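        /// <summary>
        /// Authenticates with a password or certificate credential, obtains a service
        /// ticket for <paramref name="spn"/> (optionally through an S4U2Self ticket for
        /// <paramref name="s4u"/>), dumps it and, unless <paramref name="retryDH"/> is set,
        /// tries to validate it with the service key via <c>TryValidate</c>.
        /// </summary>
        /// <param name="cert">Client certificate; when null a password credential is built from <paramref name="user"/> and <paramref name="password"/>.</param>
        /// <param name="user">Principal name used for the credential.</param>
        /// <param name="password">Password; only read when <paramref name="cert"/> is null.</param>
        /// <param name="overrideKdc">An http(s) URI selects a KDC proxy; any other value is passed to the <c>KerberosClient</c> constructor unchanged.</param>
        /// <param name="s4u">Principal to obtain an S4U2Self ticket for; skipped when blank.</param>
        /// <param name="spn">Target service principal; a sample SPN is substituted when null.</param>
        /// <param name="retryDH">Use the DH-based asymmetric credential and skip <c>TryValidate</c>.</param>
        /// <param name="includeCNameHint">Set the client's CNameHint from the credential's user name and domain.</param>
        /// <param name="servicePassword">Service key material handed to <c>TryValidate</c>.</param>
        /// <param name="serviceSalt">Salt handed to <c>TryValidate</c>.</param>
        private static async Task RequestTickets(
            X509Certificate2 cert,
            string user,
            string password,
            string overrideKdc,
            string s4u,
            string spn,
            bool retryDH,
            bool includeCNameHint,
            string servicePassword,
            string serviceSalt
            )
        {
            // The certificate goes straight to the asymmetric credential. The previous
            // version also walked an X509Chain for it and collected the issuer
            // certificates into a list nothing ever read; that dead code (which also
            // leaked the undisposed chain) is gone.
            KerberosCredential kerbCred;

            if (cert == null)
            {
                kerbCred = new KerberosPasswordCredential(user, password);
            }
            else if (retryDH)
            {
                kerbCred = new RandomDHAsymmetricCredential(cert, user);
            }
            else
            {
                kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
            }

            KerberosClient client;

            // Only an http(s) URI is a KDC proxy. Uri.TryCreate(..., Absolute) also accepts
            // "host:port" (the host part parses as a scheme), so the scheme is checked
            // explicitly to keep plain KDC endpoints on the direct path below.
            if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy)
                && (kdcProxy.Scheme == Uri.UriSchemeHttps || kdcProxy.Scheme == Uri.UriSchemeHttp))
            {
                // Index initializers tolerate the proxy host and the credential's realm
                // being the same name; the Add-style initializer threw on the duplicate key.
                var kdcProxyTransport = new HttpsKerberosTransport()
                {
                    DomainPaths = new Dictionary<string, Uri>
                    {
                        [kdcProxy.DnsSafeHost.ToLowerInvariant()] = kdcProxy,
                        [kerbCred.Domain.ToLowerInvariant()] = kdcProxy
                    }
                };

                client = new KerberosClient(null, kdcProxyTransport);
            }
            else
            {
                client = new KerberosClient(overrideKdc);
            }

            if (includeCNameHint)
            {
                client.CNameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
            }

            // Only some credential types are disposable; "as IDisposable" yields null
            // (and a no-op using) for the others.
            using (client)
            using (kerbCred as IDisposable)
            {
                await client.Authenticate(kerbCred);

                W("AS-REQ Succeeded", ConsoleColor.Green);

                // Sample default target; replace when running against a real service.
                spn = spn ?? "host/appservice.corp.identityintervention.com";

                KrbTicket s4uTicket = null;

                if (!string.IsNullOrWhiteSpace(s4u))
                {
                    // S4U2Self: a ticket to ourselves on behalf of s4u, later passed as
                    // evidence in the request for the real service ticket.
                    var s4uSelf = await client.GetServiceTicket(
                        kerbCred.UserName,
                        ApOptions.MutualRequired,
                        s4u: s4u
                        );

                    s4uTicket = s4uSelf.Ticket;
                }

                var ticket = await client.GetServiceTicket(
                    spn,
                    ApOptions.MutualRequired,
                    s4uTicket: s4uTicket
                    );

                DumpTicket(ticket);

                ResetColor();

                if (!retryDH)
                {
                    try
                    {
                        await TryValidate(spn, ticket, servicePassword, serviceSalt);
                    }
                    catch (Exception ex)
                    {
                        // Validation is best-effort in the sample: report and continue.
                        W(ex.Message, ConsoleColor.Yellow);

                        ResetColor();
                    }
                }
            }
        }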
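        /// <summary>
        /// Authenticates with a password or certificate credential, obtains a service
        /// ticket for <paramref name="spn"/> (optionally through an S4U2Self ticket for
        /// <paramref name="s4u"/>), dumps the resulting AP-REQ and, unless
        /// <paramref name="retryDH"/> is set, tries to validate it via <c>TryValidate</c>.
        /// </summary>
        /// <param name="cert">Client certificate; when null a password credential is built from <paramref name="user"/> and <paramref name="password"/>.</param>
        /// <param name="user">Principal name used for the credential.</param>
        /// <param name="password">Password; only read when <paramref name="cert"/> is null.</param>
        /// <param name="overrideKdc">An http(s) URI is registered as a KDC proxy for both its host and the credential's realm; any other non-blank value is pinned as the realm's KDC. Blank leaves DNS lookup in place.</param>
        /// <param name="s4u">Principal to obtain an S4U2Self ticket for; skipped when blank.</param>
        /// <param name="spn">Target service principal; a sample SPN is substituted when null.</param>
        /// <param name="retryDH">Use the DH-based asymmetric credential and skip <c>TryValidate</c>.</param>
        /// <param name="includeCNameHint">Attach a CNameHint built from the credential's user name and domain to the TGS request.</param>
        /// <param name="servicePassword">Service key material handed to <c>TryValidate</c>.</param>
        /// <param name="serviceSalt">Salt handed to <c>TryValidate</c>.</param>
        /// <param name="cacheToFile">Point the client's default credential cache at the file name "krb5cc".</param>
        private static async Task RequestTickets(
            X509Certificate2 cert,
            string user,
            string password,
            string overrideKdc,
            string s4u,
            string spn,
            bool retryDH,
            bool includeCNameHint,
            string servicePassword,
            string serviceSalt,
            bool cacheToFile
            )
        {
            // The certificate goes straight to the asymmetric credential. The previous
            // version also walked an X509Chain for it and collected the issuer
            // certificates into a list nothing ever read; that dead code (which also
            // leaked the undisposed chain) is gone.
            KerberosCredential kerbCred;

            if (cert == null)
            {
                kerbCred = new KerberosPasswordCredential(user, password);
            }
            else if (retryDH)
            {
                kerbCred = new RandomDHAsymmetricCredential(cert, user);
            }
            else
            {
                kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
            }

            // Console logging at Trace level, scopes included.
            // NOTE(review): check what the client emits at Trace before copying this
            // logger setup out of the sample.
            var factory = LoggerFactory.Create(builder =>
            {
                builder.AddConsole(opt => opt.IncludeScopes = true);
                builder.AddFilter<ConsoleLoggerProvider>(level => level >= LogLevel.Trace);
            });

            var client = new KerberosClient(logger: factory);

            // Only an http(s) URI is a KDC proxy. Uri.TryCreate(..., Absolute) also accepts
            // "host:port" (the host part parses as a scheme), so the scheme is checked
            // explicitly so that plain KDC endpoints reach the PinKdc branch instead.
            if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy)
                && (kdcProxy.Scheme == Uri.UriSchemeHttps || kdcProxy.Scheme == Uri.UriSchemeHttp))
            {
                client.Configuration.Realms[kdcProxy.DnsSafeHost].Kdc.Add(kdcProxy.OriginalString);

                // Skip the second registration when it would hit the very same realm entry.
                if (!string.Equals(kdcProxy.DnsSafeHost, kerbCred.Domain, StringComparison.Ordinal))
                {
                    client.Configuration.Realms[kerbCred.Domain].Kdc.Add(kdcProxy.OriginalString);
                }

                client.Configuration.Defaults.DnsLookupKdc = false;
            }
            else if (!string.IsNullOrWhiteSpace(overrideKdc))
            {
                client.Configuration.Defaults.DnsLookupKdc = false;
                client.PinKdc(kerbCred.Domain, overrideKdc);
            }

            if (cacheToFile)
            {
                // Relative name as written; resolved by the client, not here.
                client.Configuration.Defaults.DefaultCCacheName = "krb5cc";
            }

            KrbPrincipalName cnameHint = null;

            if (includeCNameHint)
            {
                cnameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
            }

            client.RenewTickets = true;

            // Only some credential types are disposable; "as IDisposable" yields null
            // (and a no-op using) for the others.
            using (client)
            using (kerbCred as IDisposable)
            {
                await client.Authenticate(kerbCred);

                // Sample default target; replace when running against a real service.
                spn = spn ?? "host/appservice.corp.identityintervention.com";

                KrbTicket s4uTicket = null;

                if (!string.IsNullOrWhiteSpace(s4u))
                {
                    // S4U2Self: a ticket to ourselves on behalf of s4u, later passed as
                    // evidence in the request for the real service ticket.
                    var s4uSelf = await client.GetServiceTicket(
                        kerbCred.UserName,
                        ApOptions.MutualRequired,
                        s4u: s4u
                        );

                    s4uTicket = s4uSelf.Ticket;
                }

                var session = await client.GetServiceTicket(
                    new RequestServiceTicket
                    {
                        ServicePrincipalName = spn,
                        ApOptions = ApOptions.MutualRequired,
                        S4uTicket = s4uTicket,
                        CNameHint = cnameHint
                    }
                    );

                DumpTicket(session.ApReq);

                ResetColor();

                if (!retryDH)
                {
                    try
                    {
                        await TryValidate(spn, session.ApReq, servicePassword, serviceSalt, factory);
                    }
                    catch (Exception ex)
                    {
                        // Validation is best-effort in the sample: report and continue.
                        W(ex.Message, ConsoleColor.Yellow);

                        ResetColor();
                    }
                }
            }
        }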