public void UnsupportedFastArmorType() { base.Logging(); client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); // Switch to user principal client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[2].Username, this.testConfig.LocalRealm.User[2].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; string timeStamp2 = KerberosUtility.CurrentKerberosTime.Value; PaFxFastReq paFxReq = new PaFxFastReq(null); Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { (paFxReq.Data) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions, 0); KerberosKrbError krbError3 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError3.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_FAILED, "Pre-authentication failed."); }
public void KrbFastFinishedTgsRep() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); client.SendTgsRequestWithFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions); KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted."); //Verify KrbFastFinished. KrbFastFinished fastFinishedTgs = null; BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.padata, "The padata of AS-REP is not null."); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.padata.Elements, "The padata of AS-REP is not empty."); foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements) { var parsedPaData = PaDataParser.ParseRepPaData(paData); if (parsedPaData is PaFxFastRep) { var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep(); var kerbFastRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey); fastFinishedTgs = kerbFastRep.FastResponse.finished; break; } } BaseTestSite.Assert.IsNotNull(fastFinishedTgs, "The finished field contains a KrbFastFinished structure."); Asn1BerEncodingBuffer buf2 = new Asn1BerEncodingBuffer(); userKrbTgsRep.Response.ticket.BerEncode(buf2); Checksum ticketChecksumTgs = new Checksum(new KerbInt32((long)KerberosUtility.GetChecksumType(client.Context.SelectedEType)), new Asn1OctetString(KerberosUtility.GetChecksum( client.Context.FastArmorkey.keyvalue.ByteArrayValue, buf2.Data, (int)KeyUsageNumber.FAST_FINISHED, KerberosUtility.GetChecksumType(client.Context.SelectedEType)))); BaseTestSite.Assert.IsTrue( KerberosUtility.CompareChecksum(fastFinishedTgs.ticket_checksum, ticketChecksumTgs), "The ticket checksum is correct."); }
public void StrengthenKey() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with no PA data."); KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve preauthentication required error."); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp."); string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response."); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS response is decrypted."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart.key, "AS response should contain a session key."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Switch to user principal."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("Construct Kerberos client using user account: {0}.", this.testConfig.LocalRealm.User[1].Username)); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored AS request with no pre-authentication padata."); var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncryptedChallenge."); var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); PaPacRequest paPacRequest = new PaPacRequest(true); Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data }); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response."); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart, "The encrypted part of AS response is decrypted."); BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart.key, "AS response should contain a session key."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request."); client.SendTgsRequestWithFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve TGS response."); KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response, "The Response pare of TGS-REP is not null."); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response.padata, "The Padata of TGS-REP is not null."); EncryptionKey strengthenKey = null; foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements) { var parsedPaData = PaDataParser.ParseRepPaData(paData); if (parsedPaData is PaFxFastRep) { var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep(); var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey); strengthenKey = kerbRep.FastResponse.strengthen_key; } } BaseTestSite.Assert.IsNotNull(strengthenKey, "Strengthen key field must be set in TGS-REP."); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted."); }
public void AdFxFastUsedInAuthenticator() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send unarmored TGS request with AD-fx-fast-used."); AdFxFastUsed adFxFastUsed = new AdFxFastUsed(); AuthorizationData authData = new AuthorizationData(new AuthorizationDataElement[] { adFxFastUsed.AuthDataElement }); client.SendTgsRequest(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, authData); BaseTestSite.Log.Add(LogEntryKind.Comment, "Receive TGS Error, KDC MUST reject the request."); KerberosKrbError krbError = client.ExpectKrbError(); }
public void FastKrb_Error() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with no PA data."); KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve preauthentication required error."); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp."); string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response."); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS response is decrypted."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart.key, "AS response should contain a session key."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Switch to user principal."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("Construct Kerberos client using user account: {0}.", this.testConfig.LocalRealm.User[1].Username)); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored AS request with no pre-authentication padata."); var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncryptedChallenge."); var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); var invalidKey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Invalid", "this is a salt"); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.ToString(), 0, invalidKey, userKey); PaPacRequest paPacRequest = new PaPacRequest(true); Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data }); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response."); KerberosKrbError error = client.ExpectKrbError(); BaseTestSite.Assert.IsNotNull(error.KrbError.e_data, "E_data is not null"); Asn1SequenceOf<PA_DATA> seqOfPadata = new Asn1SequenceOf<PA_DATA>(); seqOfPadata.BerDecode(new Asn1DecodingBuffer(error.KrbError.e_data.ByteArrayValue)); var padataCount = seqOfPadata.Elements.Length; PaFxFastRep paFxFastRep = null; for (int i = 0; i < padataCount; i++) { var padata = PaDataParser.ParseRepPaData(seqOfPadata.Elements[i]); //Fix me: PaETypeInfo is also possible if (padata is PaFxFastRep) { paFxFastRep = padata as PaFxFastRep; } } BaseTestSite.Assert.IsNotNull(paFxFastRep , "KDC must reply a PA-FX-Fast response."); PaFxError paFxError = null; var armoredRep = paFxFastRep.GetKerberosFastRep(client.Context.FastArmorkey); foreach (var padata in armoredRep.PaData) { if (padata is PaFxError) { paFxError = padata as PaFxError; break; } } BaseTestSite.Assert.IsNotNull(paFxError , "KDC must include a PA-FX-ERROR padata."); BaseTestSite.Assert.IsNull(paFxError.KrbError.KrbError.e_data, "E_data is null."); }
public void RC4_InteractiveLogonUseExplicitFast() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); EncryptionType[] rc4HmacType = new EncryptionType[] { EncryptionType.RC4_HMAC }; // Define device principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set device principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with no PA data."); KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve preauthentication required error."); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // AS_REQ and AS_REP using device principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp."); string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response."); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS response is decrypted."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart.key, "AS response should contain a session key."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Switch to user principal."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("Construct kerberos client using user account: {0}.", this.testConfig.LocalRealm.User[1].Username)); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[1].Username, this.testConfig.LocalRealm.User[1].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Define user principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set user principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored AS request with no pre-authentication padata."); var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, krbError2.ErrorCode, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncryptedChallenge."); var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve AS response."); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart, "The encrypted part of AS response is decrypted."); BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart.key, "AS response should contain a session key."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send explicit FAST armored TGS request."); client.SendTgsRequestWithExplicitFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve TGS response."); KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(), userKrbTgsRep.Response.ticket.realm.Value.ToLower(), "The realm in ticket should match expected."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, KerberosUtility.PrincipalName2String(userKrbTgsRep.Response.ticket.sname), "The Service principal name in ticket should match expected."); EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType); userKrbTgsRep.DecryptTicket(key); //userKrbTgsRep.DecryptTicket(this.testConfig.LocalRealm.ClientComputer.Password, this.testConfig.LocalRealm.ClientComputer.ServiceSalt); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(), userKrbTgsRep.TicketEncPart.crealm.Value.ToLower(), "The realm in ticket encrypted part should match expected."); BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[1].Username.ToLower(), KerberosUtility.PrincipalName2String(userKrbTgsRep.TicketEncPart.cname).ToLower(), "The client principal name in ticket encrypted part should match expected."); }
public void PAC_DEVICE_INFO() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); // Switch to user principal client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[2].Username, this.testConfig.LocalRealm.User[2].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; PaFxFastReq paFxFastReq = new PaFxFastReq(null); Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { (paFxFastReq.Data) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, krbError2.ErrorCode, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); if (testConfig.IsClaimSupported) { PaSupportedEncTypes paSupportedEncTypes = null; BaseTestSite.Assert.IsNotNull(userKrbAsRep.EncPart.pa_datas, "The encrypted padata of AS-REP is not null."); foreach (var padata in userKrbAsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported), "Claims is supported."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.FAST_Supported), "FAST is supported."); } // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); client.Context.ArmorSessionKey = client.Context.Ticket.SessionKey; client.Context.ArmorTicket = client.Context.Ticket; client.SendTgsRequestWithExplicitFast(testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); KerberosTgsResponse userKrbTgsRep = client. ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); if (testConfig.IsClaimSupported) { PaSupportedEncTypes paSupportedEncTypes = null; BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS-REP is decrypted."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart.pa_datas, "The encrypted padata is not null."); foreach (var padata in userKrbTgsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.CompoundIdentity_Supported), "Compound identity is supported."); EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType); userKrbTgsRep.DecryptTicket(key); //userKrbTgsRep.DecryptTicket(testConfig.LocalRealm.FileServer[0].Password, testConfig.LocalRealm.FileServer[0].ServiceSalt); //Verify PAC BaseTestSite.Assert.IsNotNull(userKrbTgsRep.TicketEncPart.authorization_data, "The ticket contains Authorization data."); AdWin2KPac adWin2kPac = FindOneInAuthData<AdWin2KPac>(userKrbTgsRep.TicketEncPart.authorization_data.Elements); BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac."); PacDeviceInfo pacDeviceInfo = null; foreach (var buf in adWin2kPac.Pac.PacInfoBuffers) { if (buf is PacDeviceInfo) { pacDeviceInfo = buf as PacDeviceInfo; break; } } BaseTestSite.Assert.IsNotNull(pacDeviceInfo, "PAC_DEVICE_INFO is generated."); } }
public void RC4_CrossRealm_PAC_DEVICE_CLAIMS_INFO() { base.Logging(); // Clear trust realm encryption type IClientControlAdapter adapter = BaseTestSite.GetAdapter<IClientControlAdapter>(); adapter.ClearTrustRealmEncType(); try { client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); EncryptionType[] rc4HmacType = new EncryptionType[] { EncryptionType.RC4_HMAC }; // Define device principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set device principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); //Recieve preauthentication required error METHOD_DATA methodData; KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); //Create sequence of PA data string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, this.client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data }); //Create and send AS request client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); //Create and send TGS request client.SendTgsRequest(this.testConfig.TrustedRealm.KDC[0].DefaultServiceName, options); KerberosTgsResponse tgsResponse = client.ExpectTgsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); KerberosTicket referralComputerTicket = client.Context.Ticket; EncryptionKey referralComputerSessionKey = client.Context.Ticket.SessionKey; //start client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Define device principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set device principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // AS_REQ and AS_REP using device principal timeStamp = KerberosUtility.CurrentKerberosTime.Value; paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // Switch to user principal client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[2].Username, this.testConfig.LocalRealm.User[2].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Define user principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set user principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; string timeStamp2 = KerberosUtility.CurrentKerberosTime.Value; PaFxFastReq paFxFastReq = new PaFxFastReq(null); Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { (paFxFastReq.Data) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); if (testConfig.IsClaimSupported) { PaSupportedEncTypes paSupportedEncTypes = null; foreach (var padata in userKrbAsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported), "Claims is supported."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.FAST_Supported), "FAST is supported."); } // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); client.Context.ArmorSessionKey = client.Context.Ticket.SessionKey; client.Context.ArmorTicket = client.Context.Ticket; if (this.testConfig.TrustType == Adapter.TrustType.Forest) { client.SendTgsRequestWithExplicitFast(testConfig.TrustedRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); } else if (this.testConfig.TrustType == Adapter.TrustType.Realm) { client.SendTgsRequestWithExplicitFast(testConfig.TrustedRealm.KDC[0].DefaultServiceName, options, null, null, subkey, fastOptions, apOptions); } KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); client.ChangeRealm(this.testConfig.TrustedRealm.RealmName, this.testConfig.TrustedRealm.KDC[0].IPAddress, this.testConfig.TrustedRealm.KDC[0].Port, this.testConfig.TransportType); //Create and send referral TGS request client.Context.ArmorTicket = referralComputerTicket; client.Context.ArmorSessionKey = referralComputerTicket.SessionKey; client.SendTgsRequestWithExplicitFast(this.testConfig.TrustedRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); KerberosTgsResponse refTgsResponse = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); EncryptionKey key = testConfig.QueryKey(this.testConfig.TrustedRealm.FileServer[0].Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType); refTgsResponse.DecryptTicket(key); //Verify PAC if (testConfig.IsKileImplemented && testConfig.IsClaimSupported) { BaseTestSite.Assert.IsNotNull(refTgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data."); AdWin2KPac adWin2kPac = FindOneInAuthData<AdWin2KPac>(refTgsResponse.TicketEncPart.authorization_data.Elements); BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac."); DeviceClaimsInfo deviceClaimsInfo = null; foreach (var buf in adWin2kPac.Pac.PacInfoBuffers) { if (buf is DeviceClaimsInfo) { deviceClaimsInfo = buf as DeviceClaimsInfo; break; } } BaseTestSite.Assert.IsNotNull(deviceClaimsInfo, "PAC_DEVICE_CLAIM_INFO should be generated."); } } finally { adapter.SetTrustRealmEncTypeAsAes(); } }
public void RC4_UsingFAST_Smb2() { base.Logging(); client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); EncryptionType[] rc4HmacType = new EncryptionType[] { EncryptionType.RC4_HMAC }; // Define device principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set device principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // Switch to user principal client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[2].Username, this.testConfig.LocalRealm.User[2].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Define user principal client supported encryption type BaseTestSite.Log.Add(LogEntryKind.Comment, "Set user principal client supported encryption type as RC4_HMAC."); client.SetSupportedEType(rc4HmacType); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; string timeStamp2 = KerberosUtility.CurrentKerberosTime.Value; PaFxFastReq paFxReq = new PaFxFastReq(null); Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { (paFxReq.Data) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); client.SendTgsRequestWithFast(testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.AreEqual(EncryptionType.RC4_HMAC, client.Context.SelectedEType, "Client selected encryption type should be RC4_HMAC."); AuthorizationData data = null; subkey = KerberosUtility.GenerateKey(client.Context.SessionKey); byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired, data, subkey, ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG); KerberosApResponse apRep = client.GetApResponseFromToken(SendAndRecieveSmb2Ap(this.testConfig.LocalRealm.FileServer[0], token)); }
public void Protected_Users_Network_Logon_Computer_A2A2_Fail() { base.Logging(); //Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs. if (int.Parse(this.testConfig.LocalRealm.DomainControllerFunctionality) < 6) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs."); BaseTestSite.Log.Add(LogEntryKind.Comment, "Will exit the case immediately."); return; } client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[17].Username, this.testConfig.LocalRealm.User[17].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, krbError.ErrorCode, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); //receive as response KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); // verify the PA-DATA of AS_REP: asResponse.EncPart.pa_datas as PA_SUPPORTED_ENCTYPES bool isExistPaSupportedEncTypes = false; bool isExistPadataValue = false; var padataCount = userKrbAsRep.EncPart.pa_datas.Elements.Length; for (int i = 0; i < padataCount; i++) { var padata = PaDataParser.ParseRepPaData(userKrbAsRep.EncPart.pa_datas.Elements[i]); if ((PaDataType)padata.Data.padata_type.Value == PaDataType.PA_SUPPORTED_ENCTYPES) { isExistPaSupportedEncTypes = true; for (int j = 0; j < padata.Data.padata_value.Value.Length; j++) { if (padata.Data.padata_value.Value[j] == 0x1F) { isExistPadataValue = true; } } } } BaseTestSite.Assert.IsTrue(isExistPaSupportedEncTypes, "If domainControllerFunctionality returns a value >= 3:" + "the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, " + "include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165)."); BaseTestSite.Assert.IsTrue(isExistPadataValue, "If domainControllerFunctionality returns a value >= 3: " + "the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, " + "include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x1F (section 2.2.6)."); if (testConfig.IsClaimSupported) { PaSupportedEncTypes paSupportedEncTypes = null; // userKrbAsRep.EncPart.pa_datas.GetType foreach (var padata in userKrbAsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported), "Claims is supported."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.FAST_Supported), "FAST is supported."); } // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request."); client.SendTgsRequestWithFast(testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve TGS response."); krbError = client.ExpectKrbError(); // Access check with Computer's A2A2 failed, KDC will return the KDC_ERR_POLICY error. BaseTestSite.Assert.AreEqual( KRB_ERROR_CODE.KDC_ERR_POLICY, krbError.ErrorCode, "Section 3.3.5.7 TGS Exchange: " + "If AllowedToAuthenticateFrom is not NULL, the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right with additional rights GUID against the AllowedToAuthenticateFrom." + "If the access check fails, the KDC MUST return KDC_ERR_POLICY." ); }
public void Protected_Users_Interactive_Logon_User_A2AF_Succeed() { base.Logging(); //Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs. if (int.Parse(this.testConfig.LocalRealm.DomainControllerFunctionality) < 6) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs."); BaseTestSite.Log.Add(LogEntryKind.Comment, "Will exit the case immediately."); return; } client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } //AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[16].Username, this.testConfig.LocalRealm.User[16].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, krbError2.ErrorCode, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); //verify flags in as reponse int flags = KerberosUtility.ConvertFlags2Int(asResponse.EncPart.flags.ByteArrayValue); BaseTestSite.Assert.AreEqual((EncTicketFlags)0, EncTicketFlags.FORWARDABLE & EncTicketFlags.PROXIABLE & (EncTicketFlags)flags, "Section 3.3.5.1: " + "If DelegationNotAllowed is set to TRUE on the principal, " + "(or if domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25) and the principal is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4)), " + "the KILE KDC MUST NOT set the PROXIABLE or FORWARDABLE ticket flags ([RFC4120] sections 2.5 and 2.6)." ); //Get user linked authentication policy attribute string attributeDN = this.sutController.getAccountAttributeDN( this.testConfig.LocalRealm.RealmName.ToLower().Substring(0, this.testConfig.LocalRealm.RealmName.Length - 4), this.testConfig.LocalRealm.User[16].Username, "Users", "msDS-AssignedAuthNPolicy", this.testConfig.LocalRealm.Admin.Username, this.testConfig.LocalRealm.Admin.Password ); //Get authentication policy TGT lifetime // if policy not config the TGT life time, use the default value 4 hours for protected users. // if not a protected user, use the default value 10 hours by DC group policy defined. double? policyTGTLifetime4User = 4 * 36000000000; if (attributeDN != null) { char seperator = ','; string userLinkedPolicyName = attributeDN.Substring(3, attributeDN.IndexOf(seperator) - 3); //Get Authentication Policy User's TGT lifetime policyTGTLifetime4User = this.sutController.getAuthPolicyTGTLifeTime( this.testConfig.LocalRealm.RealmName.ToLower().Substring(0, this.testConfig.LocalRealm.RealmName.Length - 4), userLinkedPolicyName, "msds-UserTGTLifetime", this.testConfig.LocalRealm.Admin.Username, this.testConfig.LocalRealm.Admin.Password ); if (policyTGTLifetime4User == null) { // if policy not config the TGT life time, use the default value 4 hours for protected users. // if not a protected user, use the default value 10 hours by DC group policy defined. policyTGTLifetime4User = 4 * 36000000000; } } // if policy not config the TGT life time, use the default value 4 hours for protected users. // if not a protected user, use the default value 10 hours by DC group policy defined. double? policyTGTLifetime4Computer = 4 * 36000000000; attributeDN = this.sutController.getAccountAttributeDN( this.testConfig.LocalRealm.RealmName.ToLower().Substring(0, this.testConfig.LocalRealm.RealmName.Length - 4), this.testConfig.LocalRealm.ClientComputer.NetBiosName.Substring(0, this.testConfig.LocalRealm.ClientComputer.NetBiosName.Length - 1), "Computers", "msDS-AssignedAuthNPolicy", this.testConfig.LocalRealm.Admin.Username, this.testConfig.LocalRealm.Admin.Password ); if (attributeDN != null) { char seperator = ','; string userLinkedPolicyName = attributeDN.Substring(3, attributeDN.IndexOf(seperator) - 3); //Get Authentication Policy Computer's TGT lifetime policyTGTLifetime4Computer = this.sutController.getAuthPolicyTGTLifeTime( this.testConfig.LocalRealm.RealmName.ToLower().Substring(0, this.testConfig.LocalRealm.RealmName.Length - 4), userLinkedPolicyName, "msds-ComputerTGTLifetime", this.testConfig.LocalRealm.Admin.Username, this.testConfig.LocalRealm.Admin.Password ); if (policyTGTLifetime4Computer == null) { policyTGTLifetime4Computer = 4 * 36000000000; } } //Get TGTlifetime from ticket received DateTime startTime = DateTime.ParseExact( asResponse.EncPart.starttime.ToString(), "yyyyMMddHHmmssZ", System.Globalization.CultureInfo.InvariantCulture ); DateTime endTime = DateTime.ParseExact( asResponse.EncPart.endtime.ToString(), "yyyyMMddHHmmssZ", System.Globalization.CultureInfo.InvariantCulture ); DateTime renewTime = DateTime.ParseExact( asResponse.EncPart.renew_till.ToString(), "yyyyMMddHHmmssZ", System.Globalization.CultureInfo.InvariantCulture ); //get timespan TimeSpan maxTGTlife = endTime - startTime; TimeSpan maxRenewTime = renewTime - startTime; double? maxTGTlifeTimeSpan = maxTGTlife.Ticks; double? maxRenewTimeSpan = maxRenewTime.Ticks; //verify MaxRenewAge and MaxTicketAge for the TGT BaseTestSite.Assert.AreEqual( policyTGTLifetime4Computer, // as response is encrypted by computer's key maxTGTlifeTimeSpan, "Section 3.3.5.6 MaxTicketAge (section 3.3.1) for the TGT is 4 hours unless specified by policy. " + "If TGTLifetime is not 0: MaxTicketAge for the TGT is TGTLifetime." ); BaseTestSite.Assert.AreEqual( policyTGTLifetime4Computer, maxRenewTimeSpan, "Section 3.3.5.6 MaxRenewAge (section 3.3.1) for the TGT is 4 hours unless specified by policy. " + "If TGTLifetime is not 0: MaxRenewAge for the TGT is TGTLifetime." ); // verify the PA-DATA of AS_REP: asResponse.EncPart.pa_datas as PA_SUPPORTED_ENCTYPES bool isExistPaSupportedEncTypes = false; bool isExistPadataValue = false; var padataCount = userKrbAsRep.EncPart.pa_datas.Elements.Length; for (int i = 0; i < padataCount; i++) { var padata = PaDataParser.ParseRepPaData(userKrbAsRep.EncPart.pa_datas.Elements[i]); if ((PaDataType)padata.Data.padata_type.Value == PaDataType.PA_SUPPORTED_ENCTYPES) { isExistPaSupportedEncTypes = true; for (int j = 0; j < padata.Data.padata_value.Value.Length; j++) { if (padata.Data.padata_value.Value[j]==0x1F) { isExistPadataValue = true; } } } } BaseTestSite.Assert.IsTrue(isExistPaSupportedEncTypes, "If domainControllerFunctionality returns a value >= 3:" + "the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, " + "include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165)."); BaseTestSite.Assert.IsTrue(isExistPadataValue, "If domainControllerFunctionality returns a value >= 3: " + "the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, " + "include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x1F (section 2.2.6)."); if (testConfig.IsClaimSupported) { PaSupportedEncTypes paSupportedEncTypes = null; // userKrbAsRep.EncPart.pa_datas.GetType foreach (var padata in userKrbAsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported), "Claims is supported."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.FAST_Supported), "FAST is supported."); } // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request."); client.SendTgsRequestWithFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve TGS response."); KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response, "The Response pare of TGS-REP is not null."); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response.padata, "The Padata of TGS-REP is not null."); EncryptionKey strengthenKey = null; foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements) { var parsedPaData = PaDataParser.ParseRepPaData(paData); if (parsedPaData is PaFxFastRep) { var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep(); var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey); strengthenKey = kerbRep.FastResponse.strengthen_key; } } BaseTestSite.Assert.IsNotNull(strengthenKey, "Strengthen key field must be set in TGS-REP."); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted."); }
public void Protected_Users_Interactive_Logon_User_A2AF_Fail() { base.Logging(); //Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs. if (int.Parse(this.testConfig.LocalRealm.DomainControllerFunctionality) < 6) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Section 3.3.5.6: Authentication Policies are not supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 KDCs."); BaseTestSite.Log.Add(LogEntryKind.Comment, "Will exit the case immediately."); return; } //TODO: Consider to udpate Client computer's department attribute and then interactive log on to client computer client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.FileServer[0].NetBiosName, this.testConfig.LocalRealm.FileServer[0].Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.FileServer[0].AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[16].Username, this.testConfig.LocalRealm.User[16].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); // Access check with User's A2AF failed, KDC will return the KDC_ERR_POLICY error. BaseTestSite.Assert.AreEqual( KRB_ERROR_CODE.KDC_ERR_POLICY, krbError2.ErrorCode, "Section 3.3.5.6 As Exchange " + "If AllowedToAuthenticateFrom is not NULL, the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right with additional rights GUID against the AllowedToAuthenticateFrom. " + "If the access check fails, the KDC MUST return KDC_ERR_POLICY." ); }
public void Protected_Users_Network_Logon_Computer_A2A2_Succeed() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp( timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name)); // Switch to user principal client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[16].Username, this.testConfig.LocalRealm.User[16].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, krbError2.ErrorCode, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data, paPacRequest.Data, paPacOptions.Data}); client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT."); BaseTestSite.Log.Add( LogEntryKind.Comment, string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name)); // verify the PA-DATA of AS_REP: asResponse.EncPart.pa_datas as PA_SUPPORTED_ENCTYPES bool isExistPaSupportedEncTypes = false; bool isExistPadataValue = false; var padataCount = userKrbAsRep.EncPart.pa_datas.Elements.Length; for (int i = 0; i < padataCount; i++) { var padata = PaDataParser.ParseRepPaData(userKrbAsRep.EncPart.pa_datas.Elements[i]); if ((PaDataType)padata.Data.padata_type.Value == PaDataType.PA_SUPPORTED_ENCTYPES) { isExistPaSupportedEncTypes = true; for (int j = 0; j < padata.Data.padata_value.Value.Length; j++) { if (padata.Data.padata_value.Value[j] == 0x1F) { isExistPadataValue = true; } } } } BaseTestSite.Assert.IsTrue(isExistPaSupportedEncTypes, "If domainControllerFunctionality returns a value >= 3:" + "the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, " + "include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165)."); BaseTestSite.Assert.IsTrue(isExistPadataValue, "If domainControllerFunctionality returns a value >= 3: " + "the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, " + "include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x1F (section 2.2.6)."); if (testConfig.IsClaimSupported) { PaSupportedEncTypes paSupportedEncTypes = null; // userKrbAsRep.EncPart.pa_datas.GetType foreach (var padata in userKrbAsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported), "Claims is supported."); BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.FAST_Supported), "FAST is supported."); } // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request."); client.SendTgsRequestWithFast(testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); BaseTestSite.Log.Add(LogEntryKind.Comment, "Recieve TGS response."); KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response, "The Response pare of TGS-REP is not null."); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.Response.padata, "The Padata of TGS-REP is not null."); EncryptionKey strengthenKey = null; foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements) { var parsedPaData = PaDataParser.ParseRepPaData(paData); if (parsedPaData is PaFxFastRep) { var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep(); var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey); strengthenKey = kerbRep.FastResponse.strengthen_key; } } BaseTestSite.Assert.IsNotNull(strengthenKey, "Strengthen key field must be set in TGS-REP."); BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted."); }
public void NetworkLogonCompoundIdentitySmb2() { base.Logging(); client = new KerberosTestClient( this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.ClientComputer.NetBiosName, this.testConfig.LocalRealm.ClientComputer.Password, KerberosAccountType.Device, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid, testConfig.LocalRealm.ClientComputer.AccountSalt); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // AS_REQ and KRB-ERROR using device principal KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE; client.SendAsRequest(options, null); METHOD_DATA methodData; KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData); // AS_REQ and AS_REP using device principal string timeStamp = KerberosUtility.CurrentKerberosTime.Value; PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data }); client.SendAsRequest(options, seqOfPaData); KerberosAsResponse asResponse = client.ExpectAsResponse(); // Switch to user principal client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName, this.testConfig.LocalRealm.User[2].Username, this.testConfig.LocalRealm.User[2].Password, KerberosAccountType.User, client.Context.Ticket, client.Context.SessionKey, testConfig.LocalRealm.KDC[0].IPAddress, testConfig.LocalRealm.KDC[0].Port, testConfig.TransportType, testConfig.SupportedOid); // Kerberos Proxy Service is used if (this.testConfig.UseProxy) { BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client ."); KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig); proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName; client.UseProxy = true; client.ProxyClient = proxyClient; } // FAST armored AS_REQ and KRB-ERROR using user principal //Create a "random" key. var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt"); var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0)); var apOptions = ApOptions.None; string timeStamp2 = KerberosUtility.CurrentKerberosTime.Value; PaFxFastReq paFxFastReq = new PaFxFastReq(null); //PaEncTimeStamp paEncTimeStamp2 = new PaEncTimeStamp(timeStamp2, 0, client.Context.SelectedEType, this.client.Context.CName.Password, this.client.Context.CName.Salt); Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { (paFxFastReq.Data) }); client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions); KerberosKrbError krbError2 = client.ExpectKrbError(); BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required."); // FAST armored AS_REQ and AS_REP using user principal var userKey = KerberosUtility.MakeKey( client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt); PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge( client.Context.SelectedEType, KerberosUtility.CurrentKerberosTime.Value, 0, client.Context.FastArmorkey, userKey); Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data }); PaPacRequest paPacRequest = new PaPacRequest(true); PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc); Asn1SequenceOf<PA_DATA> outerSeqPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data }); client.SendAsRequestWithFast(options, seqOfPaData3, outerSeqPaData, subkey, fastOptions, apOptions); KerberosAsResponse userKrbAsRep = client.ExpectAsResponse(); PaSupportedEncTypes paSupportedEncTypes = null; if (this.testConfig.IsKileImplemented) { foreach (var padata in userKrbAsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); if (testConfig.IsClaimSupported) { BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported), "Claims is supported."); } BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.FAST_Supported), "FAST is supported."); } // FAST armored TGS_REQ and TGS_REP using user principal subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt"); client.Context.ArmorSessionKey = client.Context.Ticket.SessionKey; client.Context.ArmorTicket = client.Context.Ticket; client.SendTgsRequestWithExplicitFast(testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, null, null, subkey, fastOptions, apOptions); KerberosTgsResponse userKrbTgsRep = client. ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey); paSupportedEncTypes = null; BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS-REP is decrypted."); BaseTestSite.Assert.IsNotNull(asResponse.EncPart.pa_datas, "The encrypted padata is not null."); if (this.testConfig.IsKileImplemented) { foreach (var padata in userKrbTgsRep.EncPart.pa_datas.Elements) { var parsedPadata = PaDataParser.ParseRepPaData(padata); if (parsedPadata is PaSupportedEncTypes) paSupportedEncTypes = parsedPadata as PaSupportedEncTypes; } BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES."); if (this.testConfig.IsClaimSupported) { BaseTestSite.Assert.IsTrue( paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.CompoundIdentity_Supported), "Compound identity is supported."); } } AuthorizationData data = null; subkey = KerberosUtility.GenerateKey(client.Context.SessionKey); byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired, data, subkey, ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG); KerberosApResponse apRep = client.GetApResponseFromToken(SendAndRecieveSmb2Ap(this.testConfig.LocalRealm.FileServer[0], token)); ; }