private async Task DecodeTicket(string ticket, string encryptedPassword, string name, string realm) { string decryptedKey = DecryptKey(encryptedPassword); var keys = new KeyTable( new KerberosKey(decryptedKey, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { name })) ); var validator = new KerberosValidator(keys); ticket = RemoveNegotiate(ticket); var validated = await validator.Validate(Convert.FromBase64String(ticket)); var authenticator = new KerberosAuthenticator(keys); var identity = await authenticator.Authenticate(ticket) as KerberosIdentity; var formatted = FormatSerialize(new { Decrypted = validated, Identity = new { identity.Name, identity.Restrictions, identity.ValidationMode, Claims = identity.Claims.Select(c => new { c.Type, c.Value }) } }); ViewData["Ticket"] = formatted; }
public async Task Authenticator_SerializedKeytab() { var key = new KerberosKey( password: "******", principalName: new PrincipalName( PrincipalNameType.NT_SRV_INST, "IDENTITYINTERVENTION.COM", new[] { "host", "aadg.windows.net.nsatc.net" } ), etype: EncryptionType.RC4_HMAC_NT ); var keytab = new KeyTable(key); var buffer = new MemoryStream(); keytab.Write(new BinaryWriter(buffer)); var secondKeytab = new KeyTable(buffer.ToArray()); var authenticator = new KerberosAuthenticator( new KerberosValidator(secondKeytab) { ValidateAfterDecrypt = DefaultActions }); Assert.IsNotNull(authenticator); var result = await authenticator.Authenticate(RC4Header); Assert.IsNotNull(result); Assert.AreEqual("*****@*****.**", result.Name); }
private async Task <bool> ParseKerberosHeader(OwinContext context) { string[] authzHeader = null; if (!context.Request.Headers.TryGetValue("Authorization", out authzHeader) || authzHeader.Length != 1) { context.Response.Headers.Add("WWW-Authenticate", new[] { "Negotiate" }); context.Response.StatusCode = 401; return(false); } var header = authzHeader.First(); try { var authenticator = new KerberosAuthenticator(validator); var identity = await authenticator.Authenticate(header); context.Request.User = new ClaimsPrincipal(identity); return(true); } catch (Exception ex) { context.TraceOutput.WriteLine(ex); return(false); } }
private static async Task RequestTickets(string user, string password, string overrideKdc) { var kerbCred = new KerberosPasswordCredential(user, password); KerberosClient client = new KerberosClient(overrideKdc); await client.Authenticate(kerbCred); var ticket = await client.GetServiceTicket( "host/appservice.corp.identityintervention.com", ApOptions.MutualRequired ); var encoded = ticket.EncodeApplication().ToArray(); var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { "host/appservice.corp.identityintervention.com" } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); DumpClaims(validated); }
private async Task S4u2Self(KerberosClient client) { var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}"); var myTgt = myTgtEntry.KdcResponse?.Ticket; if (myTgt == null) { this.IO.Writer.WriteLine(SR.Resource("CommandLine_WhoAmI_NoTgt")); return; } var result = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = client.UserPrincipalName, UserToUserTicket = myTgt, CacheTicket = false, } ); var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey())); var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication()); this.DescribeTicket(identity as KerberosIdentity); }
public async Task KrbApReqWithoutPacLogonInfo() { var data = Convert.FromBase64String(ApReqWithoutPacLogonInfo); var key = new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "corp.identityintervention.com", new[] { "host/appservice.corp.identityintervention.com" } ), saltType: SaltType.ActiveDirectoryUser ) ); var authenticator = new KerberosAuthenticator(new KerberosValidator(key) { ValidateAfterDecrypt = DefaultActions }); var result = await authenticator.Authenticate(data); Assert.IsNotNull(result); Assert.AreEqual(1, result.Claims.Count()); Assert.AreEqual("*****@*****.**", result.Name); }
public async Task Authenticator_RoundtripKeytab() { var keytab = new KeyTable(ReadDataFile("sample.keytab")); var buffer = new MemoryStream(); using (var writer = new BinaryWriter(buffer)) { keytab.Write(writer); var secondKeytab = new KeyTable(buffer.ToArray()); var authenticator = new KerberosAuthenticator( new KerberosValidator(secondKeytab) { ValidateAfterDecrypt = DefaultActions }); Assert.IsNotNull(authenticator); var result = await authenticator.Authenticate(RC4Header); Assert.IsNotNull(result); Assert.AreEqual("*****@*****.**", result.Name); } }
private static async Task TryValidate(string spn, KrbApReq ticket, string servicePassword, string serviceSalt) { var encoded = ticket.EncodeApplication().ToArray(); KerberosKey kerbKey; if (string.IsNullOrWhiteSpace(serviceSalt)) { kerbKey = new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, ticket.Ticket.Realm, new[] { spn } ), saltType: SaltType.ActiveDirectoryUser ); } else { kerbKey = new KerberosKey( servicePassword, salt: serviceSalt, etype: ticket.Ticket.EncryptedPart.EType, saltType: SaltType.ActiveDirectoryService ); } var authenticator = new KerberosAuthenticator(new KeyTable(kerbKey)); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); DumpRestrictions(validated); }
protected static async Task ValidateTicket( ApplicationSessionContext context, bool encodeNego = false, bool includePac = true, string spn = FakeAppServiceSpn ) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var ticket = context.ApReq; byte[] encoded; if (encodeNego) { encoded = ticket.EncodeGssApi().ToArray(); } else { encoded = ticket.EncodeApplication().ToArray(); } var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( FakeAdminAtCorpPassword, principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { spn } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); Assert.IsNotNull(validated); var sidClaim = validated.FindFirst(ClaimTypes.Sid); if (includePac) { Assert.AreEqual("S-1-5-123-456-789-12-321-888", sidClaim?.Value); } else { Assert.IsNull(sidClaim); } var sessionKey = context.AuthenticateServiceResponse(validated.ApRep); Assert.IsNotNull(sessionKey); }
public async Task Authenticator_DownLevelNameFormat() { var authenticator = new KerberosAuthenticator( new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }); authenticator.UserNameFormat = UserNameFormat.DownLevelLogonName; var result = await authenticator.Authenticate(RC4Header); Assert.IsNotNull(result); Assert.AreEqual(@"IDENTITYINTER\Administrator", result.Name); }
public AuthenticationTicket Authenticate(string base64Token) { if (string.IsNullOrWhiteSpace(configuration[AuthConstants.PRINCIPAL_PASSWORD_NM])) { throw new ArgumentNullException($"{AuthConstants.PRINCIPAL_PASSWORD_NM} is not set! Set as an environment variable or via any configuration sources"); } var identity = authenticator.Authenticate(base64Token).Result; return(new AuthenticationTicket( new ClaimsPrincipal(identity), new AuthenticationProperties(), AuthConstants.SPNEGO_DEFAULT_SCHEME)); }
private static async Task RequestTickets(string user, string password, string overrideKdc, string s4u, string spn) { var kerbCred = new KerberosPasswordCredential(user, password); using (KerberosClient client = new KerberosClient(overrideKdc)) { await client.Authenticate(kerbCred); spn = spn ?? "host/appservice.corp.identityintervention.com"; KrbTicket s4uTicket = null; if (!string.IsNullOrWhiteSpace(s4u)) { var s4uSelf = await client.GetServiceTicket( kerbCred.UserName, ApOptions.MutualRequired, s4u : s4u ); s4uTicket = s4uSelf.Ticket; } var ticket = await client.GetServiceTicket( spn, ApOptions.MutualRequired, s4uTicket : s4uTicket ); var encoded = ticket.EncodeApplication().ToArray(); var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { spn } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); DumpClaims(validated); } }
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { string authorizationHeader = Request.Headers["Authorization"]; if (string.IsNullOrEmpty(authorizationHeader)) { return(AuthenticateResult.NoResult()); } if (!authorizationHeader.StartsWith("Negotiate ", StringComparison.OrdinalIgnoreCase)) { return(AuthenticateResult.NoResult()); } var base64Token = authorizationHeader.Substring(SchemeName.Length).Trim(); if (string.IsNullOrEmpty(base64Token)) { const string noCredentialsMessage = "No credentials"; Logger.LogInformation(noCredentialsMessage); return(AuthenticateResult.Fail(noCredentialsMessage)); } try { try { Logger.LogTrace("===SPNEGO Token==="); Logger.LogTrace(base64Token); var identity = await _authenticator.Authenticate(base64Token); MapSidsToGroupNames(identity); var ticket = new AuthenticationTicket( new ClaimsPrincipal(identity), new AuthenticationProperties(), SpnegoAuthenticationDefaults.AuthenticationScheme); return(AuthenticateResult.Success(ticket)); } catch (KerberosValidationException e) { return(AuthenticateResult.Fail(e)); } } catch (Exception) { return(AuthenticateResult.Fail("Access denied")); } }
private async Task S4u2Self(KerberosClient client) { if (client.Cache is LsaCredentialCache) { this.WriteLineError("The whoami command isn't supported with the LSA Cache"); return; } var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}"); var myTgt = myTgtEntry.KdcResponse?.Ticket; if (myTgt == null) { this.WriteHeader(SR.Resource("CommandLine_WhoAmI_NoTgt")); return; } try { var result = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = client.UserPrincipalName, UserToUserTicket = myTgt, CacheTicket = false, S4uTarget = client.UserPrincipalName } ); var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey())); var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication()); this.DescribeTicket(identity as KerberosIdentity); } catch (KerberosProtocolException kex) { this.WriteLine(); this.WriteLine(1, "{ErrorCode}: {ErrorText}", kex.Error.ErrorCode, kex.Error.ETextWithoutCode()); if (kex.Error.ErrorCode == KerberosErrorCode.KRB_AP_ERR_TKT_EXPIRED) { this.WriteLine(); this.WriteLine(1, SR.Resource("CommandLine_WhoAmI_NoTgt")); } } }
public async Task TestAuthenticator() { var authenticator = new KerberosAuthenticator(new KerberosValidator(new KeyTable(File.ReadAllBytes("data\\sample.keytab"))) { ValidateAfterDecrypt = ValidationActions.Replay }); Assert.IsNotNull(authenticator); var result = await authenticator.Authenticate(RC4Header); Assert.IsNotNull(result); Assert.AreEqual("*****@*****.**", result.Name); }
public async Task <ClaimsIdentity> Authenticate(IKeyIdentifier id, string token, string scheme = null) { var key = await storage.GetKey(id); var kerbKey = key.RetrieveKey <byte[]>(); var validator = new KerberosValidator( new KeyTable( new KerberosKey(kerbKey) ) ); var authenticator = new KerberosAuthenticator(validator); return(await authenticator.Authenticate(token)); }
public async Task AuthenticatorGetsAsRep() { var authenticator = new KerberosAuthenticator( new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }); Assert.IsNotNull(authenticator); var result = await authenticator.Authenticate(RC4Header) as KerberosIdentity; Assert.IsNotNull(result); Assert.IsNotNull(result.ApRep); }
public async Task Authenticator_Default() { var authenticator = new KerberosAuthenticator( new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }); Assert.IsNotNull(authenticator); var result = await authenticator.Authenticate(RC4Header); Assert.IsNotNull(result); Assert.AreEqual("*****@*****.**", result.Name); }
private async Task <KerberosIdentity> ProcessAsMiddleBox(Krb5Config config, ILoggerFactory logger, ApplicationSessionContext serviceTicket) { var serviceCred = new KerberosPasswordCredential(this.ServicePrincipalSamAccountName, this.ServicePrincipalNamePassword, serviceTicket.ApReq.Ticket.Realm); var ping = await KerberosPing.Ping(serviceCred, config, logger); serviceCred.IncludePreAuthenticationHints(ping.Error.DecodePreAuthentication()); var keytab = new KeyTable(serviceCred.CreateKey()); var authenticator = new KerberosAuthenticator(this.ServicePrincipalSamAccountName, keytab, config, logger); var identity = await authenticator.Authenticate(serviceTicket.ApReq.EncodeGssApi()) as KerberosIdentity; return(identity); }
private static async Task <KerberosIdentity> GenerateAuthZ() { var authenticator = new KerberosAuthenticator(new KerberosValidator(new KerberosKey("P@ssw0rd!")) { ValidateAfterDecrypt = DefaultActions }); var authenticated = await authenticator.Authenticate(Convert.FromBase64String(TicketContainingDelegation)); Assert.IsNotNull(authenticated); var identity = authenticated as KerberosIdentity; Assert.IsNotNull(identity); return(identity); }
private async Task ParseKerberosHeader(OwinContext context) { string[] authzHeader = null; if (!context.Request.Headers.TryGetValue("Authorization", out authzHeader) || authzHeader.Length != 1) { return; } var header = authzHeader.First(); var authenticator = new KerberosAuthenticator(validator); var identity = await authenticator.Authenticate(header); context.Request.User = new ClaimsPrincipal(identity); }
public async Task TestValidatorClaimsPresent() { var validator = new KerberosValidator(new KeyTable(ReadFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(RC4Ticket); Assert.IsNotNull(result); Assert.IsTrue(result.Claims.Count() > 0); var validation = result.Claims.First(c => c.Type == "Validated"); Assert.AreEqual("ClientPrincipalIdentifier Realm Replay Pac", validation.Value); }
public async Task TestParseClaims() { var validator = new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(RC4Ticket_Claims); Assert.IsNotNull(result); Assert.IsTrue(result.Claims.Count() > 0); Assert.IsTrue(result.Claims.Any(c => c.Type == "ad://ext/employeeType:88d4d68c56082042" && c.Value == "lazy")); Assert.AreEqual(2, result.Claims.Count(c => c.Type == "ad://ext/localeID:88d4d68c6aa51687")); }
private static async Task ValidateTicket(ApplicationSessionContext context, bool encodeNego = false) { var ticket = context.ApReq; byte[] encoded; if (encodeNego) { encoded = ticket.EncodeGssApi().ToArray(); } else { encoded = ticket.EncodeApplication().ToArray(); } var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { "host/appservice.corp.identityintervention.com" } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); Assert.IsNotNull(validated); Assert.AreEqual(validated.FindFirst(ClaimTypes.Sid).Value, "S-1-5-123-456-789-12-321-888"); var sessionKey = context.AuthenticateServiceResponse(validated.ApRep); Assert.IsNotNull(sessionKey); }
private static async Task TryValidate(string spn, KrbApReq ticket) { var encoded = ticket.EncodeApplication().ToArray(); var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { spn } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); DumpClaims(validated); }
public async Task KrbCredImportsAndPassesAuthenticatorValidation() { var krbCred = CreateKrbCredential(); using (var client = new KerberosClient()) { client.ImportCredential(krbCred); var serviceTicket = await client.GetServiceTicket("host/test.com"); Assert.IsNotNull(serviceTicket); var encodedTicket = "Negotiate " + Convert.ToBase64String(serviceTicket.EncodeGssApi().ToArray()); var authenticator = new KerberosAuthenticator(new KeyTable(new KerberosKey(new byte[16], etype: EncryptionType.AES128_CTS_HMAC_SHA1_96))); var result = await authenticator.Authenticate(encodedTicket); Assert.IsNotNull(result); Assert.AreEqual("*****@*****.**", result.Name); } }
private static async System.Threading.Tasks.Task MainAsync() { foreach (var f in Files) { var data = File.ReadAllBytes("data\\" + f.Key); var key = File.ReadAllBytes("data\\" + f.Value); W($"Decrypting {f.Key} with key {f.Value}", ConsoleColor.Green); var validator = new KerberosValidator(key) { //Logger = W, ValidateAfterDecrypt = ValidationActions.Replay }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(data); ; if (result == null) { throw new InvalidDataException("Could not decrypt token"); } foreach (var c in result.Claims.OrderBy(c => c.Type)) { W($"{c.Type}: {c.Value}"); } W(""); ; } ; }
private static async Task AssertDecode(byte[] data, byte[] key, EncryptionType etype) { var validator = new IntrospectiveValidator(key) { ValidateAfterDecrypt = DefaultActions }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(data); Assert.IsNotNull(result); Assert.IsTrue(result.Claims.Count() > 0); Assert.AreEqual("Kerberos", result.AuthenticationType); Assert.AreEqual("*****@*****.**", result.Name); Assert.IsNotNull(validator.Data); Assert.AreEqual(etype, validator.Data.EType); }
public async Task TestValidatorClaimsPresent() { var validator = new KerberosValidator(new KeyTable(ReadDataFile("sample.keytab"))) { ValidateAfterDecrypt = DefaultActions }; var authenticator = new KerberosAuthenticator(validator); var result = await authenticator.Authenticate(RC4Ticket_Claims); Assert.IsNotNull(result); var kerbIdentity = result as KerberosIdentity; Assert.IsNotNull(kerbIdentity); Assert.IsTrue(result.Claims.Count() > 0); Assert.IsFalse(result.Claims.Any(c => c.Type == "Validated")); Assert.AreEqual(DefaultActions, kerbIdentity.ValidationMode); }
private static async Task ValidateTicket(KrbApReq ticket) { var encoded = ticket.EncodeApplication().ToArray(); var authenticator = new KerberosAuthenticator( new KeyTable( new KerberosKey( "P@ssw0rd!", principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.com", new[] { "host/appservice.corp.identityintervention.com" } ), saltType: SaltType.ActiveDirectoryUser ) ) ); var validated = (KerberosIdentity)await authenticator.Authenticate(encoded); Assert.IsNotNull(validated); Assert.AreEqual(validated.FindFirst(ClaimTypes.Sid).Value, "S-1-5-123-456-789-12-321-888"); }