public static IAuthDataElement ParseAuthDataElement(AuthorizationDataElement element)
{
IAuthDataElement authDataElement;
switch ((AuthorizationData_elementType)element.ad_type.Value)
{
case AuthorizationData_elementType.AD_IF_RELEVANT:
authDataElement = AdIfRelevent.Parse(element);
break;
case AuthorizationData_elementType.AD_WIN2K_PAC:
authDataElement = AdWin2KPac.Parse(element);
break;
case AuthorizationData_elementType.AD_FX_FAST_USED:
authDataElement = AdFxFastUsed.Parse(element);
break;
case AuthorizationData_elementType.KERB_AUTH_DATA_TOKEN_RESTRICTIONS:
authDataElement = KerbAuthDataTokenRestrictions.Parse(element);
break;
default:
return(null);
}
return(authDataElement);
}
public void TokenRestrictionSameMachineId_Http()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
KerbAuthDataTokenRestrictions krbAuthDataTokenRestictions = new KerbAuthDataTokenRestrictions(
0,
(uint)LSAP_TOKEN_INFO_INTEGRITY_Flags.FULL_TOKEN,
(uint)LSAP_TOKEN_INFO_INTEGRITY_TokenIL.High,
new Guid().ToString().Replace("-", ""));
AdIfRelevent adIfRelevent = new AdIfRelevent(new AD_IF_RELEVANT(new AuthorizationDataElement[] { krbAuthDataTokenRestictions.AuthDataElement }));
AuthorizationData data = new AuthorizationData(new AuthorizationDataElement[] { adIfRelevent.AuthDataElement });
client.SendTgsRequest(this.testConfig.LocalRealm.WebServer[0].HttpServiceName, options, null, null, null, data);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send TGS request");
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve a TGS response.");
BaseTestSite.Assert.IsNotNull(tgsResponse.Response.ticket, "Service ticket should not be null.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.WebServer[0].HttpServiceName,
KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
"Service principal name in service ticket should match expected.");
EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.WebServer[0].HttpServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType);
tgsResponse.DecryptTicket(key);
//tgsResponse.DecryptTicket(testConfig.LocalRealm.WebServer[0].Password, testConfig.LocalRealm.WebServer[0].ServiceSalt);
BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart, "The encrypted part of TGS-REP is decrypted.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
tgsResponse.TicketEncPart.crealm.Value.ToLower(),
"Realm name in service ticket encrypted part should match expected.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[1].Username,
KerberosUtility.PrincipalName2String(tgsResponse.TicketEncPart.cname),
"Realm name in service ticket encrypted part should match expected.");
//Assert authorization data
LinkedList<IAuthDataElement> authDataList = new LinkedList<IAuthDataElement>();
BaseTestSite.Assert.IsNotNull(tgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data.");
KerbAuthDataTokenRestrictions tokenRestrictions = FindOneInAuthData<KerbAuthDataTokenRestrictions>(tgsResponse.TicketEncPart.authorization_data.Elements);
BaseTestSite.Assert.IsNotNull(tokenRestrictions, "KerbAuthDataTokenRestrictions is inside the authorization data.");
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Http request.");
KerberosApResponse apRep = client.GetApResponseFromToken(SendAndRecieveHttpAp(this.testConfig.LocalRealm.WebServer[0], token));
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve Http response.");
}
public void ChannelBindingSuccess_Http()
{
base.Logging();
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.WebServer[0].HttpServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
BaseTestSite.Assert.IsNotNull(tgsResponse.Response.ticket, "Service ticket should not be null.");
//AP exchange part
AdAuthDataApOptions authApOptions = new AdAuthDataApOptions(KerberosConstValue.KERB_AP_OPTIONS_CBT);
AdIfRelevent adIfRelevent = new AdIfRelevent(new AD_IF_RELEVANT(new AuthorizationDataElement[] { authApOptions.AuthDataElement }));
AuthorizationData data = new AuthorizationData(new AuthorizationDataElement[] { adIfRelevent.AuthDataElement });
EncryptionKey subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
data,
subkey,
ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send Http request.");
KerberosApResponse apRep = client.GetApResponseFromToken(SendAndRecieveHttpAp(this.testConfig.LocalRealm.WebServer[0], token));
BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve Http response.");
}
