public void NegotiateStream_StreamToStream_Authentication_Success() { VirtualNetwork network = new VirtualNetwork(); using (var clientStream = new VirtualNetworkStream(network, isServer: false)) using (var serverStream = new VirtualNetworkStream(network, isServer: true)) using (var client = new NegotiateStream(clientStream)) using (var server = new NegotiateStream(serverStream)) { Assert.False(client.IsAuthenticated); Assert.False(server.IsAuthenticated); Task[] auth = new Task[2]; auth[0] = client.AuthenticateAsClientAsync(); auth[1] = server.AuthenticateAsServerAsync(); bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds); Assert.True(finished, "Handshake completed in the allotted time"); // Expected Client property values: Assert.True(client.IsAuthenticated); Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel); Assert.Equal(true, client.IsEncrypted); Assert.Equal(false, client.IsMutuallyAuthenticated); Assert.Equal(false, client.IsServer); Assert.Equal(true, client.IsSigned); Assert.Equal(false, client.LeaveInnerStreamOpen); IIdentity serverIdentity = client.RemoteIdentity; Assert.Equal("NTLM", serverIdentity.AuthenticationType); Assert.Equal(false, serverIdentity.IsAuthenticated); Assert.Equal("", serverIdentity.Name); // Expected Server property values: Assert.True(server.IsAuthenticated); Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel); Assert.Equal(true, server.IsEncrypted); Assert.Equal(false, server.IsMutuallyAuthenticated); Assert.Equal(true, server.IsServer); Assert.Equal(true, server.IsSigned); Assert.Equal(false, server.LeaveInnerStreamOpen); IIdentity clientIdentity = server.RemoteIdentity; Assert.Equal("NTLM", clientIdentity.AuthenticationType); Assert.Equal(true, clientIdentity.IsAuthenticated); IdentityValidator.AssertIsCurrentIdentity(clientIdentity); } }
public void NegotiateStream_StreamToStream_Successive_ClientWrite_Async_Success() { byte[] recvBuf = new byte[_sampleMsg.Length]; VirtualNetwork network = new VirtualNetwork(); using (var clientStream = new VirtualNetworkStream(network, isServer: false)) using (var serverStream = new VirtualNetworkStream(network, isServer: true)) using (var client = new NegotiateStream(clientStream)) using (var server = new NegotiateStream(serverStream)) { Assert.False(client.IsAuthenticated); Assert.False(server.IsAuthenticated); Task[] auth = new Task[2]; auth[0] = client.AuthenticateAsClientAsync(); auth[1] = server.AuthenticateAsServerAsync(); bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds); Assert.True(finished, "Handshake completed in the allotted time"); auth[0] = client.WriteAsync(_sampleMsg, 0, _sampleMsg.Length); auth[1] = server.ReadAsync(recvBuf, 0, _sampleMsg.Length); finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds); Assert.True(finished, "Send/receive completed in the allotted time"); Assert.True(_sampleMsg.SequenceEqual(recvBuf)); auth[0] = client.WriteAsync(_sampleMsg, 0, _sampleMsg.Length); auth[1] = server.ReadAsync(recvBuf, 0, _sampleMsg.Length); finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds); Assert.True(finished, "Send/receive completed in the allotted time"); Assert.True(_sampleMsg.SequenceEqual(recvBuf)); } }
protected override Task AuthenticateAsClientAsync(NegotiateStream client, NetworkCredential credential, string targetName) => client.AuthenticateAsClientAsync(credential, targetName);
public void NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails() { string targetName = "testTargetName"; // Ensure there is no confusion between DefaultCredentials / DefaultNetworkCredentials and a // NetworkCredential object with empty user, password and domain. NetworkCredential emptyNetworkCredential = new NetworkCredential("", "", ""); Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultCredentials); Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultNetworkCredentials); VirtualNetwork network = new VirtualNetwork(); using (var clientStream = new VirtualNetworkStream(network, isServer: false)) using (var serverStream = new VirtualNetworkStream(network, isServer: true)) using (var client = new NegotiateStream(clientStream)) using (var server = new NegotiateStream(serverStream)) { Assert.False(client.IsAuthenticated); Assert.False(server.IsAuthenticated); Task[] auth = new Task[2]; auth[0] = client.AuthenticateAsClientAsync(emptyNetworkCredential, targetName); auth[1] = server.AuthenticateAsServerAsync(); bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds); Assert.True(finished, "Handshake completed in the allotted time"); // Expected Client property values: Assert.True(client.IsAuthenticated); Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel); Assert.Equal(true, client.IsEncrypted); Assert.Equal(false, client.IsMutuallyAuthenticated); Assert.Equal(false, client.IsServer); Assert.Equal(true, client.IsSigned); Assert.Equal(false, client.LeaveInnerStreamOpen); IIdentity serverIdentity = client.RemoteIdentity; Assert.Equal("NTLM", serverIdentity.AuthenticationType); Assert.Equal(true, serverIdentity.IsAuthenticated); Assert.Equal(targetName, serverIdentity.Name); // Expected Server property values: Assert.True(server.IsAuthenticated); Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel); Assert.Equal(true, server.IsEncrypted); Assert.Equal(false, server.IsMutuallyAuthenticated); Assert.Equal(true, server.IsServer); Assert.Equal(true, server.IsSigned); Assert.Equal(false, server.LeaveInnerStreamOpen); IIdentity clientIdentity = server.RemoteIdentity; Assert.Equal("NTLM", clientIdentity.AuthenticationType); // TODO #5241: Behavior difference: Assert.Equal(false, clientIdentity.IsAuthenticated); // On .Net Desktop: Assert.Equal(true, clientIdentity.IsAuthenticated); IdentityValidator.AssertHasName(clientIdentity, @"NT AUTHORITY\ANONYMOUS LOGON"); } }
protected override Task AuthenticateAsClientAsync(NegotiateStream client, NetworkCredential credential, string targetName) => client.AuthenticateAsClientAsync(credential, targetName, ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
protected override Task AuthenticateAsClientAsync(NegotiateStream client, NetworkCredential credential, string targetName) => client.AuthenticateAsClientAsync(credential, null, targetName);
public void NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails() { string targetName = "testTargetName"; // Ensure there is no confusion between DefaultCredentials / DefaultNetworkCredentials and a // NetworkCredential object with empty user, password and domain. NetworkCredential emptyNetworkCredential = new NetworkCredential("", "", ""); Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultCredentials); Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultNetworkCredentials); VirtualNetwork network = new VirtualNetwork(); using (var clientStream = new VirtualNetworkStream(network, isServer: false)) using (var serverStream = new VirtualNetworkStream(network, isServer: true)) using (var client = new NegotiateStream(clientStream)) using (var server = new NegotiateStream(serverStream)) { Assert.False(client.IsAuthenticated); Assert.False(server.IsAuthenticated); Task[] auth = new Task[2]; auth[0] = client.AuthenticateAsClientAsync(emptyNetworkCredential, targetName); auth[1] = server.AuthenticateAsServerAsync(); bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds); Assert.True(finished, "Handshake completed in the allotted time"); // Expected Client property values: Assert.True(client.IsAuthenticated); Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel); Assert.Equal(true, client.IsEncrypted); Assert.Equal(false, client.IsMutuallyAuthenticated); Assert.Equal(false, client.IsServer); Assert.Equal(true, client.IsSigned); Assert.Equal(false, client.LeaveInnerStreamOpen); IIdentity serverIdentity = client.RemoteIdentity; Assert.Equal("NTLM", serverIdentity.AuthenticationType); Assert.Equal(true, serverIdentity.IsAuthenticated); Assert.Equal(targetName, serverIdentity.Name); // Expected Server property values: Assert.True(server.IsAuthenticated); Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel); Assert.Equal(true, server.IsEncrypted); Assert.Equal(false, server.IsMutuallyAuthenticated); Assert.Equal(true, server.IsServer); Assert.Equal(true, server.IsSigned); Assert.Equal(false, server.LeaveInnerStreamOpen); IIdentity clientIdentity = server.RemoteIdentity; Assert.Equal("NTLM", clientIdentity.AuthenticationType); // TODO #5241: Behavior difference: Assert.Equal(false, clientIdentity.IsAuthenticated); // On .Net Desktop: Assert.Equal(true, clientIdentity.IsAuthenticated); IdentityValidator.AssertHasName(clientIdentity, @"NT AUTHORITY\ANONYMOUS LOGON"); } }
private async Task VerifyAuthentication(NetworkCredential credential) { string serverName = Configuration.Security.NegotiateServer.Host; int port = Configuration.Security.NegotiateServer.Port; string serverSPN = "HOST/" + serverName; bool isLocalhost = await IsLocalHost(serverName); string expectedAuthenticationType = "Kerberos"; bool mutualAuthenitcated = true; if (credential == CredentialCache.DefaultNetworkCredentials && isLocalhost) { expectedAuthenticationType = "NTLM"; } else if (credential != CredentialCache.DefaultNetworkCredentials && (string.IsNullOrEmpty(credential.UserName) || string.IsNullOrEmpty(credential.Password))) { // Anonymous authentication. expectedAuthenticationType = "NTLM"; mutualAuthenitcated = false; } using (var client = new TcpClient()) { await client.ConnectAsync(serverName, port); NetworkStream clientStream = client.GetStream(); using (var auth = new NegotiateStream(clientStream, leaveInnerStreamOpen:false)) { await auth.AuthenticateAsClientAsync( credential, serverSPN, ProtectionLevel.EncryptAndSign, System.Security.Principal.TokenImpersonationLevel.Identification); Assert.Equal(expectedAuthenticationType, auth.RemoteIdentity.AuthenticationType); Assert.Equal(serverSPN, auth.RemoteIdentity.Name); Assert.Equal(true, auth.IsAuthenticated); Assert.Equal(true, auth.IsEncrypted); Assert.Equal(mutualAuthenitcated, auth.IsMutuallyAuthenticated); Assert.Equal(true, auth.IsSigned); // Send a message to the server. Encode the test data into a byte array. byte[] message = Encoding.UTF8.GetBytes("Hello from the client."); await auth.WriteAsync(message, 0, message.Length); } } }
/// <summary> /// Handles the connection process of clients /// </summary> private void HandleClientComm(object sender) { //This conntects the client //first we need an rescue timer _BootUpTimer = new Timer(new TimerCallback(_BootUpTimer_Elapsed), null, 0, 100); bool leaveInnerStreamOpen = false; try { _SocketTCPClient.LingerState = new LingerOption(true, 10); // encryption if (_Mode == VaserOptions.ModeKerberos) { _ConnectionStream = new NetworkStream(_SocketTCPClient); QueueSend = QueueSendKerberos; _AuthStream = new NegotiateStream(_ConnectionStream, leaveInnerStreamOpen); } if (_Mode == VaserOptions.ModeSSL) { _ConnectionStream = new NetworkStream(_SocketTCPClient); QueueSend = QueueSendSSL; _sslStream = new SslStream(_ConnectionStream, leaveInnerStreamOpen); } if (_Mode == VaserOptions.ModeNotEncrypted) { QueueSend = QueueSendNotEncrypted; //_NotEncryptedStream = _ConnectionStream; } if (IsServer) { //server if (_Mode == VaserOptions.ModeKerberos) { if (_vKerberosS._policy == null) { if (_vKerberosS._credential == null) { _AuthStream.AuthenticateAsServerAsync(); } else { _AuthStream.AuthenticateAsServerAsync(_vKerberosS._credential, _vKerberosS._requiredProtectionLevel, _vKerberosS._requiredImpersonationLevel); } } else { if (_vKerberosS._credential == null) { _AuthStream.AuthenticateAsServerAsync(_vKerberosS._policy); } else { _AuthStream.AuthenticateAsServerAsync(_vKerberosS._credential, _vKerberosS._policy, _vKerberosS._requiredProtectionLevel, _vKerberosS._requiredImpersonationLevel); } } link.IsAuthenticated = _AuthStream.IsAuthenticated; link.IsEncrypted = _AuthStream.IsEncrypted; link.IsMutuallyAuthenticated = _AuthStream.IsMutuallyAuthenticated; link.IsSigned = _AuthStream.IsSigned; link.IsServer = _AuthStream.IsServer; IIdentity id = _AuthStream.RemoteIdentity; link.UserName = id.Name; } if (_Mode == VaserOptions.ModeSSL) { if (_vSSLS._enabledSslProtocols == SslProtocols.None) { _sslStream.AuthenticateAsServerAsync(_vSSLS._serverCertificate); } else { _sslStream.AuthenticateAsServerAsync(_vSSLS._serverCertificate, _vSSLS._clientCertificateRequired, _vSSLS._enabledSslProtocols, _vSSLS._checkCertificateRevocation); } link.IsEncrypted = true; link.IsServer = true; } if (_Mode == VaserOptions.ModeNotEncrypted) { link.IsServer = true; } link.vServer = server; BootupDone = true; server.AddNewLink(link); } else { //client if (_Mode == VaserOptions.ModeKerberos) { if (_vKerberosC._binding == null) { if (_vKerberosC._credential == null) { _AuthStream.AuthenticateAsClientAsync(); } else { if (_vKerberosC._requiredProtectionLevel == ProtectionLevel.None && _vKerberosC._requiredImpersonationLevel == TokenImpersonationLevel.None) { _AuthStream.AuthenticateAsClientAsync(_vKerberosC._credential, _vKerberosC._targetName); } else { _AuthStream.AuthenticateAsClientAsync(_vKerberosC._credential, _vKerberosC._targetName, _vKerberosC._requiredProtectionLevel, _vKerberosC._requiredImpersonationLevel); } } } else { if (_vKerberosC._requiredProtectionLevel == ProtectionLevel.None && _vKerberosC._requiredImpersonationLevel == TokenImpersonationLevel.None) { _AuthStream.AuthenticateAsClientAsync(_vKerberosC._credential, _vKerberosC._binding, _vKerberosC._targetName); } else { _AuthStream.AuthenticateAsClientAsync(_vKerberosC._credential, _vKerberosC._binding, _vKerberosC._targetName, _vKerberosC._requiredProtectionLevel, _vKerberosC._requiredImpersonationLevel); } } link.IsAuthenticated = _AuthStream.IsAuthenticated; link.IsEncrypted = _AuthStream.IsEncrypted; link.IsMutuallyAuthenticated = _AuthStream.IsMutuallyAuthenticated; link.IsSigned = _AuthStream.IsSigned; link.IsServer = _AuthStream.IsServer; IIdentity id = _AuthStream.RemoteIdentity; } if (_Mode == VaserOptions.ModeSSL) { if (_vSSLC._clientCertificates == null) { _sslStream.AuthenticateAsClientAsync(_vSSLC._targetHost); } else { _sslStream.AuthenticateAsClientAsync(_vSSLC._targetHost, _vSSLC._clientCertificates, _vSSLC._enabledSslProtocols, _vSSLC._checkCertificateRevocation); } link.IsEncrypted = true; } //Thread.Sleep(50); BootupDone = true; _IsAccepted = true; if (_Mode == VaserOptions.ModeNotEncrypted) { ThreadPool.QueueUserWorkItem(ReceiveNotEncrypted); } if (_Mode == VaserOptions.ModeKerberos) { ThreadPool.QueueUserWorkItem(ReceiveKerberos); } if (_Mode == VaserOptions.ModeSSL) { ThreadPool.QueueUserWorkItem(ReceiveSSL); } } if (EnableHeartbeat) { HeartbeatTimer = new Timer(new TimerCallback(OnHeartbeatEvent), null, HeartbeatMilliseconds, HeartbeatMilliseconds); } } catch (AuthenticationException e) { Debug.WriteLine("Authentication failed. " + e.ToString()); _BootUpTimer.Dispose(); Stop(); return; } catch (Exception e) { Debug.WriteLine("Authentication failed. " + e.ToString()); _BootUpTimer.Dispose(); Stop(); return; } // encryption END _BootUpTimer.Dispose(); _BootUpTimer = null; }