public async Task ParseKdcProxyMessage_WithoutLength() { var req = KrbAsReq.CreateAsReq( new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"), 0 ).EncodeApplication(); var domain = "corp.identityintervention.com"; var hint = DcLocatorHint.DS_AVOID_SELF; var message = KdcProxyMessage.WrapMessage(req, domain, hint, mode: KdcProxyMessageMode.NoPrefix); var kdc = new KdcServer(new KdcServerOptions { RealmLocator = realm => new FakeRealmService(realm) }); var response = await kdc.ProcessMessage(message.Encode()); Assert.IsTrue(response.Length > 0); Assert.IsFalse(KrbError.CanDecode(response)); var proxy = KdcProxyMessage.Decode(response); var preAuthReq = KrbError.DecodeApplication(proxy.UnwrapMessage(out KdcProxyMessageMode mode)); Assert.AreEqual(KdcProxyMessageMode.NoPrefix, mode); Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, preAuthReq.ErrorCode); }
public void Setup() { options = new ListenerOptions { DefaultRealm = Realm, RealmLocator = LocateRealm }; credential = Creds.GetOrAdd(AlgorithmType, a => new KerberosPasswordCredential(a + user, password)); asReq = KrbAsReq.CreateAsReq(credential, DefaultAuthentication).EncodeApplication(); switch (AlgorithmType) { case "RC4": etype = EncryptionType.RC4_HMAC_NT; break; case "AES128": etype = EncryptionType.AES128_CTS_HMAC_SHA1_96; break; case "AES256": etype = EncryptionType.AES256_CTS_HMAC_SHA1_96; break; } }
public Task Setup() { this.Port = new Random().Next(20000, 40000); var options = new ListenerOptions { DefaultRealm = "corp2.identityintervention.com".ToUpper(), RealmLocator = realm => LocateRealm(realm), Log = Logger }; options.Configuration.KdcDefaults.TcpListenBacklog = int.MaxValue; options.Configuration.KdcDefaults.ReceiveTimeout = TimeSpan.FromSeconds(15); options.Configuration.KdcDefaults.KdcTcpListenEndpoints.Clear(); options.Configuration.KdcDefaults.KdcTcpListenEndpoints.Add($"127.0.0.1:{this.Port}"); this.listener = new KdcServiceListener(options); _ = this.listener.Start(); this.credential = Creds.GetOrAdd(this.AlgorithmType, a => new KerberosPasswordCredential(a + this.user, this.password)); this.asReq = new ReadOnlySequence <byte>(KrbAsReq.CreateAsReq(this.credential, DefaultAuthentication).EncodeApplication()); return(Task.CompletedTask); }
public async Task HttpsTransportReceivesFailure() { var transport = new HandledHttpsKerberosTransport(new FailureKdcMessageDelegatingHandler()); var asReq = KrbAsReq.CreateAsReq(new KerberosPasswordCredential(UserUpn, "P@ssw0rd!"), AuthenticationOptions.Forwardable); await transport.SendMessage <KrbAsRep>("adasdf", asReq.EncodeApplication()); }
public void AsReqRoundtripParse() { var creds = new KerberosPasswordCredential("sdfsdfsdf", "sdfsdfsdf", "sdfsdfsdf"); var asReq = KrbAsReq.CreateAsReq(creds, AuthenticationOptions.AllAuthentication); var encoded = asReq.EncodeApplication(); var decoded = KrbAsReq.DecodeApplication(encoded); Assert.IsNotNull(decoded); }
public async Task HttpsTransportReceivesSuccess() { var transport = new HandledHttpsKerberosTransport(new SuccessKdcMessageDelegatingHandler()); transport.DomainPaths["adasdf"] = new Uri("https://test.internal/fake"); var asReq = KrbAsReq.CreateAsReq(new KerberosPasswordCredential(UserUpn, "P@ssw0rd!"), AuthenticationOptions.Forwardable); var response = await transport.SendMessage <KrbAsRep>("adasdf", asReq.EncodeApplication()); Assert.IsNotNull(response); transport.Dispose(); }
public void AsReqPreAuth_PkinitCertificateAccessible() { var credCert = new X509Certificate2(ReadDataFile("testuser.pfx"), "p"); var cred = new TrustedAsymmetricCredential(credCert, "*****@*****.**"); var asReq = KrbAsReq.CreateAsReq(cred, AuthenticationOptions.AllAuthentication); var handler = new KdcAsReqMessageHandler( asReq.EncodeApplication(), new ListenerOptions { DefaultRealm = "corp.identityintervention.com", RealmLocator = realm => new FakeRealmService(realm) }); handler.PreAuthHandlers[PaDataType.PA_PK_AS_REQ] = service => new PaDataPkAsReqHandler(service) { IncludeOption = X509IncludeOption.EndCertOnly }; var context = new PreAuthenticationContext(); handler.DecodeMessage(context); handler.ExecutePreValidate(context); handler.QueryPreValidate(context); handler.ValidateTicketRequest(context); handler.QueryPreExecute(context); handler.ExecuteCore(context); Assert.AreEqual(PaDataType.PA_PK_AS_REQ, context.ClientAuthority); Assert.AreEqual(1, context.PreAuthenticationState.Count); Assert.IsTrue(context.PreAuthenticationState.TryGetValue(PaDataType.PA_PK_AS_REQ, out PaDataState paState)); var state = paState as PkInitState; Assert.IsNotNull(state); Assert.IsNotNull(state.ClientCertificate); Assert.AreEqual(1, state.ClientCertificate.Count); var clientCert = state.ClientCertificate[0]; Assert.IsFalse(clientCert.HasPrivateKey); Assert.AreEqual(credCert.Thumbprint, clientCert.Thumbprint); }
private static KrbAsRep RequestTgt(out KrbEncryptionKey sessionKey) { var cred = new KerberosPasswordCredential(Upn, "P@ssw0rd!") { // cheating by skipping the initial leg of requesting PA-type Salts = new[] { new KeyValuePair <EncryptionType, string>( EncryptionType.AES256_CTS_HMAC_SHA1_96, "*****@*****.**" ) }, Configuration = Krb5Config.Default() }; var asReq = KrbAsReq.CreateAsReq( cred, AuthenticationOptions.AllAuthentication ); var handler = new KdcAsReqMessageHandler(asReq.EncodeApplication(), new KdcServerOptions { DefaultRealm = Realm, IsDebug = true, RealmLocator = realm => new FakeRealmService(realm) }); handler.PreAuthHandlers[PaDataType.PA_ENC_TIMESTAMP] = service => new PaDataTimestampHandler(service); var results = handler.Execute(); var decoded = KrbAsRep.DecodeApplication(results); var decrypted = cred.DecryptKdcRep( decoded, KeyUsage.EncAsRepPart, d => KrbEncAsRepPart.DecodeApplication(d) ); sessionKey = decrypted.Key; return(decoded); }
public Task Setup() { Port = new Random().Next(20000, 40000); var options = new ListenerOptions { ListeningOn = new IPEndPoint(IPAddress.Loopback, Port), DefaultRealm = "corp2.identityintervention.com".ToUpper(), RealmLocator = realm => LocateRealm(realm), QueueLength = 10 * 1000, ReceiveTimeout = TimeSpan.FromMinutes(60), Log = null }; listener = new KdcServiceListener(options); _ = listener.Start(); credential = Creds.GetOrAdd(AlgorithmType, a => new KerberosPasswordCredential(a + user, password)); asReq = new ReadOnlySequence <byte>(KrbAsReq.CreateAsReq(credential, DefaultAuthentication).EncodeApplication()); return(Task.CompletedTask); }
public static async Task <PingResult> Ping(KerberosCredential credential, Krb5Config config, ILoggerFactory logger = null) { credential.Configuration = config; var asReqMessage = KrbAsReq.CreateAsReq(credential, AuthenticationOptions.Renewable); var asReq = asReqMessage.EncodeApplication(); var transport = new KerberosTransportSelector( new IKerberosTransport[] { new TcpKerberosTransport(logger), new UdpKerberosTransport(logger), new HttpsKerberosTransport(logger) }, config, logger ) { ConnectTimeout = TimeSpan.FromSeconds(5) }; var result = new PingResult { AsReq = asReqMessage }; try { result.AsRep = await transport.SendMessage <KrbAsRep>(credential.Domain, asReq); } catch (KerberosProtocolException pex) { result.Error = pex.Error; } return(result); }
public async Task ParseKdcProxyMessage() { var req = KrbAsReq.CreateAsReq( new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"), 0 ).EncodeApplication(); var domain = "corp.identityintervention.com"; var hint = DcLocatorHint.DS_AVOID_SELF; var messageBytes = new Memory <byte>(new byte[req.Length + 4]); Endian.ConvertToBigEndian(req.Length, messageBytes.Slice(0, 4)); req.CopyTo(messageBytes.Slice(4, req.Length)); var message = new KdcProxyMessage { TargetDomain = domain, KerbMessage = messageBytes, DcLocatorHint = hint }; var kdc = new KdcServer(new ListenerOptions { RealmLocator = LocateFakeRealm }); var response = await kdc.ProcessMessage(new ReadOnlySequence <byte>(message.Encode())); Assert.IsTrue(response.Length > 0); Assert.IsFalse(KrbError.CanDecode(response)); var proxy = KdcProxyMessage.Decode(response); var preAuthReq = KrbError.DecodeApplication(proxy.UnwrapMessage()); Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, preAuthReq.ErrorCode); }
public async Task ProcessAsReq() { var requestCounter = 0; for (var i = 0; i < AuthenticationAttempts; i++) { var credential = Creds.GetOrAdd(AlgorithmType, a => new KerberosPasswordCredential(a + user, password)); var asReq = KrbAsReq.CreateAsReq(credential, DefaultAuthentication).EncodeApplication(); var message = new ReadOnlySequence <byte>(asReq); KdcAsReqMessageHandler handler = new KdcAsReqMessageHandler(message, listener.Options); var response = await handler.Execute(); Assert.IsNotNull(response); if (DisplayProgress) { CountItOut(ref requestCounter); } } }