public void LocateKey_NoSalts() { var cred = new KeytabCredential("*****@*****.**", new KeyTable(Aes128Key, RC4Key)); var key = cred.CreateKey(); Assert.IsNotNull(key); Assert.AreEqual(EncryptionType.RC4_HMAC_NT, key.EncryptionType); }
public void LocateKey_AesSalts() { var cred = new KeytabCredential("*****@*****.**", new KeyTable(Aes128Key, RC4Key)) { Salts = new[] { KeyValuePair.Create(EncryptionType.AES128_CTS_HMAC_SHA1_96, "asfsdz") } }; var key = cred.CreateKey(); Assert.IsNotNull(key); Assert.AreEqual(EncryptionType.AES128_CTS_HMAC_SHA1_96, key.EncryptionType); }
private static async Task RequestAndValidateTickets( string user, string password = null, string overrideKdc = null, KeyTable keytab = null, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true, X509Certificate2 cert = null ) { KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, user); } else if (keytab != null) { kerbCred = new KeytabCredential(user, keytab); } else { kerbCred = new KerberosPasswordCredential(user, password); } using (var client = new KerberosClient(overrideKdc) { CacheServiceTickets = caching }) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var spn = FakeAppServiceSpn; var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, includePac : includePac); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, encodeNego, includePac : includePac); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired, S4uTarget = s4u } ); await ValidateTicket(ticket, includePac : includePac); } }
public void CreateKey() { var cred = new KeytabCredential("sdfsdf", new KeyTable(), "sdfsdf"); Assert.IsNotNull(cred); }
internal static async Task RequestAndValidateTickets( KdcListener listener, string user, string password = null, string overrideKdc = null, KeyTable keytab = null, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true, X509Certificate2 cert = null, string spn = FakeAppServiceSpn, KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14 ) { KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, user) { KeyAgreement = keyAgreement }; } else if (keytab != null) { kerbCred = new KeytabCredential(user, keytab); } else { kerbCred = new KerberosPasswordCredential(user, password); } KerberosClient client = CreateClient(listener, overrideKdc, caching: caching); using (client) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, includePac : includePac, spn : spn); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired, S4uTarget = s4u } ); await ValidateTicket(ticket, includePac : includePac, spn : spn); } }
static async Task Main(string[] args) { loggerFactory = LoggerFactory.Create(builder => { builder .AddFilter("Microsoft", LogLevel.Warning) .AddFilter("System", LogLevel.Warning) .AddFilter("RestNegotiateClient.Program", LogLevel.Debug) .AddFilter("Kerberos.Net", LogLevel.Trace) .AddConsole(delegate(ConsoleLoggerOptions d) { }); }); logger = loggerFactory.CreateLogger <Program>(); /*CommandLineArguments parsedArgs = new CommandLineArguments(args); * String url = (String) parsedArgs.GetValueOrDefault(""); * if (!parsedArgs.ContainsKey("keytab")) { * await Console.Error.WriteLineAsync("Syntax: RestNegotiateClient --keytab <keytab> --principal <principal> <url>"); * return; * } * String keytab = (String) parsedArgs.GetValueOrDefault("keytab", "krb5.keytab"); * String principal = (String) parsedArgs.GetValueOrDefault("principal", "cud/[email protected]");*/ String keytab = args[0]; String principal = args[1]; String url = args[2]; String outfile = args[3]; Console.Error.WriteLine("keytab={0}, principal={1}, url={2}", keytab, principal, url, outfile); // Check URL is syntactically valid Uri uri = null; if (!Uri.TryCreate(url, UriKind.Absolute, out uri)) { throw new ArgumentException(String.Format("Invalid URL: {0}", url)); } var client = new KerberosClient("kdc0.ox.ac.uk", loggerFactory); client.AuthenticationOptions ^= AuthenticationOptions.Canonicalize; var udp = client.Transports.OfType <UdpKerberosTransport>().FirstOrDefault(); udp.Enabled = true; var keyTable = new KeyTable(File.ReadAllBytes(keytab)); var kerbCred = new KeytabCredential(principal, keyTable, "OX.AC.UK"); logger.LogDebug("User name: {0}", kerbCred.UserName); await client.Authenticate(kerbCred); logger.LogDebug("Authenticated!"); // Now get a service ticket for the HTTP server and perform the request String serverPrincipal = String.Format("HTTP/{0}", uri.DnsSafeHost); var ticket = await client.GetServiceTicket(serverPrincipal); String spnego = Convert.ToBase64String(ticket.EncodeGssApi().ToArray()); var httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", spnego); using (var outStream = File.Open(outfile, FileMode.Create)) { var httpStream = await httpClient.GetStreamAsync(uri); await httpStream.CopyToAsync(outStream); } }
internal static async Task RequestAndValidateTicketsWithCaches( KdcListener listener, string user, string password = null, string overrideKdc = null, KeyTable keytab = null, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true, X509Certificate2 cert = null, string spn = FakeAppServiceSpn, KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14, bool allowWeakCrypto = false, bool useWeakCrypto = false, bool mutualAuth = true, KrbTicket s4uTicket = null, bool useKrb5TicketCache = false ) { KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, user) { KeyAgreement = keyAgreement }; } else if (keytab != null) { kerbCred = new KeytabCredential(user, keytab); } else { kerbCred = new KerberosPasswordCredential(user, password); } KerberosClient client = CreateClient( listener, overrideKdc, caching: caching, allowWeakCrypto: allowWeakCrypto, useWeakCrypto: useWeakCrypto, useKrb5TicketCache: useKrb5TicketCache ); using (kerbCred as IDisposable) using (client) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = mutualAuth ? ApOptions.MutualRequired : 0 } ); await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = mutualAuth ? ApOptions.MutualRequired : 0 } ); await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = mutualAuth ? ApOptions.MutualRequired : 0, S4uTarget = s4u, S4uTicket = s4uTicket } ); await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth); } if (user.Contains("-fallback")) { Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType); } else { Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType); } }