protected static bool?DetectPacRequirement(KrbKdcReq asReq)
{
var pacRequest = asReq.PaData.FirstOrDefault(pa => pa.Type == PaDataType.PA_PAC_REQUEST);
if (pacRequest != null)
{
var paPacRequest = KrbPaPacRequest.Decode(pacRequest.Value);
return(paPacRequest.IncludePac);
}
return(null);
}
private async Task <ReadOnlyMemory <byte> > GenerateAsRep(KrbAsReq asReq, IKerberosPrincipal principal)
{
// 1. detect if specific PAC contents are requested (claims)
// 2. if requested generate PAC for user
// 3. stuff PAC into ad-if-relevant pa-data of krbtgt ticket
// 4. look up krbtgt account
// 5. encrypt against krbtgt
// 6. done
var requirements = new List <KrbPaData>();
foreach (var handler in postProcessAuthHandlers)
{
await InvokePreAuthHandler(null, principal, requirements, handler.Value);
}
var rst = new ServiceTicketRequest
{
Principal = principal,
Addresses = asReq.Body.Addresses,
Nonce = asReq.Body.Nonce,
IncludePac = true,
Flags = TicketFlags.Initial | KrbKdcRep.DefaultFlags
};
rst.EncryptedPartKey = await principal.RetrieveLongTermCredential();
var pacRequest = asReq.PaData.FirstOrDefault(pa => pa.Type == PaDataType.PA_PAC_REQUEST);
if (pacRequest != null)
{
var paPacRequest = KrbPaPacRequest.Decode(pacRequest.Value);
rst.IncludePac = paPacRequest.IncludePac;
}
var asRep = await KrbAsRep.GenerateTgt(rst, RealmService);
asRep.PaData = requirements.ToArray();
return(asRep.EncodeApplication());
}
private async Task <ReadOnlyMemory <byte> > GenerateAsRep(PreAuthenticationContext preauth, KrbAsReq asReq)
{
// 1. detect if specific PAC contents are requested (claims)
// 2. if requested generate PAC for user
// 3. stuff PAC into ad-if-relevant pa-data of krbtgt ticket
// 4. look up krbtgt account
// 5. encrypt against krbtgt
// 6. done
var rst = new ServiceTicketRequest
{
Principal = preauth.Principal,
EncryptedPartKey = preauth.EncryptedPartKey,
Addresses = asReq.Body.Addresses,
Nonce = asReq.Body.Nonce,
IncludePac = true,
Flags = TicketFlags.Initial | KrbKdcRep.DefaultFlags
};
if (rst.EncryptedPartKey == null)
{
rst.EncryptedPartKey = await rst.Principal.RetrieveLongTermCredential();
}
var pacRequest = asReq.PaData.FirstOrDefault(pa => pa.Type == PaDataType.PA_PAC_REQUEST);
if (pacRequest != null)
{
var paPacRequest = KrbPaPacRequest.Decode(pacRequest.Value);
rst.IncludePac = paPacRequest.IncludePac;
}
var asRep = await KrbAsRep.GenerateTgt(rst, RealmService);
if (preauth.PaData != null)
{
asRep.PaData = preauth.PaData.ToArray();
}
return(asRep.EncodeApplication());
}