public void CacheCannotBeNull() { var client = new KerberosClient { Cache = null }; }
internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false) { KerberosClient client; if (listener == null) { client = new KerberosClient(); client.PinKdc("corp.identityintervention.com", kdc); } else { IKerberosTransport transport = new InMemoryTransport(listener); client = new KerberosClient(transports: transport); } client.Configuration.Defaults.DnsLookupKdc = queryDns; client.CacheServiceTickets = caching; client.RenewTickets = caching; client.RenewTicketsThreshold = TimeSpan.MaxValue; client.RefreshPollInterval = TimeSpan.FromMilliseconds(10); return(client); }
private async Task S4u2Self(KerberosClient client) { var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}"); var myTgt = myTgtEntry.KdcResponse?.Ticket; if (myTgt == null) { this.IO.Writer.WriteLine(SR.Resource("CommandLine_WhoAmI_NoTgt")); return; } var result = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = client.UserPrincipalName, UserToUserTicket = myTgt, CacheTicket = false, } ); var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey())); var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication()); this.DescribeTicket(identity as KerberosIdentity); }
private static async Task RequestAndValidateTickets( string user, string password, string overrideKdc, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true ) { var kerbCred = new KerberosPasswordCredential(user, password); using (var client = new KerberosClient(overrideKdc) { CacheServiceTickets = caching }) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var spn = FakeAppServiceSpn; var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, includePac : includePac); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, encodeNego, includePac : includePac); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired, S4uTarget = s4u } ); await ValidateTicket(ticket, includePac : includePac); } }
public async Task ClientRequestsServiceTicketBeforeAuthentication() { using (var client = new KerberosClient()) { await client.GetServiceTicket("host/test.com"); } }
private async Task GetServiceTicket(KerberosClient client) { await ExecuteWithErrorHandling( client, async c => await c.GetServiceTicket(this.ServicePrincipalName) ); }
private static async Task RequestTickets(string user, string password, string overrideKdc) { var kerbCred = new KerberosPasswordCredential(user, password); KerberosClient client = new KerberosClient(overrideKdc); await client.Authenticate(kerbCred); var ticket = await client.GetServiceTicket( "host/appservice.corp.identityintervention.com", ApOptions.MutualRequired ); var encoded = ticket.EncodeApplication().ToArray(); var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { "host/appservice.corp.identityintervention.com" } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); DumpClaims(validated); }
private async Task RenewServiceTicket(KerberosClient client) { await ExecuteWithErrorHandling( client, async c => await c.RenewTicket() ); }
/// Authenticates to the Kerberos domain and obtains /// a Service Ticket to the service identified by the /// configured Service Principal Name (SPN). public async Task AuthenticateToKerberosAsync() { var kCred = new KerberosPasswordCredential( _kerberosOptions.Username, _kerberosOptions.Password, _kerberosOptions.Domain); var kClient = _options.KerberosOptions?.Client; if (kClient == null) { kClient = new KerberosClient(); } try { await kClient.Authenticate(kCred); _serviceTicket = await kClient.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = _kerberosOptions.MapperServiceSpn, ApOptions = ApOptions.MutualRequired, }); _serviceTicketToken = ByteString.CopyFrom(_serviceTicket.ApReq.EncodeApplication().ToArray()); } finally { if (kClient != _options.KerberosOptions?.Client) { kClient.Dispose(); } } }
private async Task GetServiceTicket(KerberosClient client) { try { await client.GetServiceTicket(this.ServicePrincipalName); } catch (AggregateException aex) { ICollection <Exception> exceptions = aex.InnerExceptions?.Where(e => e != null)?.ToList(); if (exceptions == null) { exceptions = new List <Exception>(); if (aex.InnerException != null) { exceptions.Add(aex.InnerException); } } foreach (var ex in exceptions.Where(e => e != null)) { if (ex is KerberosProtocolException kex && kex?.Error?.ErrorCode == KerberosErrorCode.KRB_AP_ERR_TKT_EXPIRED) { await PurgeTickets(); await client.GetServiceTicket(this.ServicePrincipalName); break; } this.IO.Writer.WriteLine(ex?.Message ?? SR.Resource("Unknown Error")); } } }
public void CacheFileFormat4Supported() { using (var client = new KerberosClient()) { Assert.AreEqual(4, client.Configuration.Defaults.CCacheType); Assert.IsNotNull(client.Cache); } }
public void CacheCannotBeNull() { #pragma warning disable IDE0067 // Dispose objects before losing scope _ = new KerberosClient { Cache = null }; #pragma warning restore IDE0067 // Dispose objects before losing scope }
public void ServiceTicketsNotCached() { using (var client = new KerberosClient()) { Assert.IsNotNull(client.Cache); Assert.IsFalse(client.CacheServiceTickets); } }
public void KerberosClientStartup() { using (var client = new KerberosClient()) { Assert.IsNotNull(client); Assert.AreEqual(3, client.Transports.Count()); } }
private void DescribeClientDetails(KerberosClient client) { this.WriteLine(); this.WriteHeader(SR.Resource("CommandLine_KList_ClientDetails")); this.WriteLine(); this.IO.ListProperties(client); }
public void TcpClientEnabledByDefault() { var client = new KerberosClient(); var tcp = client.Transports.FirstOrDefault(t => t.Protocol == ProtocolType.Tcp); Assert.IsNotNull(tcp); Assert.IsTrue(tcp.Enabled); }
public void CacheFileFormatBelow4Supported() { using (var client = new KerberosClient()) { client.CacheInMemory = false; client.Configuration.Defaults.CCacheType = 3; Assert.IsNotNull(client.Cache); } }
public void UdpClientDisabledByDefault() { var client = new KerberosClient(); var udp = client.Transports.FirstOrDefault(t => t.Protocol == ProtocolType.Udp); Assert.IsNotNull(udp); Assert.IsFalse(udp.Enabled); }
public void TcpClientEnabledByDefault() { using (var client = new KerberosClient()) { var tcp = client.Transports.OfType <TcpKerberosTransport>().FirstOrDefault(); Assert.IsNotNull(tcp); Assert.IsTrue(tcp.Enabled); } }
public async Task ClientConnectsToServer_Withtimeout() { var port = NextPort(); var client = new KerberosClient($"127.0.0.1:{port}") { ConnectTimeout = TimeSpan.FromMilliseconds(1) }; await client.Authenticate(new KerberosPasswordCredential("test", "test", "test")); }
public void HttpsTransportEnabledByDefault() { using (var client = new KerberosClient()) { var https = client.Transports.OfType <HttpsKerberosTransport>().FirstOrDefault(); Assert.IsNotNull(https); Assert.IsTrue(https.Enabled); } }
public void UdpTransportEnabledByDefault() { using (var client = new KerberosClient()) { var udp = client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault(); Assert.IsNotNull(udp); Assert.IsTrue(udp.Enabled); } }
public async Task RequestTgt(string algo) { var cred = new KerberosPasswordCredential(algo + user, password); var client = new KerberosClient($"{overrideKdc}:{port}"); for (var i = 0; i < AuthenticationAttempts; i++) { await client.Authenticate(cred); } }
private static async Task RequestAndValidateTickets( string user, string password, string overrideKdc, string s4u = null, bool encodeNego = false, bool caching = false ) { var kerbCred = new KerberosPasswordCredential(user, password); KerberosClient client = new KerberosClient(overrideKdc) { CacheServiceTickets = caching }; await client.Authenticate(kerbCred); var spn = "host/appservice.corp.identityintervention.com"; var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = "host/appservice.corp.identityintervention.com", ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, encodeNego); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = "host/appservice.corp.identityintervention.com", ApOptions = ApOptions.MutualRequired, S4uTarget = s4u } ); await ValidateTicket(ticket); }
public void CacheSetDisposesCorrectly() { var disposableCache = new DisposableCache(); var client = new KerberosClient() { Cache = disposableCache }; client.Cache = new DisposableCache(); Assert.IsTrue(disposableCache.Disposed); }
public async Task ClientCannotGetExpiredCachedItem() { using (var client = new KerberosClient() { Cache = new Krb5TicketCache(FilePath) }) { await client.GetServiceTicket(new RequestServiceTicket { ServicePrincipalName = "krbtgt/IPA.IDENTITYINTERVENTION.COM" }); } }
private static async Task RequestTickets(string user, string password, string overrideKdc, string s4u, string spn) { var kerbCred = new KerberosPasswordCredential(user, password); using (KerberosClient client = new KerberosClient(overrideKdc)) { await client.Authenticate(kerbCred); spn = spn ?? "host/appservice.corp.identityintervention.com"; KrbTicket s4uTicket = null; if (!string.IsNullOrWhiteSpace(s4u)) { var s4uSelf = await client.GetServiceTicket( kerbCred.UserName, ApOptions.MutualRequired, s4u : s4u ); s4uTicket = s4uSelf.Ticket; } var ticket = await client.GetServiceTicket( spn, ApOptions.MutualRequired, s4uTicket : s4uTicket ); var encoded = ticket.EncodeApplication().ToArray(); var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { spn } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); DumpClaims(validated); } }
public async Task U2U() { var port = new Random().Next(20000, 40000); var options = new ListenerOptions { ListeningOn = new IPEndPoint(IPAddress.Loopback, port), DefaultRealm = "corp2.identityintervention.com".ToUpper(), IsDebug = true, RealmLocator = realm => LocateRealm(realm), ReceiveTimeout = TimeSpan.FromHours(1) }; KdcServiceListener listener = new KdcServiceListener(options); _ = listener.Start(); var kerbClientCred = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"); var client = new KerberosClient($"127.0.0.1:{port}"); await client.Authenticate(kerbClientCred); var kerbServerCred = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"); var server = new KerberosClient($"127.0.0.1:{port}"); await server.Authenticate(kerbClientCred); var serverEntry = await server.Cache.Get <KerberosClientCacheEntry>($"krbtgt/{server.DefaultDomain}"); var serverTgt = serverEntry.Ticket.Ticket; var apReq = await client.GetServiceTicket("host/u2u", ApOptions.MutualRequired | ApOptions.UseSessionKey, u2uServerTicket : serverTgt); Assert.IsNotNull(apReq); var decrypted = new DecryptedKrbApReq(apReq); Assert.IsNull(decrypted.Ticket); decrypted.Decrypt(serverEntry.SessionKey.AsKey()); decrypted.Validate(ValidationActions.All); Assert.IsNotNull(decrypted.Ticket); Assert.AreEqual("host/u2u/CORP.IDENTITYINTERVENTION.COM", decrypted.SName.FullyQualifiedName); listener.Stop(); }
private async Task S4u2Self(KerberosClient client) { if (client.Cache is LsaCredentialCache) { this.WriteLineError("The whoami command isn't supported with the LSA Cache"); return; } var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}"); var myTgt = myTgtEntry.KdcResponse?.Ticket; if (myTgt == null) { this.WriteHeader(SR.Resource("CommandLine_WhoAmI_NoTgt")); return; } try { var result = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = client.UserPrincipalName, UserToUserTicket = myTgt, CacheTicket = false, S4uTarget = client.UserPrincipalName } ); var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey())); var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication()); this.DescribeTicket(identity as KerberosIdentity); } catch (KerberosProtocolException kex) { this.WriteLine(); this.WriteLine(1, "{ErrorCode}: {ErrorText}", kex.Error.ErrorCode, kex.Error.ETextWithoutCode()); if (kex.Error.ErrorCode == KerberosErrorCode.KRB_AP_ERR_TKT_EXPIRED) { this.WriteLine(); this.WriteLine(1, SR.Resource("CommandLine_WhoAmI_NoTgt")); } } }
public async Task KrbCredImportsAndGets() { var krbCred = CreateKrbCredential(); using (var client = new KerberosClient()) { client.ImportCredential(krbCred); var serviceTicket = await client.GetServiceTicket("host/test.com"); Assert.IsNotNull(serviceTicket); Assert.IsNotNull(serviceTicket.Authenticator); Assert.IsNotNull(serviceTicket.Ticket); } }