public void CacheCannotBeNull()
{
var client = new KerberosClient
{
Cache = null
};
}
internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false)
{
KerberosClient client;
if (listener == null)
{
client = new KerberosClient();
client.PinKdc("corp.identityintervention.com", kdc);
}
else
{
IKerberosTransport transport = new InMemoryTransport(listener);
client = new KerberosClient(transports: transport);
}
client.Configuration.Defaults.DnsLookupKdc = queryDns;
client.CacheServiceTickets = caching;
client.RenewTickets = caching;
client.RenewTicketsThreshold = TimeSpan.MaxValue;
client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);
return(client);
}
private async Task S4u2Self(KerberosClient client)
{
var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}");
var myTgt = myTgtEntry.KdcResponse?.Ticket;
if (myTgt == null)
{
this.IO.Writer.WriteLine(SR.Resource("CommandLine_WhoAmI_NoTgt"));
return;
}
var result = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = client.UserPrincipalName,
UserToUserTicket = myTgt,
CacheTicket = false,
}
);
var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey()));
var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication());
this.DescribeTicket(identity as KerberosIdentity);
}
private static async Task RequestAndValidateTickets(
string user,
string password,
string overrideKdc,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true
)
{
var kerbCred = new KerberosPasswordCredential(user, password);
using (var client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
})
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var spn = FakeAppServiceSpn;
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac);
}
}
public async Task ClientRequestsServiceTicketBeforeAuthentication()
{
using (var client = new KerberosClient())
{
await client.GetServiceTicket("host/test.com");
}
}
private async Task GetServiceTicket(KerberosClient client)
{
await ExecuteWithErrorHandling(
client,
async c => await c.GetServiceTicket(this.ServicePrincipalName)
);
}
private static async Task RequestTickets(string user, string password, string overrideKdc)
{
var kerbCred = new KerberosPasswordCredential(user, password);
KerberosClient client = new KerberosClient(overrideKdc);
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
"host/appservice.corp.identityintervention.com",
ApOptions.MutualRequired
);
var encoded = ticket.EncodeApplication().ToArray();
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { "host/appservice.corp.identityintervention.com" }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
DumpClaims(validated);
}
private async Task RenewServiceTicket(KerberosClient client)
{
await ExecuteWithErrorHandling(
client,
async c => await c.RenewTicket()
);
}
/// Authenticates to the Kerberos domain and obtains
/// a Service Ticket to the service identified by the
/// configured Service Principal Name (SPN).
public async Task AuthenticateToKerberosAsync()
{
var kCred = new KerberosPasswordCredential(
_kerberosOptions.Username, _kerberosOptions.Password, _kerberosOptions.Domain);
var kClient = _options.KerberosOptions?.Client;
if (kClient == null)
{
kClient = new KerberosClient();
}
try
{
await kClient.Authenticate(kCred);
_serviceTicket = await kClient.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = _kerberosOptions.MapperServiceSpn,
ApOptions = ApOptions.MutualRequired,
});
_serviceTicketToken = ByteString.CopyFrom(_serviceTicket.ApReq.EncodeApplication().ToArray());
}
finally
{
if (kClient != _options.KerberosOptions?.Client)
{
kClient.Dispose();
}
}
}
private async Task GetServiceTicket(KerberosClient client)
{
try
{
await client.GetServiceTicket(this.ServicePrincipalName);
}
catch (AggregateException aex)
{
ICollection <Exception> exceptions = aex.InnerExceptions?.Where(e => e != null)?.ToList();
if (exceptions == null)
{
exceptions = new List <Exception>();
if (aex.InnerException != null)
{
exceptions.Add(aex.InnerException);
}
}
foreach (var ex in exceptions.Where(e => e != null))
{
if (ex is KerberosProtocolException kex && kex?.Error?.ErrorCode == KerberosErrorCode.KRB_AP_ERR_TKT_EXPIRED)
{
await PurgeTickets();
await client.GetServiceTicket(this.ServicePrincipalName);
break;
}
this.IO.Writer.WriteLine(ex?.Message ?? SR.Resource("Unknown Error"));
}
}
}
public void CacheFileFormat4Supported()
{
using (var client = new KerberosClient())
{
Assert.AreEqual(4, client.Configuration.Defaults.CCacheType);
Assert.IsNotNull(client.Cache);
}
}
public void CacheCannotBeNull()
{
#pragma warning disable IDE0067 // Dispose objects before losing scope
_ = new KerberosClient {
Cache = null
};
#pragma warning restore IDE0067 // Dispose objects before losing scope
}
public void ServiceTicketsNotCached()
{
using (var client = new KerberosClient())
{
Assert.IsNotNull(client.Cache);
Assert.IsFalse(client.CacheServiceTickets);
}
}
public void KerberosClientStartup()
{
using (var client = new KerberosClient())
{
Assert.IsNotNull(client);
Assert.AreEqual(3, client.Transports.Count());
}
}
private void DescribeClientDetails(KerberosClient client)
{
this.WriteLine();
this.WriteHeader(SR.Resource("CommandLine_KList_ClientDetails"));
this.WriteLine();
this.IO.ListProperties(client);
}
public void TcpClientEnabledByDefault()
{
var client = new KerberosClient();
var tcp = client.Transports.FirstOrDefault(t => t.Protocol == ProtocolType.Tcp);
Assert.IsNotNull(tcp);
Assert.IsTrue(tcp.Enabled);
}
public void CacheFileFormatBelow4Supported()
{
using (var client = new KerberosClient())
{
client.CacheInMemory = false;
client.Configuration.Defaults.CCacheType = 3;
Assert.IsNotNull(client.Cache);
}
}
public void UdpClientDisabledByDefault()
{
var client = new KerberosClient();
var udp = client.Transports.FirstOrDefault(t => t.Protocol == ProtocolType.Udp);
Assert.IsNotNull(udp);
Assert.IsFalse(udp.Enabled);
}
public void TcpClientEnabledByDefault()
{
using (var client = new KerberosClient())
{
var tcp = client.Transports.OfType <TcpKerberosTransport>().FirstOrDefault();
Assert.IsNotNull(tcp);
Assert.IsTrue(tcp.Enabled);
}
}
public async Task ClientConnectsToServer_Withtimeout()
{
var port = NextPort();
var client = new KerberosClient($"127.0.0.1:{port}")
{
ConnectTimeout = TimeSpan.FromMilliseconds(1)
};
await client.Authenticate(new KerberosPasswordCredential("test", "test", "test"));
}
public void HttpsTransportEnabledByDefault()
{
using (var client = new KerberosClient())
{
var https = client.Transports.OfType <HttpsKerberosTransport>().FirstOrDefault();
Assert.IsNotNull(https);
Assert.IsTrue(https.Enabled);
}
}
public void UdpTransportEnabledByDefault()
{
using (var client = new KerberosClient())
{
var udp = client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault();
Assert.IsNotNull(udp);
Assert.IsTrue(udp.Enabled);
}
}
public async Task RequestTgt(string algo)
{
var cred = new KerberosPasswordCredential(algo + user, password);
var client = new KerberosClient($"{overrideKdc}:{port}");
for (var i = 0; i < AuthenticationAttempts; i++)
{
await client.Authenticate(cred);
}
}
private static async Task RequestAndValidateTickets(
string user,
string password,
string overrideKdc,
string s4u = null,
bool encodeNego = false,
bool caching = false
)
{
var kerbCred = new KerberosPasswordCredential(user, password);
KerberosClient client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
};
await client.Authenticate(kerbCred);
var spn = "host/appservice.corp.identityintervention.com";
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = "host/appservice.corp.identityintervention.com",
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = "host/appservice.corp.identityintervention.com",
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket);
}
public void CacheSetDisposesCorrectly()
{
var disposableCache = new DisposableCache();
var client = new KerberosClient()
{
Cache = disposableCache
};
client.Cache = new DisposableCache();
Assert.IsTrue(disposableCache.Disposed);
}
public async Task ClientCannotGetExpiredCachedItem()
{
using (var client = new KerberosClient()
{
Cache = new Krb5TicketCache(FilePath)
})
{
await client.GetServiceTicket(new RequestServiceTicket
{
ServicePrincipalName = "krbtgt/IPA.IDENTITYINTERVENTION.COM"
});
}
}
private static async Task RequestTickets(string user, string password, string overrideKdc, string s4u, string spn)
{
var kerbCred = new KerberosPasswordCredential(user, password);
using (KerberosClient client = new KerberosClient(overrideKdc))
{
await client.Authenticate(kerbCred);
spn = spn ?? "host/appservice.corp.identityintervention.com";
KrbTicket s4uTicket = null;
if (!string.IsNullOrWhiteSpace(s4u))
{
var s4uSelf = await client.GetServiceTicket(
kerbCred.UserName,
ApOptions.MutualRequired,
s4u : s4u
);
s4uTicket = s4uSelf.Ticket;
}
var ticket = await client.GetServiceTicket(
spn,
ApOptions.MutualRequired,
s4uTicket : s4uTicket
);
var encoded = ticket.EncodeApplication().ToArray();
var authenticator = new KerberosAuthenticator(
new KeyTable(
new KerberosKey(
"P@ssw0rd!",
principalName: new PrincipalName(
PrincipalNameType.NT_PRINCIPAL,
"CORP.IDENTITYINTERVENTION.com",
new[] { spn }
),
saltType: SaltType.ActiveDirectoryUser
)
)
);
var validated = (KerberosIdentity)await authenticator.Authenticate(encoded);
DumpClaims(validated);
}
}
public async Task U2U()
{
var port = new Random().Next(20000, 40000);
var options = new ListenerOptions
{
ListeningOn = new IPEndPoint(IPAddress.Loopback, port),
DefaultRealm = "corp2.identityintervention.com".ToUpper(),
IsDebug = true,
RealmLocator = realm => LocateRealm(realm),
ReceiveTimeout = TimeSpan.FromHours(1)
};
KdcServiceListener listener = new KdcServiceListener(options);
_ = listener.Start();
var kerbClientCred = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
var client = new KerberosClient($"127.0.0.1:{port}");
await client.Authenticate(kerbClientCred);
var kerbServerCred = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
var server = new KerberosClient($"127.0.0.1:{port}");
await server.Authenticate(kerbClientCred);
var serverEntry = await server.Cache.Get <KerberosClientCacheEntry>($"krbtgt/{server.DefaultDomain}");
var serverTgt = serverEntry.Ticket.Ticket;
var apReq = await client.GetServiceTicket("host/u2u", ApOptions.MutualRequired | ApOptions.UseSessionKey, u2uServerTicket : serverTgt);
Assert.IsNotNull(apReq);
var decrypted = new DecryptedKrbApReq(apReq);
Assert.IsNull(decrypted.Ticket);
decrypted.Decrypt(serverEntry.SessionKey.AsKey());
decrypted.Validate(ValidationActions.All);
Assert.IsNotNull(decrypted.Ticket);
Assert.AreEqual("host/u2u/CORP.IDENTITYINTERVENTION.COM", decrypted.SName.FullyQualifiedName);
listener.Stop();
}
private async Task S4u2Self(KerberosClient client)
{
if (client.Cache is LsaCredentialCache)
{
this.WriteLineError("The whoami command isn't supported with the LSA Cache");
return;
}
var myTgtEntry = client.Cache.GetCacheItem <KerberosClientCacheEntry>($"krbtgt/{client.DefaultDomain}");
var myTgt = myTgtEntry.KdcResponse?.Ticket;
if (myTgt == null)
{
this.WriteHeader(SR.Resource("CommandLine_WhoAmI_NoTgt"));
return;
}
try
{
var result = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = client.UserPrincipalName,
UserToUserTicket = myTgt,
CacheTicket = false,
S4uTarget = client.UserPrincipalName
}
);
var authenticator = new KerberosAuthenticator(new KerberosValidator(myTgtEntry.SessionKey.AsKey()));
var identity = await authenticator.Authenticate(result.ApReq.EncodeApplication());
this.DescribeTicket(identity as KerberosIdentity);
}
catch (KerberosProtocolException kex)
{
this.WriteLine();
this.WriteLine(1, "{ErrorCode}: {ErrorText}", kex.Error.ErrorCode, kex.Error.ETextWithoutCode());
if (kex.Error.ErrorCode == KerberosErrorCode.KRB_AP_ERR_TKT_EXPIRED)
{
this.WriteLine();
this.WriteLine(1, SR.Resource("CommandLine_WhoAmI_NoTgt"));
}
}
}
public async Task KrbCredImportsAndGets()
{
var krbCred = CreateKrbCredential();
using (var client = new KerberosClient())
{
client.ImportCredential(krbCred);
var serviceTicket = await client.GetServiceTicket("host/test.com");
Assert.IsNotNull(serviceTicket);
Assert.IsNotNull(serviceTicket.Authenticator);
Assert.IsNotNull(serviceTicket.Ticket);
}
}
