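/// <summary>
/// Authenticates <paramref name="user"/> against the KDC — by password, or by certificate
/// when <paramref name="cert"/> is supplied — requests a service ticket for
/// <paramref name="spn"/> (optionally carrying an S4U ticket obtained for <paramref name="s4u"/>),
/// dumps the ticket and, unless <paramref name="retryDH"/> is set, attempts a best-effort
/// validation of it with the service key material.
/// </summary>
/// <param name="cert">Client certificate for PKINIT; <c>null</c> selects password authentication.</param>
/// <param name="user">Principal name used to build the credential.</param>
/// <param name="password">Password for <paramref name="user"/>; only used when <paramref name="cert"/> is <c>null</c>.</param>
/// <param name="overrideKdc">
/// Either an absolute URL (treated as a KDC proxy reached over <see cref="HttpsKerberosTransport"/>)
/// or a value handed straight to the <see cref="KerberosClient"/> constructor.
/// </param>
/// <param name="s4u">Optional principal for the S4U request; skipped when null/blank.</param>
/// <param name="spn">Target service principal; a fixed <c>host/</c> SPN is used when <c>null</c>.</param>
/// <param name="retryDH">Selects <see cref="RandomDHAsymmetricCredential"/> over <see cref="TrustedKdcAsymmetricCredential"/> for PKINIT and skips validation.</param>
/// <param name="includeCNameHint">When true, sets the client's <c>CNameHint</c> from the credential's user name and domain.</param>
/// <param name="servicePassword">Service account password, passed through to <c>TryValidate</c>.</param>
/// <param name="serviceSalt">Service account key salt, passed through to <c>TryValidate</c>.</param>
private static async Task RequestTickets(
    X509Certificate2 cert,
    string user,
    string password,
    string overrideKdc,
    string s4u,
    string spn,
    bool retryDH,
    bool includeCNameHint,
    string servicePassword,
    string serviceSalt
)
{
    // NOTE: an earlier version also walked an X509Chain for `cert` (with revocation checks
    // disabled) and collected the issuer certificates into a list that was never read, and
    // never disposed the chain. That dead code is gone; no trust decision about `cert` is
    // made here — it is left to the credential/library.
    KerberosCredential kerbCred;

    if (cert == null)
    {
        kerbCred = new KerberosPasswordCredential(user, password);
    }
    else if (retryDH)
    {
        kerbCred = new RandomDHAsymmetricCredential(cert, user);
    }
    else
    {
        kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
    }

    KerberosClient client;

    if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy))
    {
        // Route both the proxy's own host and the credential's realm through the proxy.
        // Indexer assignment instead of a collection initializer: when the proxy host and
        // the realm are the same name, the initializer's Add() throws on the duplicate key.
        var domainPaths = new Dictionary<string, Uri>();
        domainPaths[kdcProxy.DnsSafeHost.ToLowerInvariant()] = kdcProxy;

        // A credential without a realm (e.g. a bare user name) has no second path to add.
        if (!string.IsNullOrEmpty(kerbCred.Domain))
        {
            domainPaths[kerbCred.Domain.ToLowerInvariant()] = kdcProxy;
        }

        var kdcProxyTransport = new HttpsKerberosTransport()
        {
            DomainPaths = domainPaths
        };

        client = new KerberosClient(null, kdcProxyTransport);
    }
    else
    {
        client = new KerberosClient(overrideKdc);
    }

    if (includeCNameHint)
    {
        client.CNameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
    }

    // Password credentials are not necessarily disposable; `using` on a null reference is a no-op.
    using (client)
    using (kerbCred as IDisposable)
    {
        await client.Authenticate(kerbCred);

        W("AS-REQ Succeeded", ConsoleColor.Green);

        spn = spn ?? "host/appservice.corp.identityintervention.com";

        KrbTicket s4uTicket = null;

        if (!string.IsNullOrWhiteSpace(s4u))
        {
            var s4uSelf = await client.GetServiceTicket(kerbCred.UserName, ApOptions.MutualRequired, s4u: s4u);

            s4uTicket = s4uSelf.Ticket;
        }

        var ticket = await client.GetServiceTicket(spn, ApOptions.MutualRequired, s4uTicket: s4uTicket);

        DumpTicket(ticket);
        ResetColor();

        // Validation needs the service key; it is skipped for the DH retry path.
        if (!retryDH)
        {
            try
            {
                await TryValidate(spn, ticket, servicePassword, serviceSalt);
            }
            catch (Exception ex)
            {
                // Best-effort diagnostics: report the failure, keep the ticket dump above.
                W(ex.Message, ConsoleColor.Yellow);
                ResetColor();
            }
        }
    }
}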
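/// <summary>
/// Authenticates <paramref name="user"/> against the KDC — by password, or by certificate
/// when <paramref name="cert"/> is supplied — using a client configured through
/// <c>client.Configuration</c>, requests a service ticket for <paramref name="spn"/>
/// (optionally carrying an S4U ticket obtained for <paramref name="s4u"/>), dumps the
/// resulting AP-REQ and, unless <paramref name="retryDH"/> is set, attempts a best-effort
/// validation of it with the service key material.
/// </summary>
/// <param name="cert">Client certificate for PKINIT; <c>null</c> selects password authentication.</param>
/// <param name="user">Principal name used to build the credential.</param>
/// <param name="password">Password for <paramref name="user"/>; only used when <paramref name="cert"/> is <c>null</c>.</param>
/// <param name="overrideKdc">
/// An absolute URL registers a KDC proxy for both its host and the credential's realm and
/// turns off DNS KDC lookup; any other non-blank value is pinned as the realm's KDC.
/// </param>
/// <param name="s4u">Optional principal for the S4U request; skipped when null/blank.</param>
/// <param name="spn">Target service principal; a fixed <c>host/</c> SPN is used when <c>null</c>.</param>
/// <param name="retryDH">Selects <see cref="RandomDHAsymmetricCredential"/> over <see cref="TrustedKdcAsymmetricCredential"/> for PKINIT and skips validation.</param>
/// <param name="includeCNameHint">When true, a <c>CNameHint</c> built from the credential is attached to the service-ticket request.</param>
/// <param name="servicePassword">Service account password, passed through to <c>TryValidate</c>.</param>
/// <param name="serviceSalt">Service account key salt, passed through to <c>TryValidate</c>.</param>
/// <param name="cacheToFile">When true, sets the client's default credential cache name to <c>krb5cc</c>.</param>
private static async Task RequestTickets(
    X509Certificate2 cert,
    string user,
    string password,
    string overrideKdc,
    string s4u,
    string spn,
    bool retryDH,
    bool includeCNameHint,
    string servicePassword,
    string serviceSalt,
    bool cacheToFile
)
{
    // NOTE: an earlier version also walked an X509Chain for `cert` (with revocation checks
    // disabled) and collected the issuer certificates into a list that was never read, and
    // never disposed the chain. That dead code is gone; no trust decision about `cert` is
    // made here — it is left to the credential/library.
    KerberosCredential kerbCred;

    if (cert == null)
    {
        kerbCred = new KerberosPasswordCredential(user, password);
    }
    else if (retryDH)
    {
        kerbCred = new RandomDHAsymmetricCredential(cert, user);
    }
    else
    {
        kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
    }

    // Trace-level console logging with scopes, shared by the client and TryValidate.
    var factory = LoggerFactory.Create(builder =>
    {
        builder.AddConsole(opt => opt.IncludeScopes = true);
        builder.AddFilter<ConsoleLoggerProvider>(level => level >= LogLevel.Trace);
    });

    // The logger factory is IDisposable (the console provider buffers output); it was
    // previously never disposed. It is the outermost scope because TryValidate uses it
    // inside the client's lifetime. The client is now created inside its own `using`, so
    // a failure while configuring it can no longer leak it.
    using (factory)
    using (var client = new KerberosClient(logger: factory))
    using (kerbCred as IDisposable)
    {
        if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy))
        {
            client.Configuration.Realms[kdcProxy.DnsSafeHost].Kdc.Add(kdcProxy.OriginalString);
            client.Configuration.Realms[kerbCred.Domain].Kdc.Add(kdcProxy.OriginalString);
            client.Configuration.Defaults.DnsLookupKdc = false;
        }
        else if (!string.IsNullOrWhiteSpace(overrideKdc))
        {
            client.Configuration.Defaults.DnsLookupKdc = false;
            client.PinKdc(kerbCred.Domain, overrideKdc);
        }

        if (cacheToFile)
        {
            client.Configuration.Defaults.DefaultCCacheName = "krb5cc";
        }

        KrbPrincipalName cnameHint = null;

        if (includeCNameHint)
        {
            cnameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
        }

        client.RenewTickets = true;

        await client.Authenticate(kerbCred);

        spn = spn ?? "host/appservice.corp.identityintervention.com";

        KrbTicket s4uTicket = null;

        if (!string.IsNullOrWhiteSpace(s4u))
        {
            var s4uSelf = await client.GetServiceTicket(kerbCred.UserName, ApOptions.MutualRequired, s4u: s4u);

            s4uTicket = s4uSelf.Ticket;
        }

        var session = await client.GetServiceTicket(
            new RequestServiceTicket
            {
                ServicePrincipalName = spn,
                ApOptions = ApOptions.MutualRequired,
                S4uTicket = s4uTicket,
                CNameHint = cnameHint
            }
        );

        DumpTicket(session.ApReq);
        ResetColor();

        // Validation needs the service key; it is skipped for the DH retry path.
        if (!retryDH)
        {
            try
            {
                await TryValidate(spn, session.ApReq, servicePassword, serviceSalt, factory);
            }
            catch (Exception ex)
            {
                // Best-effort diagnostics: report the failure, keep the ticket dump above.
                W(ex.Message, ConsoleColor.Yellow);
                ResetColor();
            }
        }
    }
}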