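/// <summary>
/// Decrypts the referral TGT fixture held in <c>ReferralTicket</c> with a fixed test key for the
/// krbtgt principal and checks the client name, client realm and PAC logon user id it carries.
/// </summary>
public void DecryptReferralTgt()
{
    // The fixture is stored as base64 and decoded as an AP-REQ structure.
    var ticket = KrbApReq.DecodeApplication(Convert.FromBase64String(ReferralTicket));

    var apreq = new DecryptedKrbApReq(ticket, MessageType.KRB_AS_REQ);

    // Test-only key material: a hard-coded password literal for the krbtgt principal of the
    // fixture realm. NOTE(review): confirm this password is used only by the test realm.
    var key = new KerberosKey(
        "P@ssw0rd!",
        new PrincipalName(
            PrincipalNameType.NT_SRV_INST,
            CRealm,
            new[] { "krbtgt", "TEST.IDENTITYINTERVENTION.COM" }
        ),
        saltType: SaltType.Rfc4120
    );

    apreq.Decrypt(key);

    Assert.IsNotNull(apreq.Ticket);

    Assert.AreEqual("Administrator", apreq.Ticket.CName.FullyQualifiedName);
    Assert.AreEqual(CRealm, apreq.Ticket.CRealm);

    // Assert each lookup before dereferencing it, so a ticket without the expected
    // authorization data fails with a readable message instead of a NullReferenceException.
    Assert.IsNotNull(apreq.Ticket.AuthorizationData, "Decrypted ticket carries no authorization data.");

    var adIfRelevant = apreq.Ticket.AuthorizationData
        .FirstOrDefault(f => f.Type == AuthorizationDataType.AdIfRelevant);

    Assert.IsNotNull(adIfRelevant, "No AD-IF-RELEVANT entry in the ticket's authorization data.");

    var adif = adIfRelevant.DecodeAdIfRelevant();

    var pacEntry = adif.FirstOrDefault(f => f.Type == AuthorizationDataType.AdWin2kPac);

    Assert.IsNotNull(pacEntry, "No AD-WIN2K-PAC entry inside AD-IF-RELEVANT.");

    var pac = new PrivilegedAttributeCertificate(pacEntry);

    Assert.IsNotNull(pac);
    Assert.IsNotNull(pac.LogonInfo, "PAC was decoded without logon info.");

    // 500 is the well-known RID of the built-in Administrator account, matching the CName above.
    // Only the decoded logon info is asserted here; PAC signatures are not checked by this test.
    Assert.AreEqual(500u, pac.LogonInfo.UserId);
}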
/// <summary>
/// Decodes <paramref name="bytes"/> as an AP-REQ and hands the decoded object to
/// <c>ExplodeObject</c> with the label "AP-REQ".
/// </summary>
/// <param name="bytes">Encoded message passed to <c>KrbApReq.DecodeApplication</c>.</param>
/// <param name="parentNode">Tree node forwarded to <c>ExplodeObject</c>.</param>
private static void DecodeAsApReq(byte[] bytes, TreeNode parentNode)
{
    // No try/catch here: anything the decoder throws for input it rejects reaches the caller.
    ExplodeObject(KrbApReq.DecodeApplication(bytes), "AP-REQ", parentNode);
}