internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false)
{
KerberosClient client;
if (listener == null)
{
client = new KerberosClient();
client.PinKdc("corp.identityintervention.com", kdc);
}
else
{
IKerberosTransport transport = new InMemoryTransport(listener);
client = new KerberosClient(transports: transport);
}
client.Configuration.Defaults.DnsLookupKdc = queryDns;
client.CacheServiceTickets = caching;
client.RenewTickets = caching;
client.RenewTicketsThreshold = TimeSpan.MaxValue;
client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);
return(client);
}
public void RequestTgt()
{
TcpKerberosTransport.MaxPoolSize = this.ConcurrentRequests * 2;
if (this.credential == null)
{
this.credential = Creds.GetOrAdd(this.AlgorithmType, a => new KerberosPasswordCredential(a + this.user, this.password));
}
var requestCounter = 0;
try
{
Task.WaitAll(Enumerable.Range(0, this.ConcurrentRequests).Select(taskNum => Task.Run(async() =>
{
var client = new KerberosClient();
client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault().Enabled = false;
client.Transports.OfType <HttpsKerberosTransport>().FirstOrDefault().Enabled = false;
client.PinKdc(this.credential.Domain, $"{this.overrideKdc}:{this.Port}");
for (var i = 0; i < this.AuthenticationAttempts; i++)
{
try
{
await client.Authenticate(this.credential);
Interlocked.Increment(ref Successes);
if (this.DisplayProgress)
{
CountItOut(ref requestCounter);
}
}
catch (Exception)
{
}
}
})).ToArray());
}
catch
{
}
}
public async Task RequestServiceTicket(string algo)
{
var kerbCred = new KerberosPasswordCredential(algo + this.user, this.password);
using (var client = new KerberosClient())
{
client.PinKdc(kerbCred.Domain, $"{this.overrideKdc}:{this.port}");
await client.Authenticate(kerbCred);
for (var i = 0; i < this.AuthenticationAttempts; i++)
{
await client.GetServiceTicket(
"host/appservice.corp.identityintervention.com",
ApOptions.MutualRequired
);
}
}
}
public void RequestTgt()
{
var requestCounter = 0;
Task.WaitAll(Enumerable.Range(0, ConcurrentRequests).Select(taskNum => Task.Run(async() =>
{
var client = new KerberosClient();
client.PinKdc(credential.Domain, $"{overrideKdc}:{Port}");
for (var i = 0; i < AuthenticationAttempts; i++)
{
await client.Authenticate(credential);
if (DisplayProgress)
{
CountItOut(ref requestCounter);
}
}
})).ToArray());
}
public async Task ClientConnectsToServer_WithTimeout()
{
var port = NextPort();
using (var client = new KerberosClient()
{
ConnectTimeout = TimeSpan.FromMilliseconds(1)
})
{
client.Configuration.Defaults.DnsLookupKdc = false;
client.PinKdc("test", $"127.0.0.1:{port}");
try
{
await client.Authenticate(new KerberosPasswordCredential("test", "test", "test"));
}
catch (AggregateException agg)
{
throw agg.InnerExceptions.First();
}
}
}
private static async Task RequestTickets(
X509Certificate2 cert,
string user,
string password,
string overrideKdc,
string s4u,
string spn,
bool retryDH,
bool includeCNameHint,
string servicePassword,
string serviceSalt,
bool cacheToFile
)
{
KerberosCredential kerbCred;
if (cert == null)
{
kerbCred = new KerberosPasswordCredential(user, password);
}
else
{
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.Build(cert);
var kdcCerts = new List <X509Certificate2>();
for (var i = 0; i < chain.ChainElements.Count; i++)
{
var c = chain.ChainElements[i].Certificate;
if (c.Thumbprint != cert.Thumbprint)
{
kdcCerts.Add(c);
}
}
if (retryDH)
{
kerbCred = new RandomDHAsymmetricCredential(cert, user);
}
else
{
kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
}
}
var factory = LoggerFactory.Create(builder =>
{
builder.AddConsole(opt => opt.IncludeScopes = true);
builder.AddFilter <ConsoleLoggerProvider>(level => level >= LogLevel.Trace);
});
var client = new KerberosClient(logger: factory);
if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy))
{
client.Configuration.Realms[kdcProxy.DnsSafeHost].Kdc.Add(kdcProxy.OriginalString);
client.Configuration.Realms[kerbCred.Domain].Kdc.Add(kdcProxy.OriginalString);
client.Configuration.Defaults.DnsLookupKdc = false;
}
else if (!string.IsNullOrWhiteSpace(overrideKdc))
{
client.Configuration.Defaults.DnsLookupKdc = false;
client.PinKdc(kerbCred.Domain, overrideKdc);
}
if (cacheToFile)
{
client.Configuration.Defaults.DefaultCCacheName = "krb5cc";
}
KrbPrincipalName cnameHint = null;
if (includeCNameHint)
{
cnameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
}
client.RenewTickets = true;
using (client)
using (kerbCred as IDisposable)
{
await client.Authenticate(kerbCred);
spn = spn ?? "host/appservice.corp.identityintervention.com";
KrbTicket s4uTicket = null;
if (!string.IsNullOrWhiteSpace(s4u))
{
var s4uSelf = await client.GetServiceTicket(
kerbCred.UserName,
ApOptions.MutualRequired,
s4u : s4u
);
s4uTicket = s4uSelf.Ticket;
}
var session = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTicket = s4uTicket,
CNameHint = cnameHint
}
);
DumpTicket(session.ApReq);
ResetColor();
if (!retryDH)
{
try
{
await TryValidate(spn, session.ApReq, servicePassword, serviceSalt, factory);
}
catch (Exception ex)
{
W(ex.Message, ConsoleColor.Yellow);
ResetColor();
}
}
}
}
internal static async Task <List <Exception> > MultithreadedRequests(
int threads,
int requests,
bool cacheTickets,
bool encodeNego,
bool includePac,
string kdc,
X509Certificate2 cert,
KdcListener listener
)
{
var exceptions = new List <Exception>();
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
}
else
{
kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
}
KerberosClient client = CreateClient(listener, kdc);
using (kerbCred as IDisposable)
using (client)
{
client.PinKdc(kerbCred.Domain, kdc);
client.CacheServiceTickets = cacheTickets;
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() =>
{
for (var i = 0; i < requests; i++)
{
try
{
if (i % 2 == 0)
{
await client.Authenticate(kerbCred);
}
var ticket = await client.GetServiceTicket(new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
});
Assert.IsNotNull(ticket.ApReq);
await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
}
#pragma warning disable CA1031 // Do not catch general exception types
catch (Exception ex)
#pragma warning restore CA1031 // Do not catch general exception types
{
exceptions.Add(ex);
}
}
})).ToArray());
}
return(exceptions);
}
