internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false) { KerberosClient client; if (listener == null) { client = new KerberosClient(); client.PinKdc("corp.identityintervention.com", kdc); } else { IKerberosTransport transport = new InMemoryTransport(listener); client = new KerberosClient(transports: transport); } client.Configuration.Defaults.DnsLookupKdc = queryDns; client.CacheServiceTickets = caching; client.RenewTickets = caching; client.RenewTicketsThreshold = TimeSpan.MaxValue; client.RefreshPollInterval = TimeSpan.FromMilliseconds(10); return(client); }
public void RequestTgt() { TcpKerberosTransport.MaxPoolSize = this.ConcurrentRequests * 2; if (this.credential == null) { this.credential = Creds.GetOrAdd(this.AlgorithmType, a => new KerberosPasswordCredential(a + this.user, this.password)); } var requestCounter = 0; try { Task.WaitAll(Enumerable.Range(0, this.ConcurrentRequests).Select(taskNum => Task.Run(async() => { var client = new KerberosClient(); client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault().Enabled = false; client.Transports.OfType <HttpsKerberosTransport>().FirstOrDefault().Enabled = false; client.PinKdc(this.credential.Domain, $"{this.overrideKdc}:{this.Port}"); for (var i = 0; i < this.AuthenticationAttempts; i++) { try { await client.Authenticate(this.credential); Interlocked.Increment(ref Successes); if (this.DisplayProgress) { CountItOut(ref requestCounter); } } catch (Exception) { } } })).ToArray()); } catch { } }
public async Task RequestServiceTicket(string algo) { var kerbCred = new KerberosPasswordCredential(algo + this.user, this.password); using (var client = new KerberosClient()) { client.PinKdc(kerbCred.Domain, $"{this.overrideKdc}:{this.port}"); await client.Authenticate(kerbCred); for (var i = 0; i < this.AuthenticationAttempts; i++) { await client.GetServiceTicket( "host/appservice.corp.identityintervention.com", ApOptions.MutualRequired ); } } }
public void RequestTgt() { var requestCounter = 0; Task.WaitAll(Enumerable.Range(0, ConcurrentRequests).Select(taskNum => Task.Run(async() => { var client = new KerberosClient(); client.PinKdc(credential.Domain, $"{overrideKdc}:{Port}"); for (var i = 0; i < AuthenticationAttempts; i++) { await client.Authenticate(credential); if (DisplayProgress) { CountItOut(ref requestCounter); } } })).ToArray()); }
public async Task ClientConnectsToServer_WithTimeout() { var port = NextPort(); using (var client = new KerberosClient() { ConnectTimeout = TimeSpan.FromMilliseconds(1) }) { client.Configuration.Defaults.DnsLookupKdc = false; client.PinKdc("test", $"127.0.0.1:{port}"); try { await client.Authenticate(new KerberosPasswordCredential("test", "test", "test")); } catch (AggregateException agg) { throw agg.InnerExceptions.First(); } } }
private static async Task RequestTickets( X509Certificate2 cert, string user, string password, string overrideKdc, string s4u, string spn, bool retryDH, bool includeCNameHint, string servicePassword, string serviceSalt, bool cacheToFile ) { KerberosCredential kerbCred; if (cert == null) { kerbCred = new KerberosPasswordCredential(user, password); } else { var chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.Build(cert); var kdcCerts = new List <X509Certificate2>(); for (var i = 0; i < chain.ChainElements.Count; i++) { var c = chain.ChainElements[i].Certificate; if (c.Thumbprint != cert.Thumbprint) { kdcCerts.Add(c); } } if (retryDH) { kerbCred = new RandomDHAsymmetricCredential(cert, user); } else { kerbCred = new TrustedKdcAsymmetricCredential(cert, user); } } var factory = LoggerFactory.Create(builder => { builder.AddConsole(opt => opt.IncludeScopes = true); builder.AddFilter <ConsoleLoggerProvider>(level => level >= LogLevel.Trace); }); var client = new KerberosClient(logger: factory); if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy)) { client.Configuration.Realms[kdcProxy.DnsSafeHost].Kdc.Add(kdcProxy.OriginalString); client.Configuration.Realms[kerbCred.Domain].Kdc.Add(kdcProxy.OriginalString); client.Configuration.Defaults.DnsLookupKdc = false; } else if (!string.IsNullOrWhiteSpace(overrideKdc)) { client.Configuration.Defaults.DnsLookupKdc = false; client.PinKdc(kerbCred.Domain, overrideKdc); } if (cacheToFile) { client.Configuration.Defaults.DefaultCCacheName = "krb5cc"; } KrbPrincipalName cnameHint = null; if (includeCNameHint) { cnameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain); } client.RenewTickets = true; using (client) using (kerbCred as IDisposable) { await client.Authenticate(kerbCred); spn = spn ?? "host/appservice.corp.identityintervention.com"; KrbTicket s4uTicket = null; if (!string.IsNullOrWhiteSpace(s4u)) { var s4uSelf = await client.GetServiceTicket( kerbCred.UserName, ApOptions.MutualRequired, s4u : s4u ); s4uTicket = s4uSelf.Ticket; } var session = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired, S4uTicket = s4uTicket, CNameHint = cnameHint } ); DumpTicket(session.ApReq); ResetColor(); if (!retryDH) { try { await TryValidate(spn, session.ApReq, servicePassword, serviceSalt, factory); } catch (Exception ex) { W(ex.Message, ConsoleColor.Yellow); ResetColor(); } } } }
internal static async Task <List <Exception> > MultithreadedRequests( int threads, int requests, bool cacheTickets, bool encodeNego, bool includePac, string kdc, X509Certificate2 cert, KdcListener listener ) { var exceptions = new List <Exception>(); KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName); } else { kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword); } KerberosClient client = CreateClient(listener, kdc); using (kerbCred as IDisposable) using (client) { client.PinKdc(kerbCred.Domain, kdc); client.CacheServiceTickets = cacheTickets; if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() => { for (var i = 0; i < requests; i++) { try { if (i % 2 == 0) { await client.Authenticate(kerbCred); } var ticket = await client.GetServiceTicket(new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired }); Assert.IsNotNull(ticket.ApReq); await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac); } #pragma warning disable CA1031 // Do not catch general exception types catch (Exception ex) #pragma warning restore CA1031 // Do not catch general exception types { exceptions.Add(ex); } } })).ToArray()); } return(exceptions); }