortKeyList.add(key);
}
setValue(sortKeyList.getEncoding(new LBEREncoder()));
}
/// <summary>
/// Creates an AddRequest packet.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="objectDn">The DN of the object to be added.</param>
/// <param name="attributes">Attributes to be set.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsAddRequestPacket CreateAddRequest(
AdtsLdapContext context,
string objectDn,
params KeyValuePair<string, string[]>[] attributes)
{
int length = (attributes != null) ? attributes.Length : 0;
AddRequest_attrs_element[] addrequestAttrsArray = new AddRequest_attrs_element[length];
for (int i = 0; i < length; i++)
{
addrequestAttrsArray[i] = new AddRequest_attrs_element(
new AttributeType(attributes[i].Key),
CreateAttributeValueSet(attributes[i].Value));
}
Asn1SequenceOf<AddRequest_attrs_element> attributeList = new Asn1SequenceOf<AddRequest_attrs_element>(addrequestAttrsArray);
AddRequest addRequest = new AddRequest(
new LDAPDN(objectDn ?? string.Empty),
attributeList);
LDAPMessage_protocolOp operation = new LDAPMessage_protocolOp();
operation.SetData(LDAPMessage_protocolOp.addRequest, addRequest);
LDAPMessage message = new LDAPMessage(new MessageID(context.MessageId), operation);
AdtsAddRequestPacket packet = new AdtsAddRequestPacket();
packet.ldapMessagev2 = message;
packet.messageId = context.MessageId;
return packet;
}
private static Asn1SequenceOf EncodeModifications(LdapModification[] mods)
{
var rfcMods = new Asn1SequenceOf(mods.Length);
foreach (var t in mods)
{
var attr = t.Attribute;
var vals = new Asn1SetOf(attr.Size());
if (attr.Size() > 0)
{
foreach (var val in attr.ByteValueArray)
{
vals.Add(new Asn1OctetString(val));
}
}
var rfcMod = new Asn1Sequence(2);
rfcMod.Add(new Asn1Enumerated((int)t.Op));
rfcMod.Add(new RfcAttributeTypeAndValues(attr.Name, vals));
rfcMods.Add(rfcMod);
}
return(rfcMods);
}
/// <summary>
/// Encode an array of LdapModifications to ASN.1.
/// </summary>
/// <param name="mods">
/// an array of LdapModification objects.
/// </param>
/// <returns>
/// an Asn1SequenceOf object containing the modifications.
/// </returns>
private static Asn1SequenceOf EncodeModifications(LdapModification[] mods)
{
// Convert Java-API LdapModification[] to RFC2251 SEQUENCE OF SEQUENCE
var rfcMods = new Asn1SequenceOf(mods.Length);
for (var i = 0; i < mods.Length; i++)
{
var attr = mods[i].Attribute;
// place modification attribute values in Asn1SetOf
var vals = new Asn1SetOf(attr.Size());
if (attr.Size() > 0)
{
var attrEnum = attr.ByteValues;
while (attrEnum.MoveNext())
{
vals.Add(new RfcAttributeValue(attrEnum.Current));
}
}
// create SEQUENCE containing mod operation and attr type and vals
var rfcMod = new Asn1Sequence(2);
rfcMod.Add(new Asn1Enumerated(mods[i].Op));
rfcMod.Add(new RfcAttributeTypeAndValues(new RfcAttributeDescription(attr.Name), vals));
// place SEQUENCE into SEQUENCE OF
rfcMods.Add(rfcMod);
}
return(rfcMods);
}
private CLAIMS_SET?GetADUserClaims_SingleRealm(string realm, string user, string userPwd, string server, string servicePwd, string serviceSpn)
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[2].Username,
this.testConfig.LocalRealm.User[2].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp, PaPacRequest and paPacOptions.");
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
Asn1SequenceOf <PA_DATA> seqOfPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request: {0}.", this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName);
Asn1SequenceOf <PA_DATA> seqOfPaData2 = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });
client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, seqOfPaData2);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);
tgsResponse.DecryptTicket(key);
BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart, "The encrypted part of TGS-REP is decrypted.");
if (this.testConfig.IsKileImplemented)
{
BaseTestSite.Assert.IsNotNull(tgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data.");
AdWin2KPac adWin2kPac = FindOneInAuthData <AdWin2KPac>(tgsResponse.TicketEncPart.authorization_data.Elements);
BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac.");
foreach (PacInfoBuffer buf in adWin2kPac.Pac.PacInfoBuffers)
{
if (buf.GetType() == typeof(ClientClaimsInfo))
{
return(((ClientClaimsInfo)buf).NativeClaimSet);
}
}
}
return(null);
}
/// <summary>
/// Creates and addes a substrings filter component.
/// startSubstrings must be immediatly followed by at least one
/// <c>AddSubstring</c> method and one <c>EndSubstrings</c> method.
/// </summary>
/// <param name="attrName">Name of the attribute.</param>
public void StartSubstrings(string attrName)
{
_finalFound = false;
var seq = new Asn1SequenceOf(5);
AddObject(new Asn1Tagged(new Asn1Identifier((int)FilterOp.Substrings, true), new RfcSubstringFilter(attrName, seq), false));
_filterStack.Push(seq);
}
public KrbFastReq(
FastOptions param0,
Asn1SequenceOf <PA_DATA> param1,
KDC_REQ_BODY param2)
{
this.fast_options = param0;
this.padata = param1;
this.req_body = param2;
}
public KrbFastReq(
FastOptions param0,
Asn1SequenceOf<PA_DATA> param1,
KDC_REQ_BODY param2)
{
this.fast_options = param0;
this.padata = param1;
this.req_body = param2;
}
private KerberosAsRequest CreateAsRequest(KDC_REQ_BODY kdcReqBody, Asn1SequenceOf <PA_DATA> paDatas, long pvno = KerberosConstValue.KERBEROSV5)
{
KerberosAsRequest request = new KerberosAsRequest(
pvno,
kdcReqBody,
paDatas,
Context.TransportType);
return(request);
}
public CLAIMS_SET? GetADUserClaims_SingleRealm(string realm, string user, string userPwd, string server, string servicePwd, string serviceSpn)
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[2].Username,
this.testConfig.LocalRealm.User[2].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp, PaPacRequest and paPacOptions.");
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request: {0}.", this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName);
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });
client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, seqOfPaData2);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);
tgsResponse.DecryptTicket(key);
BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart, "The encrypted part of TGS-REP is decrypted.");
if (this.testConfig.IsKileImplemented)
{
BaseTestSite.Assert.IsNotNull(tgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data.");
AdWin2KPac adWin2kPac = FindOneInAuthData<AdWin2KPac>(tgsResponse.TicketEncPart.authorization_data.Elements);
BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac.");
foreach (PacInfoBuffer buf in adWin2kPac.Pac.PacInfoBuffers)
{
if (buf.GetType() == typeof(ClientClaimsInfo))
{
return ((ClientClaimsInfo)buf).NativeClaimSet;
}
}
}
return null;
}
public void KrbErrorBadIntegrity()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
// Modify ciphertext of TGT
byte originalFirstByte = (byte)client.Context.Ticket.Ticket.enc_part.cipher.ByteArrayValue.GetValue(0);
client.Context.Ticket.Ticket.enc_part.cipher.ByteArrayValue.SetValue((byte)(originalFirstByte + 1), 0);
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options);
krbError = client.ExpectKrbError();
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve Kerberos error.");
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_BAD_INTEGRITY, krbError.ErrorCode,
"If decrypting the authenticator using the session key shows that it has been modified, " +
"the KRB_AP_ERR_BAD_INTEGRITY error is returned");
}
public KrbFastResponse(
Asn1SequenceOf <PA_DATA> param0,
EncryptionKey param1,
KrbFastFinished param2,
KerbUInt32 param3)
{
this.padata = param0;
this.strengthen_key = param1;
this.finished = param2;
this.nonce = param3;
}
public SearchRequest()
{
this.baseObject = null;
this.scope = null;
this.derefAliases = null;
this.sizeLimit = null;
this.timeLimit = null;
this.attrsOnly = null;
this.filter = null;
this.attributes = null;
}
public AS_REQ(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf <PA_DATA> param2,
KDC_REQ_BODY param3)
{
this.pvno = param0;
this.msg_type = param1;
this.padata = param2;
this.req_body = param3;
}
public KRB_CRED(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf<Ticket> param2,
EncryptedData param3)
{
this.pvno = param0;
this.msg_type = param1;
this.tickets = param2;
this.enc_part = param3;
}
public KrbFastResponse(
Asn1SequenceOf<PA_DATA> param0,
EncryptionKey param1,
KrbFastFinished param2,
KerbUInt32 param3)
{
this.padata = param0;
this.strengthen_key = param1;
this.finished = param2;
this.nonce = param3;
}
public TGS_REQ(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf<PA_DATA> param2,
KDC_REQ_BODY param3)
{
this.pvno = param0;
this.msg_type = param1;
this.padata = param2;
this.req_body = param3;
}
public KRB_CRED(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf <Ticket> param2,
EncryptedData param3)
{
this.pvno = param0;
this.msg_type = param1;
this.tickets = param2;
this.enc_part = param3;
}
public KileAsRequest CreateAsRequest(string sName,
KRBFlags kdcOptions,
Asn1SequenceOf <PA_DATA> paData,
params EncryptionType[] encryptionTypes)
{
KileAsRequest request = new KileAsRequest(context);
request.Request.msg_type = new Asn1Integer((int)MsgType.KRB_AS_REQ);
request.Request.pvno = new Asn1Integer(ConstValue.KERBEROSV5);
request.Request.padata = paData;
request.Request.req_body = new KDC_REQ_BODY();
request.Request.req_body.kdc_options = new KDCOptions(KileUtility.ConvertInt2Flags((int)kdcOptions));
request.Request.req_body.nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks));
request.Request.req_body.till = new KerberosTime(ConstValue.TGT_TILL_TIME);
request.Request.req_body.rtime = new KerberosTime(ConstValue.TGT_RTIME);
request.Request.req_body.addresses =
new HostAddresses(new HostAddress[1] {
new HostAddress(new KerbInt32((int)AddressType.NetBios),
new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())))
});
if (userName != null)
{
request.Request.req_body.cname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(userName));
}
if (domain != null)
{
request.Request.req_body.realm = new Realm(domain);
}
if (sName != null)
{
request.Request.req_body.sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KileUtility.String2SeqKerbString(sName, domain));
}
if (encryptionTypes != null)
{
KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new KerbInt32((int)encryptionTypes[i]);
}
request.Request.req_body.etype = new Asn1SequenceOf <KerbInt32>(etypes);
}
return(request);
}
public void AdFxFastArmorInAuthenticator()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid,
testConfig.LocalRealm.ClientComputer.AccountSalt);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));
AdFxFastArmor adFxFastArmor = new AdFxFastArmor();
AuthorizationData authData = new AuthorizationData(new AuthorizationDataElement[] { adFxFastArmor.AuthDataElement });
client.SendTgsRequest(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, authData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Receive TGS Error, KDC MUST reject the request.");
KerberosKrbError krbError = client.ExpectKrbError();
}
private KerberosAsRequest SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPaData)
{
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData);
this.client.SendPdu(asRequest);
return(asRequest);
}
public EncKrbCredPart(
Asn1SequenceOf<KrbCredInfo> param0,
KerbUInt32 param1,
KerberosTime param2,
Microseconds param3,
HostAddress param4,
HostAddress param5)
{
this.ticket_info = param0;
this.nonce = param1;
this.timestamp = param2;
this.usec = param3;
this.s_address = param4;
this.r_address = param5;
}
public AS_REP(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf<PA_DATA> param2,
Realm param3,
PrincipalName param4,
Ticket param5,
EncryptedData param6)
{
this.pvno = param0;
this.msg_type = param1;
this.padata = param2;
this.crealm = param3;
this.cname = param4;
this.ticket = param5;
this.enc_part = param6;
}
public SearchRequest(
LDAPDN baseObject,
SearchRequest_scope scope,
SearchRequest_derefAliases derefAliases,
Asn1Integer sizeLimit,
Asn1Integer timeLimit,
Asn1Boolean attrsOnly,
Filter filter,
Asn1SequenceOf<AttributeType> attributes)
{
this.baseObject = baseObject;
this.scope = scope;
this.derefAliases = derefAliases;
this.sizeLimit = sizeLimit;
this.timeLimit = timeLimit;
this.attrsOnly = attrsOnly;
this.filter = filter;
this.attributes = attributes;
}
public void CanonicalizeSpnInReferralTgt()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE | KdcOptions.RENEWABLEOK;
TypicalASExchange(client, options);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
Asn1SequenceOf<PA_DATA> paData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacOptions.Data });
//Create and send TGS request
if (this.testConfig.TrustType == Adapter.TrustType.Forest)
{
client.SendTgsRequest(this.testConfig.TrustedRealm.FileServer[0].Smb2ServiceName, options, paData);
}
else
{
client.SendTgsRequest(this.testConfig.TrustedRealm.KDC[0].DefaultServiceName, options, paData);
}
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
EncryptionKey key = testConfig.QueryKey(
this.testConfig.TrustedRealm.KDC[0].DefaultServiceName + "@" + this.testConfig.LocalRealm.RealmName,
client.Context.Realm.ToString(),
client.Context.SelectedEType);
tgsResponse.DecryptTicket(key);
//assert sname
BaseTestSite.Assert.AreEqual(this.testConfig.TrustedRealm.KDC[0].DefaultServiceName,
KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
"The service principal name in referral TGT MUST be canonicalized.");
}
public void AdFxFastUsedInAuthenticator()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid,
testConfig.LocalRealm.ClientComputer.AccountSalt);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));
// Switch to user principal
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
client.Context.Ticket,
client.Context.SessionKey,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// FAST armored AS_REQ and KRB-ERROR using user principal
//Create a "random" key.
var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
var apOptions = ApOptions.None;
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) });
client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
KerberosKrbError krbError2 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required.");
// FAST armored AS_REQ and AS_REP using user principal
var userKey = KerberosUtility.MakeKey(
client.Context.SelectedEType,
client.Context.CName.Password,
client.Context.CName.Salt);
PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
client.Context.SelectedEType,
KerberosUtility.CurrentKerberosTime.Value,
0,
client.Context.FastArmorkey,
userKey);
Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions);
KerberosAsResponse userKrbAsRep = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name));
// FAST armored TGS_REQ and TGS_REP using user principal
subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt");
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send unarmored TGS request with AD-fx-fast-used.");
AdFxFastUsed adFxFastUsed = new AdFxFastUsed();
AuthorizationData authData = new AuthorizationData(new AuthorizationDataElement[] { adFxFastUsed.AuthDataElement });
client.SendTgsRequest(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, authData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Receive TGS Error, KDC MUST reject the request.");
KerberosKrbError krbError = client.ExpectKrbError();
}
/// <summary>
/// Creates a ModifyRequest packet.
/// </summary>
/// <param name="context">The user context which contains message ID.</param>
/// <param name="objectDn">The DN of object to be modified.</param>
/// <param name="modificationList">Modification list of attributes.</param>
/// <returns>The packet that contains the request.</returns>
internal override AdtsModifyRequestPacket CreateModifyRequest(
AdtsLdapContext context,
string objectDn,
params MsLdap.DirectoryAttributeModification[] modificationList)
{
int length = (modificationList != null) ? modificationList.Length : 0;
ModifyRequest_modification_element[] modificationElements = new ModifyRequest_modification_element[length];
for (int i = 0; i < length; i++)
{
byte[][] values = (byte[][])modificationList[i].GetValues(typeof(byte[]));
modificationElements[i] = new ModifyRequest_modification_element(
new ModifyRequest_modification_element_operation((long)modificationList[i].Operation),
new AttributeTypeAndValues(
new AttributeDescription(modificationList[i].Name),
CreateAttributeValueSet(values)));
}
Asn1SequenceOf<ModifyRequest_modification_element> modificationSequence =
new Asn1SequenceOf<ModifyRequest_modification_element>(modificationElements);
ModifyRequest modifyRequest = new ModifyRequest(
new LDAPDN(objectDn ?? string.Empty),
modificationSequence);
LDAPMessage_protocolOp operation = new LDAPMessage_protocolOp();
operation.SetData(LDAPMessage_protocolOp.modifyRequest, modifyRequest);
LDAPMessage message = new LDAPMessage(new MessageID(context.MessageId), operation, null);
AdtsModifyRequestPacket packet = new AdtsModifyRequestPacket();
packet.ldapMessagev3 = message;
packet.messageId = context.MessageId;
return packet;
}
public void KrbFastFinishedTgsRep()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid,
testConfig.LocalRealm.ClientComputer.AccountSalt);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));
// Switch to user principal
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
client.Context.Ticket,
client.Context.SessionKey,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// FAST armored AS_REQ and KRB-ERROR using user principal
//Create a "random" key.
var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
var apOptions = ApOptions.None;
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) });
client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
KerberosKrbError krbError2 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required.");
// FAST armored AS_REQ and AS_REP using user principal
var userKey = KerberosUtility.MakeKey(
client.Context.SelectedEType,
client.Context.CName.Password,
client.Context.CName.Salt);
PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
client.Context.SelectedEType,
KerberosUtility.CurrentKerberosTime.Value,
0,
client.Context.FastArmorkey,
userKey);
Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions);
KerberosAsResponse userKrbAsRep = client.ExpectAsResponse();
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name));
// FAST armored TGS_REQ and TGS_REP using user principal
subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt");
client.SendTgsRequestWithFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions);
KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey);
BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted.");
//Verify KrbFastFinished.
KrbFastFinished fastFinishedTgs = null;
BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.padata, "The padata of AS-REP is not null.");
BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.padata.Elements, "The padata of AS-REP is not empty.");
foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements)
{
var parsedPaData = PaDataParser.ParseRepPaData(paData);
if (parsedPaData is PaFxFastRep)
{
var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep();
var kerbFastRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey);
fastFinishedTgs = kerbFastRep.FastResponse.finished;
break;
}
}
BaseTestSite.Assert.IsNotNull(fastFinishedTgs, "The finished field contains a KrbFastFinished structure.");
Asn1BerEncodingBuffer buf2 = new Asn1BerEncodingBuffer();
userKrbTgsRep.Response.ticket.BerEncode(buf2);
Checksum ticketChecksumTgs = new Checksum(new KerbInt32((long)KerberosUtility.GetChecksumType(client.Context.SelectedEType)), new Asn1OctetString(KerberosUtility.GetChecksum(
client.Context.FastArmorkey.keyvalue.ByteArrayValue,
buf2.Data,
(int)KeyUsageNumber.FAST_FINISHED,
KerberosUtility.GetChecksumType(client.Context.SelectedEType))));
BaseTestSite.Assert.IsTrue(
KerberosUtility.CompareChecksum(fastFinishedTgs.ticket_checksum, ticketChecksumTgs),
"The ticket checksum is correct.");
}
public void FastKrb_Error()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid,
testConfig.LocalRealm.ClientComputer.AccountSalt);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with no PA data.");
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve preauthentication required error.");
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp.");
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response.");
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS response is decrypted.");
BaseTestSite.Assert.IsNotNull(asResponse.EncPart.key, "AS response should contain a session key.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));
// Switch to user principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Switch to user principal.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("Construct Kerberos client using user account: {0}.",
this.testConfig.LocalRealm.User[1].Username));
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
client.Context.Ticket,
client.Context.SessionKey,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// FAST armored AS_REQ and KRB-ERROR using user principal
//Create a "random" key.
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored AS request with no pre-authentication padata.");
var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
var apOptions = ApOptions.None;
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) });
client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
KerberosKrbError krbError2 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required.");
// FAST armored AS_REQ and AS_REP using user principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncryptedChallenge.");
var userKey = KerberosUtility.MakeKey(
client.Context.SelectedEType,
client.Context.CName.Password,
client.Context.CName.Salt);
var invalidKey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Invalid", "this is a salt");
PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
client.Context.SelectedEType,
KerberosUtility.CurrentKerberosTime.ToString(),
0,
invalidKey,
userKey);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data });
Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response.");
KerberosKrbError error = client.ExpectKrbError();
BaseTestSite.Assert.IsNotNull(error.KrbError.e_data, "E_data is not null");
Asn1SequenceOf<PA_DATA> seqOfPadata = new Asn1SequenceOf<PA_DATA>();
seqOfPadata.BerDecode(new Asn1DecodingBuffer(error.KrbError.e_data.ByteArrayValue));
var padataCount = seqOfPadata.Elements.Length;
PaFxFastRep paFxFastRep = null;
for (int i = 0; i < padataCount; i++)
{
var padata = PaDataParser.ParseRepPaData(seqOfPadata.Elements[i]);
//Fix me: PaETypeInfo is also possible
if (padata is PaFxFastRep)
{
paFxFastRep = padata as PaFxFastRep;
}
}
BaseTestSite.Assert.IsNotNull(paFxFastRep , "KDC must reply a PA-FX-Fast response.");
PaFxError paFxError = null;
var armoredRep = paFxFastRep.GetKerberosFastRep(client.Context.FastArmorkey);
foreach (var padata in armoredRep.PaData)
{
if (padata is PaFxError)
{
paFxError = padata as PaFxError;
break;
}
}
BaseTestSite.Assert.IsNotNull(paFxError , "KDC must include a PA-FX-ERROR padata.");
BaseTestSite.Assert.IsNull(paFxError.KrbError.KrbError.e_data, "E_data is null.");
}
public void PaFxFastAdvertise()
{
base.Logging();
//Create kerberos test client and connect
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType,
testConfig.SupportedOid);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Construct Kerberos client for testing."); //Create and send AS request
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with no PA data.");
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve preauthentication required error.");
var seqOfPadata = new Asn1SequenceOf<PA_DATA>();
BaseTestSite.Assert.IsNotNull(krbError.KrbError.e_data, "e_data is not null.");
seqOfPadata.BerDecode(new Asn1DecodingBuffer(krbError.KrbError.e_data.ByteArrayValue));
PaFxFastRep paFxFast = null;
var padataCount = seqOfPadata.Elements.Length;
for (int i = 0; i < padataCount; i++)
{
var padata = PaDataParser.ParseRepPaData(seqOfPadata.Elements[i]);
if (padata is PaFxFastRep)
{
paFxFast = padata as PaFxFastRep;
break;
}
}
BaseTestSite.Assert.IsNotNull(paFxFast, "The KDC SHOULD advertise PA-FX-FAST in a PREAUTH_REQUIRED error.");
BaseTestSite.Assert.IsNull(paFxFast.FastReply, "KDCs MUST send the advertisement of PA-FX-FAST with an empty pa-value.");
}
public void NetworkLogonLdapWithClaim_Ldap()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
this.client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.LdapServer[0].LdapServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG,
this.testConfig.LocalRealm.LdapServer[0].GssToken);
//AP exchange part
byte[] repToken = this.SendAndRecieveLdapAp(this.testConfig.LocalRealm.LdapServer[0], token, this.testConfig.TrustedRealm.LdapServer[0].GssToken);
KerberosApResponse apResponse = client.GetApResponseFromToken(repToken, this.testConfig.LocalRealm.LdapServer[0].GssToken);
}
public void StrengthenKey()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid,
testConfig.LocalRealm.ClientComputer.AccountSalt);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with no PA data.");
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve preauthentication required error.");
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp.");
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response.");
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS response is decrypted.");
BaseTestSite.Assert.IsNotNull(asResponse.EncPart.key, "AS response should contain a session key.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));
// Switch to user principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Switch to user principal.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("Construct Kerberos client using user account: {0}.",
this.testConfig.LocalRealm.User[1].Username));
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
client.Context.Ticket,
client.Context.SessionKey,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// FAST armored AS_REQ and KRB-ERROR using user principal
//Create a "random" key.
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored AS request with no pre-authentication padata.");
var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
var apOptions = ApOptions.None;
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) });
client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
KerberosKrbError krbError2 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required.");
// FAST armored AS_REQ and AS_REP using user principal
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncryptedChallenge.");
var userKey = KerberosUtility.MakeKey(
client.Context.SelectedEType,
client.Context.CName.Password,
client.Context.CName.Salt);
PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
client.Context.SelectedEType,
KerberosUtility.CurrentKerberosTime.Value,
0,
client.Context.FastArmorkey,
userKey);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data });
Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response.");
KerberosAsResponse userKrbAsRep = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT.");
BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart, "The encrypted part of AS response is decrypted.");
BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart.key, "AS response should contain a session key.");
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name));
// FAST armored TGS_REQ and TGS_REP using user principal
subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt");
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request.");
client.SendTgsRequestWithFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve TGS response.");
KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey);
BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response, "The Response pare of TGS-REP is not null.");
BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response.padata, "The Padata of TGS-REP is not null.");
EncryptionKey strengthenKey = null;
foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements)
{
var parsedPaData = PaDataParser.ParseRepPaData(paData);
if (parsedPaData is PaFxFastRep)
{
var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep();
var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey);
strengthenKey = kerbRep.FastResponse.strengthen_key;
}
}
BaseTestSite.Assert.IsNotNull(strengthenKey, "Strengthen key field must be set in TGS-REP.");
BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted.");
}
public void UnsupportedFastArmorType()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
// Switch to user principal
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[2].Username,
this.testConfig.LocalRealm.User[2].Password,
KerberosAccountType.User,
client.Context.Ticket,
client.Context.SessionKey,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// FAST armored AS_REQ and KRB-ERROR using user principal
//Create a "random" key.
var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
var apOptions = ApOptions.None;
string timeStamp2 = KerberosUtility.CurrentKerberosTime.Value;
PaFxFastReq paFxReq = new PaFxFastReq(null);
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { (paFxReq.Data) });
client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
KerberosKrbError krbError2 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError2.ErrorCode,
KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED,
"Pre-authentication required.");
// FAST armored AS_REQ and AS_REP using user principal
var userKey = KerberosUtility.MakeKey(
client.Context.SelectedEType,
client.Context.CName.Password,
client.Context.CName.Salt);
PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
client.Context.SelectedEType,
KerberosUtility.CurrentKerberosTime.Value,
0,
client.Context.FastArmorkey,
userKey);
Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
PaPacRequest paPacRequest = new PaPacRequest(true);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });
client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions, 0);
KerberosKrbError krbError3 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError3.ErrorCode,
KRB_ERROR_CODE.KDC_ERR_PREAUTH_FAILED,
"Pre-authentication failed.");
}
public void ChangePasswordError()
{
base.Logging();
if (!this.testConfig.UseProxy)
{
BaseTestSite.Assert.Inconclusive("This case is only applicable when Kerberos Proxy Service is in use.");
}
#region KRB5_KPASSWD_SOFTERROR
//Create kerberos test client and connect
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[22].Username,
this.testConfig.LocalRealm.User[22].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends AS_REQ without Pre-Authentication data for password change");
client.SendAsRequestForPwdChange(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KRB_ERROR: KDC_ERR_PREAUTH_REQUIRED");
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends AS_REQ with PA-ENC-TIMESTAMP and PA-PAC-REQUEST for password change");
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
this.client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequestForPwdChange(options, seqOfPaData);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns AS_REP");
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create kpassword test client and connect
KpasswdTestClient kpassClient = new KpasswdTestClient(
testConfig.LocalRealm.KDC[0].IPAddress,
KerberosConstValue.KPASSWORD_PORT,
testConfig.TransportType,
client.Context.Ticket);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
kpassClient.UseProxy = true;
kpassClient.ProxyClient = proxyClient;
}
//Specify a new password which doesn't meet the complexity requirements
string newPwd = "123";
//Create and send Kpassword request
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends KpasswordRequest");
kpassClient.SendKpasswordRequest(newPwd);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KpasswordResponse");
KpasswordResponse kpassResponse = kpassClient.ExpectKpasswordResponse();
//Verify the result code
BaseTestSite.Assert.AreEqual(KpasswdError.KRB5_KPASSWD_SOFTERROR, (KpasswdError)kpassClient.GetResultCode(kpassResponse),
"The result code should be KRB5_KPASSWD_SOFTERROR when the new password doesn't meet the complexity requirements.");
#endregion KRB5_KPASSWD_SOFTERROR
#region KRB5_KPASSWD_MALFORMED
newPwd = this.testConfig.LocalRealm.User[22].Password;
//Create and send Kpassword request
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends KpasswordRequest");
kpassClient.SendMalformedKpasswordRequest(newPwd);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KpasswordResponse");
kpassResponse = kpassClient.ExpectKpasswordResponse();
//Verify the result code
BaseTestSite.Assert.AreEqual(KpasswdError.KRB5_KPASSWD_MALFORMED, (KpasswdError)kpassClient.GetResultCode(kpassResponse),
"The result code should be KRB5_KPASSWD_MALFORMED when the request is malformed.");
#endregion KRB5_KPASSWD_MALFORMED
#region KRB5_KPASSWD_AUTHERROR
//Create and send Kpassword request
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends KpasswordRequest");
kpassClient.SendAuthErrorKpasswordRequest(newPwd);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KpasswordResponse");
kpassResponse = kpassClient.ExpectKpasswordResponse();
//Verify the result code
BaseTestSite.Assert.AreEqual(KpasswdError.KRB5_KPASSWD_AUTHERROR, (KpasswdError)kpassClient.GetResultCode(kpassResponse),
"The result code should be KRB5_KPASSWD_AUTHERROR when the request fails due to an error in authentication processing.");
#endregion KRB5_KPASSWD_AUTHERROR
#region KRB5_KPASSWD_ACCESSDENIED
//Create kerberos test client and connect
//Use the user who can't change the password
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends AS_REQ without Pre-Authentication data for password change");
client.SendAsRequestForPwdChange(options, null);
//Recieve preauthentication required error
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KRB_ERROR: KDC_ERR_PREAUTH_REQUIRED");
krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends AS_REQ with PA-ENC-TIMESTAMP and PA-PAC-REQUEST for password change");
timeStamp = KerberosUtility.CurrentKerberosTime.Value;
paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
this.client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
paPacRequest = new PaPacRequest(true);
seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequestForPwdChange(options, seqOfPaData);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns AS_REP");
asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create kpassword test client and connect
kpassClient = new KpasswdTestClient(
testConfig.LocalRealm.KDC[0].IPAddress,
KerberosConstValue.KPASSWORD_PORT,
testConfig.TransportType,
client.Context.Ticket);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
kpassClient.UseProxy = true;
kpassClient.ProxyClient = proxyClient;
}
newPwd = this.testConfig.LocalRealm.User[1].Password;
//Create and send Kpassword request
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends KpasswordRequest");
kpassClient.SendKpasswordRequest(newPwd);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KpasswordResponse");
kpassResponse = kpassClient.ExpectKpasswordResponse();
//Verify the result code
BaseTestSite.Assert.AreEqual(KpasswdError.KRB5_KPASSWD_ACCESSDENIED, (KpasswdError)kpassClient.GetResultCode(kpassResponse),
"The result code should be KRB5_KPASSWD_ACCESSDENIED when the user has no access to change the password.");
#endregion KRB5_KPASSWD_ACCESSDENIED
}
