internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true, bool queryDns = false)
{
KerberosClient client;
if (listener == null)
{
client = new KerberosClient();
client.PinKdc("corp.identityintervention.com", kdc);
}
else
{
IKerberosTransport transport = new InMemoryTransport(listener);
client = new KerberosClient(transports: transport);
}
client.Configuration.Defaults.DnsLookupKdc = queryDns;
client.CacheServiceTickets = caching;
client.RenewTickets = caching;
client.RenewTicketsThreshold = TimeSpan.MaxValue;
client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);
return(client);
}
private static KerberosClient CreateClient(string kdc, KdcListener listener)
{
KerberosClient client;
if (listener == null)
{
throw new Exception();
}
else
{
IKerberosTransport transport = new InMemoryTransport(listener);
client = new KerberosClient(transports: transport);
}
return(client);
}
internal static KerberosClient CreateClient(
KdcListener listener,
string kdc = null,
bool caching = true,
bool queryDns = false,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool useKrb5TicketCache = false
)
{
KerberosClient client;
if (listener == null)
{
client = new KerberosClientWrapper(useKrb5TicketCache);
client.PinKdc("corp.identityintervention.com", kdc);
}
else
{
IKerberosTransport transport = new InMemoryTransport(listener);
client = new KerberosClientWrapper(useKrb5TicketCache, transports: transport);
}
client.Configuration.Defaults.DnsLookupKdc = queryDns;
client.Configuration.Defaults.AllowWeakCrypto = allowWeakCrypto;
client.CacheServiceTickets = caching;
client.RenewTickets = caching;
client.RenewTicketsThreshold = TimeSpan.MaxValue;
client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);
client.CacheInMemory = !useKrb5TicketCache;
client.Cache.RefreshTickets = useKrb5TicketCache;
if (useWeakCrypto)
{
client.Configuration.Defaults.DefaultTicketEncTypes.Clear();
client.Configuration.Defaults.DefaultTicketEncTypes.Add(EncryptionType.RC4_HMAC_NT);
}
return(client);
}
internal static KerberosClient CreateClient(KdcListener listener, string kdc = null, bool caching = true)
{
KerberosClient client;
if (listener == null)
{
client = new KerberosClient(kdc: kdc);
}
else
{
IKerberosTransport transport = new InMemoryTransport(listener);
client = new KerberosClient(transports: transport);
}
client.CacheServiceTickets = caching;
client.RenewTickets = caching;
client.RenewTicketsThreshold = TimeSpan.MaxValue;
client.RefreshPollInterval = TimeSpan.FromMilliseconds(10);
return(client);
}
public InMemoryTransport(KdcListener listener)
{
this.listener = listener;
this.Enabled = true;
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
}
}
internal static async Task <List <Exception> > MultithreadedRequests(
int threads,
int requests,
bool cacheTickets,
bool encodeNego,
bool includePac,
string kdc,
X509Certificate2 cert,
KdcListener listener
)
{
var exceptions = new List <Exception>();
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
}
else
{
kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
}
KerberosClient client = CreateClient(listener, kdc);
using (client)
{
client.CacheServiceTickets = cacheTickets;
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() =>
{
for (var i = 0; i < requests; i++)
{
try
{
if (i % 2 == 0)
{
await client.Authenticate(kerbCred);
}
var ticket = await client.GetServiceTicket(new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
});
Assert.IsNotNull(ticket.ApReq);
await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
}
catch (Exception ex)
{
exceptions.Add(ex);
}
}
})).ToArray());
}
return(exceptions);
}
internal static async Task RequestAndValidateTicketsWithCaches(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null,
bool useKrb5TicketCache = false
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(
listener,
overrideKdc,
caching: caching,
allowWeakCrypto: allowWeakCrypto,
useWeakCrypto: useWeakCrypto,
useKrb5TicketCache: useKrb5TicketCache
);
using (kerbCred as IDisposable)
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0,
S4uTarget = s4u,
S4uTicket = s4uTicket
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
}
if (user.Contains("-fallback"))
{
Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType);
}
else
{
Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType);
}
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null
)
{
await RequestAndValidateTicketsWithCaches(
listener,
user,
password,
overrideKdc,
keytab,
s4u,
encodeNego,
caching,
includePac,
cert,
spn,
keyAgreement,
allowWeakCrypto,
useWeakCrypto,
mutualAuth,
s4uTicket
);
if (caching)
{
await RequestAndValidateTicketsWithCaches(
listener,
user,
password,
overrideKdc,
keytab,
s4u,
encodeNego,
caching,
includePac,
cert,
spn,
keyAgreement,
allowWeakCrypto,
useWeakCrypto,
mutualAuth,
s4uTicket,
useKrb5TicketCache : true
);
}
}
