public void TryGettingSspiTicketTest() { using (var contextSender = new SspiContext($"host/{Environment.MachineName}", "negotiate")) using (var contextReceiver = new SspiContext($"host/{Environment.MachineName}", "negotiate")) { byte[] token = null; byte[] serverResponse = null; do { token = contextSender.RequestToken(serverResponse); Assert.IsNotNull(token); if (token != null && token.Length > 0) { contextReceiver.AcceptToken(token, out serverResponse); Assert.IsNotNull(serverResponse); } }while (token != null && token.Length > 0); var serverContext = NegotiationToken.Decode(serverResponse); Assert.IsNotNull(serverContext); Assert.IsNotNull(serverContext.ResponseToken); Assert.IsNull(serverContext.InitialToken); Assert.IsNotNull(contextSender.SessionKey); Assert.IsTrue(KerberosCryptoTransformer.AreEqualSlow(contextSender.SessionKey, contextReceiver.SessionKey)); } }
// https://github.com/SteveSyfuhs/Kerberos.NET/issues/89 // // "However, if you're looking to create a KerberosClient and just grab credentials // off the currently logged on user in Windows then you should just use SSPI. // There's no way to extract the credentials from Windows (by design) to use in the initial // authentication of the client, and it's not intended to be a wrapper around SSPI." // // and that same code works both for .NET Framework and .NET Core public byte[] GetToken(string spn, string username, string password, string domain) { SspiContext context; if (username == null) { context = new SspiContext(spn); } else { var credential = new SuppliedCredential(username, password, domain); context = new SspiContext(spn, credential); } using (context) { return(context.RequestToken()); } // kept for reference below, the way to do it that *only* works with .NET Framework /* * * using System.IdentityModel.Selectors; * using System.IdentityModel.Tokens; * using System.Net; * using System.Security; * using System.Security.Principal; * * var tokenProvider = _username == null * ? new KerberosSecurityTokenProvider(_spn, TokenImpersonationLevel.Identification) * : new KerberosSecurityTokenProvider(_spn, TokenImpersonationLevel.Identification, new NetworkCredential(_username, _password, _domain)); * * var timeout = TimeSpan.FromSeconds(30); * * byte[] tokenBytes; * try * { * if (!(tokenProvider.GetToken(timeout) is KerberosRequestorSecurityToken token)) * throw new InvalidOperationException("Token is not KerberosRequestorSecurityToken."); * tokenBytes = token.GetRequest(); * } * catch (Exception e) * { * throw new SecurityException("Failed to get a Kerberos token.", e); * } * * return _credentials = new KerberosCredentials(tokenBytes); * */ }
private static void RetrieveAndVerifyTicket() { using (SspiContext context = new SspiContext(RequestedSpn)) { var ticket = context.RequestToken(); var token = MessageParser.ParseKerberos(ticket); var decryptedToken = token.DecryptApReq(new KeyTable(Key)); Assert.AreEqual("*****@*****.**", decryptedToken.Ticket.CName.FullyQualifiedName); Assert.AreEqual("test.com", decryptedToken.Ticket.CRealm); } }
private void RequestLocalTicket() { if (string.IsNullOrWhiteSpace(hostName)) { SetHost(); txtHost.Text = hostName; } SspiContext context = new SspiContext(spn: hostName); byte[] tokenBytes = context.RequestToken(); txtTicket.Text = Convert.ToBase64String(tokenBytes); }
public void TryGettingSspiTicketTest() { using (var contextSender = new SspiContext($"host/{Environment.MachineName}", "Negotiate")) using (var contextReceiver = new SspiContext($"host/{Environment.MachineName}", "Negotiate")) { var token = contextSender.RequestToken(); Assert.IsNotNull(token); var contextToken = MessageParser.Parse <NegotiateContextToken>(token); Assert.IsNotNull(contextToken); contextReceiver.AcceptToken(token, out byte[] serverResponse); Assert.IsNotNull(serverResponse); var serverContext = NegotiationToken.Decode(serverResponse); Assert.IsNotNull(serverContext); Assert.IsNotNull(serverContext.ResponseToken); Assert.IsNull(serverContext.InitialToken); } }