private async Task <bool> ParseKerberosHeader(OwinContext context)
{
string[] authzHeader = null;
if (!context.Request.Headers.TryGetValue("Authorization", out authzHeader) || authzHeader.Length != 1)
{
context.Response.Headers.Add("WWW-Authenticate", new[] { "Negotiate" });
context.Response.StatusCode = 401;
return(false);
}
var header = authzHeader.First();
try
{
var authenticator = new KerberosAuthenticator(validator);
var identity = await authenticator.Authenticate(header);
context.Request.User = new ClaimsPrincipal(identity);
return(true);
}
catch (Exception ex)
{
context.TraceOutput.WriteLine(ex);
return(false);
}
}
private async Task DecodeTicket(string ticket, string encryptedPassword, string name, string realm)
{
string decryptedKey = DecryptKey(encryptedPassword);
var keys = new KeyTable(
new KerberosKey(decryptedKey, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { name }))
);
var validator = new KerberosValidator(keys);
ticket = RemoveNegotiate(ticket);
var validated = await validator.Validate(Convert.FromBase64String(ticket));
var authenticator = new KerberosAuthenticator(keys);
var identity = await authenticator.Authenticate(ticket) as KerberosIdentity;
var formatted = FormatSerialize(new
{
Decrypted = validated,
Identity = new
{
identity.Name,
identity.Restrictions,
identity.ValidationMode,
Claims = identity.Claims.Select(c => new { c.Type, c.Value })
}
});
ViewData["Ticket"] = formatted;
}
private static async Task TryValidate(string spn, KrbApReq ticket, string servicePassword, string serviceSalt)
{
var encoded = ticket.EncodeApplication().ToArray();
KerberosKey kerbKey;
if (string.IsNullOrWhiteSpace(serviceSalt))
{
kerbKey = new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
ticket.Ticket.Realm,
new[] { spn }
),
saltType: SaltType.ActiveDirectoryUser
);
}
else
{
kerbKey = new KerberosKey(
servicePassword,
salt: serviceSalt,
etype: ticket.Ticket.EncryptedPart.EType,
saltType: SaltType.ActiveDirectoryService
);
}
var authenticator = new KerberosAuthenticator(new KeyTable(kerbKey));
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
DumpRestrictions(validated);
}
public async Task Authenticator_SerializedKeytab()
{
var key = new KerberosKey(
password: "******",
principalName: new PrincipalName(
PrincipalNameType.NT_SRV_INST,
"IDENTITYINTERVENTION.COM",
new[] { "host", "aadg.windows.net.nsatc.net" }
),
etype: EncryptionType.RC4_HMAC_NT
);
var keytab = new KeyTable(key);
var buffer = new MemoryStream();
keytab.Write(new BinaryWriter(buffer));
var secondKeytab = new KeyTable(buffer.ToArray());
var authenticator = new KerberosAuthenticator(
new KerberosValidator(secondKeytab)
{
ValidateAfterDecrypt = DefaultActions
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
private static async Task RequestTickets(string user, string password, string overrideKdc)
{
var kerbCred = new KerberosPasswordCredential(user, password);
KerberosClient client = new KerberosClient(overrideKdc);
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
"host/appservice.corp.identityintervention.com",
ApOptions.MutualRequired
);
var encoded = ticket.EncodeApplication().ToArray();
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { "host/appservice.corp.identityintervention.com" }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
DumpClaims(validated);
}
private async Task S4u2Self(KerberosClient client)
{
var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}");
var myTgt = myTgtEntry.KdcResponse?.Ticket;
if (myTgt == null)
{
this.IO.Writer.WriteLine(SR.Resource("CommandLine_WhoAmI_NoTgt"));
return;
}
var result = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = client.UserPrincipalName,
UserToUserTicket = myTgt,
CacheTicket = false,
}
);
var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey()));
var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication());
this.DescribeTicket(identity as KerberosIdentity);
}
public async Task KrbApReqWithoutPacLogonInfo()
{
var data = Convert.FromBase64String(ApReqWithoutPacLogonInfo);
var key = new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"corp.identityintervention.com",
new[] { "host/appservice.corp.identityintervention.com" }
),
saltType: SaltType.ActiveDirectoryUser
)
);
var authenticator = new KerberosAuthenticator(new KerberosValidator(key)
{
ValidateAfterDecrypt = DefaultActions
});
var result = await authenticator.Authenticate(data);
Assert.IsNotNull(result);
Assert.AreEqual(1, result.Claims.Count());
Assert.AreEqual("*****@*****.**", result.Name);
}
public async Task Authenticator_RoundtripKeytab()
{
var keytab = new KeyTable(ReadDataFile("sample.keytab"));
var buffer = new MemoryStream();
using (var writer = new BinaryWriter(buffer))
{
keytab.Write(writer);
var secondKeytab = new KeyTable(buffer.ToArray());
var authenticator = new KerberosAuthenticator(
new KerberosValidator(secondKeytab)
{
ValidateAfterDecrypt = DefaultActions
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
}
private void CreateAuthenticator(SpnegoAuthenticationOptions options)
{
if (Options.PrincipalPassword != null)
{
_authenticator = new KerberosAuthenticator(new KerberosValidator(new KerberosKey(options.PrincipalPassword)));
}
else
{
_authenticator = new KerberosAuthenticator(new KeyTable(File.ReadAllBytes(Options.KeytabFile)));
}
_authenticator.UserNameFormat = UserNameFormat.DownLevelLogonName;
if (Options.Ldap.Server != null && Options.Ldap.Username != null && Options.Ldap.Password != null)
{
try
{
using var cn = new LdapConnection();
cn.Connect(Options.Ldap.Server, Options.Ldap.Port);
cn.Bind(Options.Ldap.Username, Options.Ldap.Password);
_sidsToGroupNames = cn.Search(Options.Ldap.GroupsQuery, LdapConnection.ScopeSub, options.Ldap.Filter, null, false)
.ToDictionary(x => new SecurityIdentifier(x.GetAttribute("objectSid").ByteValue, 0), x => x.GetAttribute("sAMAccountName").StringValue);
_groupsLoaded = true;
}
catch (Exception e)
{
throw new AuthenticationException("Failed to load groups from LDAP", e);
}
}
}
protected static async Task ValidateTicket(
ApplicationSessionContext context,
bool encodeNego = false,
bool includePac = true,
string spn = FakeAppServiceSpn
)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var ticket = context.ApReq;
byte[] encoded;
if (encodeNego)
{
encoded = ticket.EncodeGssApi().ToArray();
}
else
{
encoded = ticket.EncodeApplication().ToArray();
}
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
FakeAdminAtCorpPassword,
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { spn }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
Assert.IsNotNull(validated);
var sidClaim = validated.FindFirst(ClaimTypes.Sid);
if (includePac)
{
Assert.AreEqual("S-1-5-123-456-789-12-321-888", sidClaim?.Value);
}
else
{
Assert.IsNull(sidClaim);
}
var sessionKey = context.AuthenticateServiceResponse(validated.ApRep);
Assert.IsNotNull(sessionKey);
}
private KerberosAuthenticator CreateAuthenticator()
{
// This could be done with DI and a factory pattern, but we're keeping it simple here.
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Options.Domain, new[] { Options.UserName });
var key = new KerberosKey(Options.Password, principalName, Options.Password);
var validator = new KerberosValidator(key);
var authenticator = new KerberosAuthenticator(validator);
return(authenticator);
}
private void CreateAuthenticator(SpnegoAuthenticationOptions options)
{
if (Options.PrincipalPassword != null)
{
_authenticator = new KerberosAuthenticator(new KerberosValidator(new KerberosKey(options.PrincipalPassword)));
}
else
{
_authenticator = new KerberosAuthenticator(new KeyTable(File.ReadAllBytes(Options.KeytabFile)));
}
_authenticator.UserNameFormat = UserNameFormat.DownLevelLogonName;
}
public async Task Authenticator_DownLevelNameFormat()
{
var authenticator = new KerberosAuthenticator(
new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
});
authenticator.UserNameFormat = UserNameFormat.DownLevelLogonName;
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual(@"IDENTITYINTER\Administrator", result.Name);
}
private static async Task RequestTickets(string user, string password, string overrideKdc, string s4u, string spn)
{
var kerbCred = new KerberosPasswordCredential(user, password);
using (KerberosClient client = new KerberosClient(overrideKdc))
{
await client.Authenticate(kerbCred);
spn = spn ?? "host/appservice.corp.identityintervention.com";
KrbTicket s4uTicket = null;
if (!string.IsNullOrWhiteSpace(s4u))
{
var s4uSelf = await client.GetServiceTicket(
kerbCred.UserName,
ApOptions.MutualRequired,
s4u : s4u
);
s4uTicket = s4uSelf.Ticket;
}
var ticket = await client.GetServiceTicket(
spn,
ApOptions.MutualRequired,
s4uTicket : s4uTicket
);
var encoded = ticket.EncodeApplication().ToArray();
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { spn }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
DumpClaims(validated);
}
}
private async Task S4u2Self(KerberosClient client)
{
if (client.Cache is LsaCredentialCache)
{
this.WriteLineError("The whoami command isn't supported with the LSA Cache");
return;
}
var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}");
var myTgt = myTgtEntry.KdcResponse?.Ticket;
if (myTgt == null)
{
this.WriteHeader(SR.Resource("CommandLine_WhoAmI_NoTgt"));
return;
}
try
{
var result = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = client.UserPrincipalName,
UserToUserTicket = myTgt,
CacheTicket = false,
S4uTarget = client.UserPrincipalName
}
);
var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey()));
var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication());
this.DescribeTicket(identity as KerberosIdentity);
}
catch (KerberosProtocolException kex)
{
this.WriteLine();
this.WriteLine(1, "{ErrorCode}: {ErrorText}", kex.Error.ErrorCode, kex.Error.ETextWithoutCode());
if (kex.Error.ErrorCode == KerberosErrorCode.KRB_AP_ERR_TKT_EXPIRED)
{
this.WriteLine();
this.WriteLine(1, SR.Resource("CommandLine_WhoAmI_NoTgt"));
}
}
}
public async Task TestAuthenticator()
{
var authenticator = new KerberosAuthenticator(new KerberosValidator(new KeyTable(File.ReadAllBytes("data\\sample.keytab")))
{
ValidateAfterDecrypt = ValidationActions.Replay
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
public async Task Authenticator_Default()
{
var authenticator = new KerberosAuthenticator(
new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
public async Task <ClaimsIdentity> Authenticate(IKeyIdentifier id, string token, string scheme = null)
{
var key = await storage.GetKey(id);
var kerbKey = key.RetrieveKey <byte[]>();
var validator = new KerberosValidator(
new KeyTable(
new KerberosKey(kerbKey)
)
);
var authenticator = new KerberosAuthenticator(validator);
return(await authenticator.Authenticate(token));
}
public async Task AuthenticatorGetsAsRep()
{
var authenticator = new KerberosAuthenticator(
new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
});
Assert.IsNotNull(authenticator);
var result = await authenticator.Authenticate(RC4Header) as KerberosIdentity;
Assert.IsNotNull(result);
Assert.IsNotNull(result.ApRep);
}
private async Task <KerberosIdentity> ProcessAsMiddleBox(Krb5Config config, ILoggerFactory logger, ApplicationSessionContext serviceTicket)
{
var serviceCred = new KerberosPasswordCredential(this.ServicePrincipalSamAccountName, this.ServicePrincipalNamePassword, serviceTicket.ApReq.Ticket.Realm);
var ping = await KerberosPing.Ping(serviceCred, config, logger);
serviceCred.IncludePreAuthenticationHints(ping.Error.DecodePreAuthentication());
var keytab = new KeyTable(serviceCred.CreateKey());
var authenticator = new KerberosAuthenticator(this.ServicePrincipalSamAccountName, keytab, config, logger);
var identity = await authenticator.Authenticate(serviceTicket.ApReq.EncodeGssApi()) as KerberosIdentity;
return(identity);
}
private static async Task <KerberosIdentity> GenerateAuthZ()
{
var authenticator = new KerberosAuthenticator(new KerberosValidator(new KerberosKey("P@ssw0rd!"))
{
ValidateAfterDecrypt = DefaultActions
});
var authenticated = await authenticator.Authenticate(Convert.FromBase64String(TicketContainingDelegation));
Assert.IsNotNull(authenticated);
var identity = authenticated as KerberosIdentity;
Assert.IsNotNull(identity);
return(identity);
}
private async Task ParseKerberosHeader(OwinContext context)
{
string[] authzHeader = null;
if (!context.Request.Headers.TryGetValue("Authorization", out authzHeader) || authzHeader.Length != 1)
{
return;
}
var header = authzHeader.First();
var authenticator = new KerberosAuthenticator(validator);
var identity = await authenticator.Authenticate(header);
context.Request.User = new ClaimsPrincipal(identity);
}
public async Task TestValidatorClaimsPresent()
{
var validator = new KerberosValidator(new KeyTable(ReadFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(RC4Ticket);
Assert.IsNotNull(result);
Assert.IsTrue(result.Claims.Count() > 0);
var validation = result.Claims.First(c => c.Type == "Validated");
Assert.AreEqual("ClientPrincipalIdentifier Realm Replay Pac", validation.Value);
}
public async Task TestParseClaims()
{
var validator = new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(RC4Ticket_Claims);
Assert.IsNotNull(result);
Assert.IsTrue(result.Claims.Count() > 0);
Assert.IsTrue(result.Claims.Any(c => c.Type == "ad://ext/employeeType:88d4d68c56082042" && c.Value == "lazy"));
Assert.AreEqual(2, result.Claims.Count(c => c.Type == "ad://ext/localeID:88d4d68c6aa51687"));
}
private static async Task ValidateTicket(ApplicationSessionContext context, bool encodeNego = false)
{
var ticket = context.ApReq;
byte[] encoded;
if (encodeNego)
{
encoded = ticket.EncodeGssApi().ToArray();
}
else
{
encoded = ticket.EncodeApplication().ToArray();
}
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { "host/appservice.corp.identityintervention.com" }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
Assert.IsNotNull(validated);
Assert.AreEqual(validated.FindFirst(ClaimTypes.Sid).Value, "S-1-5-123-456-789-12-321-888");
var sessionKey = context.AuthenticateServiceResponse(validated.ApRep);
Assert.IsNotNull(sessionKey);
}
private static async Task TryValidate(string spn, KrbApReq ticket)
{
var encoded = ticket.EncodeApplication().ToArray();
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { spn }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
DumpClaims(validated);
}
public async Task KrbCredImportsAndPassesAuthenticatorValidation()
{
var krbCred = CreateKrbCredential();
using (var client = new KerberosClient())
{
client.ImportCredential(krbCred);
var serviceTicket = await client.GetServiceTicket("host/test.com");
Assert.IsNotNull(serviceTicket);
var encodedTicket = "Negotiate " + Convert.ToBase64String(serviceTicket.EncodeGssApi().ToArray());
var authenticator = new KerberosAuthenticator(new KeyTable(new KerberosKey(new byte[16], etype: EncryptionType.AES128_CTS_HMAC_SHA1_96)));
var result = await authenticator.Authenticate(encodedTicket);
Assert.IsNotNull(result);
Assert.AreEqual("*****@*****.**", result.Name);
}
}
private static async System.Threading.Tasks.Task MainAsync()
{
foreach (var f in Files)
{
var data = File.ReadAllBytes("data\\" + f.Key);
var key = File.ReadAllBytes("data\\" + f.Value);
W($"Decrypting {f.Key} with key {f.Value}", ConsoleColor.Green);
var validator = new KerberosValidator(key)
{
//Logger = W,
ValidateAfterDecrypt = ValidationActions.Replay
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(data);
;
if (result == null)
{
throw new InvalidDataException("Could not decrypt token");
}
foreach (var c in result.Claims.OrderBy(c => c.Type))
{
W($"{c.Type}: {c.Value}");
}
W("");
;
}
;
}
private static async Task AssertDecode(byte[] data, byte[] key, EncryptionType etype)
{
var validator = new IntrospectiveValidator(key)
{
ValidateAfterDecrypt = DefaultActions
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(data);
Assert.IsNotNull(result);
Assert.IsTrue(result.Claims.Count() > 0);
Assert.AreEqual("Kerberos", result.AuthenticationType);
Assert.AreEqual("*****@*****.**", result.Name);
Assert.IsNotNull(validator.Data);
Assert.AreEqual(etype, validator.Data.EType);
}
public async Task TestValidatorClaimsPresent()
{
var validator = new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab")))
{
ValidateAfterDecrypt = DefaultActions
};
var authenticator = new KerberosAuthenticator(validator);
var result = await authenticator.Authenticate(RC4Ticket_Claims);
Assert.IsNotNull(result);
var kerbIdentity = result as KerberosIdentity;
Assert.IsNotNull(kerbIdentity);
Assert.IsTrue(result.Claims.Count() > 0);
Assert.IsFalse(result.Claims.Any(c => c.Type == "Validated"));
Assert.AreEqual(DefaultActions, kerbIdentity.ValidationMode);
}
