public void LocateKey_NoSalts()
{
var cred = new KeytabCredential("*****@*****.**", new KeyTable(Aes128Key, RC4Key));
var key = cred.CreateKey();
Assert.IsNotNull(key);
Assert.AreEqual(EncryptionType.RC4_HMAC_NT, key.EncryptionType);
}
public void LocateKey_AesSalts()
{
var cred = new KeytabCredential("*****@*****.**", new KeyTable(Aes128Key, RC4Key))
{
Salts = new[] { KeyValuePair.Create(EncryptionType.AES128_CTS_HMAC_SHA1_96, "asfsdz") }
};
var key = cred.CreateKey();
Assert.IsNotNull(key);
Assert.AreEqual(EncryptionType.AES128_CTS_HMAC_SHA1_96, key.EncryptionType);
}
private static async Task RequestAndValidateTickets(
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user);
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
using (var client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
})
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var spn = FakeAppServiceSpn;
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac);
}
}
public void CreateKey()
{
var cred = new KeytabCredential("sdfsdf", new KeyTable(), "sdfsdf");
Assert.IsNotNull(cred);
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
}
}
static async Task Main(string[] args)
{
loggerFactory = LoggerFactory.Create(builder =>
{
builder
.AddFilter("Microsoft", LogLevel.Warning)
.AddFilter("System", LogLevel.Warning)
.AddFilter("RestNegotiateClient.Program", LogLevel.Debug)
.AddFilter("Kerberos.Net", LogLevel.Trace)
.AddConsole(delegate(ConsoleLoggerOptions d) { });
});
logger = loggerFactory.CreateLogger <Program>();
/*CommandLineArguments parsedArgs = new CommandLineArguments(args);
* String url = (String) parsedArgs.GetValueOrDefault("");
* if (!parsedArgs.ContainsKey("keytab")) {
* await Console.Error.WriteLineAsync("Syntax: RestNegotiateClient --keytab <keytab> --principal <principal> <url>");
* return;
* }
* String keytab = (String) parsedArgs.GetValueOrDefault("keytab", "krb5.keytab");
* String principal = (String) parsedArgs.GetValueOrDefault("principal", "cud/[email protected]");*/
String keytab = args[0];
String principal = args[1];
String url = args[2];
String outfile = args[3];
Console.Error.WriteLine("keytab={0}, principal={1}, url={2}", keytab, principal, url, outfile);
// Check URL is syntactically valid
Uri uri = null;
if (!Uri.TryCreate(url, UriKind.Absolute, out uri))
{
throw new ArgumentException(String.Format("Invalid URL: {0}", url));
}
var client = new KerberosClient("kdc0.ox.ac.uk", loggerFactory);
client.AuthenticationOptions ^= AuthenticationOptions.Canonicalize;
var udp = client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault();
udp.Enabled = true;
var keyTable = new KeyTable(File.ReadAllBytes(keytab));
var kerbCred = new KeytabCredential(principal, keyTable, "OX.AC.UK");
logger.LogDebug("User name: {0}", kerbCred.UserName);
await client.Authenticate(kerbCred);
logger.LogDebug("Authenticated!");
// Now get a service ticket for the HTTP server and perform the request
String serverPrincipal = String.Format("HTTP/{0}", uri.DnsSafeHost);
var ticket = await client.GetServiceTicket(serverPrincipal);
String spnego = Convert.ToBase64String(ticket.EncodeGssApi().ToArray());
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", spnego);
using (var outStream = File.Open(outfile, FileMode.Create)) {
var httpStream = await httpClient.GetStreamAsync(uri);
await httpStream.CopyToAsync(outStream);
}
}
internal static async Task RequestAndValidateTicketsWithCaches(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null,
bool useKrb5TicketCache = false
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(
listener,
overrideKdc,
caching: caching,
allowWeakCrypto: allowWeakCrypto,
useWeakCrypto: useWeakCrypto,
useKrb5TicketCache: useKrb5TicketCache
);
using (kerbCred as IDisposable)
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0,
S4uTarget = s4u,
S4uTicket = s4uTicket
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
}
if (user.Contains("-fallback"))
{
Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType);
}
else
{
Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType);
}
}
