private static async Task RequestAndValidateTickets(
string user,
string password,
string overrideKdc,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true
)
{
var kerbCred = new KerberosPasswordCredential(user, password);
using (var client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
})
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var spn = FakeAppServiceSpn;
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac);
}
}
private static async Task RequestAndValidateTickets(
string user,
string password,
string overrideKdc,
string s4u = null,
bool encodeNego = false,
bool caching = false
)
{
var kerbCred = new KerberosPasswordCredential(user, password);
KerberosClient client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
};
await client.Authenticate(kerbCred);
var spn = "host/appservice.corp.identityintervention.com";
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = "host/appservice.corp.identityintervention.com",
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = "host/appservice.corp.identityintervention.com",
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket);
}
private static async Task RequestAndValidateTickets(string user, string password, string overrideKdc)
{
var kerbCred = new KerberosPasswordCredential(user, password);
KerberosClient client = new KerberosClient(overrideKdc);
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
"host/appservice.corp.identityintervention.com",
ApOptions.MutualRequired
);
await ValidateTicket(ticket);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
"host/appservice.corp.identityintervention.com",
ApOptions.MutualRequired
);
await ValidateTicket(ticket);
}
private static async Task RequestAndValidateTickets(
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user);
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
using (var client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
})
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var spn = FakeAppServiceSpn;
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac);
}
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
}
}
internal static async Task RequestAndValidateTicketsWithCaches(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null,
bool useKrb5TicketCache = false
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(
listener,
overrideKdc,
caching: caching,
allowWeakCrypto: allowWeakCrypto,
useWeakCrypto: useWeakCrypto,
useKrb5TicketCache: useKrb5TicketCache
);
using (kerbCred as IDisposable)
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0,
S4uTarget = s4u,
S4uTicket = s4uTicket
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
}
if (user.Contains("-fallback"))
{
Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType);
}
else
{
Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType);
}
}
