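/// <summary>
/// Acquires a GSS-API token for <paramref name="spn"/> using the client principal
/// configured under the <c>Client_UPN</c> app setting, and returns it base64-encoded
/// with a <c>Negotiate </c> prefix (presumably for use as an HTTP Authorization
/// header value; confirm against the caller).
/// </summary>
/// <param name="spn">Service principal name passed to <c>GssInitiator</c> as the target.</param>
/// <returns>
/// <c>"Negotiate " + base64(token)</c> on success, or <see cref="string.Empty"/> when
/// token initiation throws <c>GssException</c>. Callers must treat an empty result as
/// a failure and not send it as a credential.
/// </returns>
private string GetKerberosTicket(string spn)
{
    // AppSettings yields null when the key is absent; that null is passed on unchanged.
    var clientUpn = ConfigurationManager.AppSettings["Client_UPN"];
    Console.WriteLine($"Client_UPN: {clientUpn}");
    Console.WriteLine($"SPN: {spn}");

    EnsureTgt(clientUpn);

    // Only GssException raised inside the try block is handled; failures from
    // EnsureTgt, FromKeytab or the GssInitiator constructor propagate to the caller.
    using (var clientCredentials = GssCredentials.FromKeytab(clientUpn, CredentialUsage.Initiate))
    using (var initiator = new GssInitiator(credential: clientCredentials, spn: spn))
    {
        try
        {
            var kerberosTicket = Convert.ToBase64String(initiator.Initiate(null));

            // The token is authentication material. Writing it to stdout would copy it into
            // terminal scrollback, container logs and log shippers, so only its size is reported.
            Console.WriteLine($"Ticket: <redacted, {kerberosTicket.Length} base64 chars>");

            return $"Negotiate {kerberosTicket}";
        }
        catch (GssException exception)
        {
            Console.Error.WriteLine(exception.Message);
            return string.Empty;
        }
    }
}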
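/// <summary>
/// Acquires a GSS-API token for <paramref name="targetServiceUpn"/> on behalf of
/// <paramref name="clientUpn"/> and returns it base64-encoded with a <c>Negotiate </c>
/// prefix (presumably for use as an HTTP Authorization header value; confirm against the caller).
/// </summary>
/// <param name="targetServiceUpn">Principal of the target service, passed to <c>GssInitiator</c> as <c>spn</c>.</param>
/// <param name="clientUpn">Client principal whose keytab credentials are used to initiate.</param>
/// <returns>
/// <c>"Negotiate " + base64(token)</c> on success, or <see cref="string.Empty"/> when
/// token initiation throws <c>GssException</c>. Callers must treat an empty result as
/// a failure and not send it as a credential.
/// </returns>
private string GetKerberosTicket(string targetServiceUpn, string clientUpn)
{
    this.Logger().LogDebug($"Getting TGT for UPN '{clientUpn}'");
    EnsureTgt(clientUpn);

    this.Logger().LogDebug($"Getting client credentials for UPN '{clientUpn}' using the provided keytab file");

    // Only GssException raised inside the try block is handled; failures from
    // EnsureTgt, FromKeytab or the GssInitiator constructor propagate to the caller.
    using (var clientCredentials = GssCredentials.FromKeytab(clientUpn, CredentialUsage.Initiate))
    {
        this.Logger().LogDebug("Initiating kerberos client connection");

        using (var initiator = new GssInitiator(credential: clientCredentials, spn: targetServiceUpn))
        {
            try
            {
                this.Logger().LogDebug($"Getting kerberos ticket for UPN '{clientUpn}'");
                var kerberosTicket = Convert.ToBase64String(initiator.Initiate(null));

                // The token is authentication material. Even at Trace level it would end up in
                // whatever sink is attached when verbose logging is switched on, so log its size only.
                this.Logger().LogTrace($"Ticket: <redacted, {kerberosTicket.Length} base64 chars>");

                return $"Negotiate {kerberosTicket}";
            }
            catch (GssException exception)
            {
                this.Logger().LogError(exception.Message);
                return string.Empty;
            }
        }
    }
}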
/// <summary>
/// Produces the initial GSS-API token for <c>SqlServerSPN</c>, initiating with
/// keytab credentials for <c>ClientSPN</c>.
/// </summary>
/// <returns>The raw token bytes returned by <c>GssInitiator.Initiate(null)</c>.</returns>
/// <remarks>
/// No exception is caught here; any failure from credential acquisition or token
/// initiation propagates to the caller. The returned bytes are authentication
/// material and should not be logged or persisted.
/// </remarks>
public static byte[] GetTicket()
{
    using (var keytabCredential = GssCredentials.FromKeytab(ClientSPN, CredentialUsage.Initiate))
    {
        using (var gssInitiator = new GssInitiator(credential: keytabCredential, spn: SqlServerSPN))
        {
            // Passing null requests the first token of the exchange (no peer token yet).
            var token = gssInitiator.Initiate(null);
            return token;
        }
    }
}
// Invoked by the runtime; registers services with the container.
// Here it wires up Kerberos as both the default authenticate and challenge scheme.
public void ConfigureServices(IServiceCollection services)
{
    // Placeholder: replace with the service's own principal name.
    var servicePrincipal = "<spn>";

    var authentication = services.AddAuthentication(auth =>
    {
        auth.DefaultAuthenticateScheme = GssAuthenticationDefaults.AuthenticationScheme;
        auth.DefaultChallengeScheme = GssAuthenticationDefaults.AuthenticationScheme;
    });

    authentication.AddKerberos(kerberos =>
    {
        // Acceptor credentials come from the keytab and are acquired inside this options
        // callback. The keytab holds the service's long-term key, so it should be readable
        // only by the account this application runs as.
        kerberos.Credential = GssCredentials.FromKeytab(servicePrincipal, CredentialUsage.Accept);
    });
}
// Invoked by the runtime; registers services with the container.
// Here it wires up Kerberos as both the default authenticate and challenge scheme.
public void ConfigureServices(IServiceCollection services)
{
    // Placeholder: replace with the service's own principal name.
    var servicePrincipal = "<spn>";

    // Acquire MIT Kerberos credentials from the system's configured keytab.
    // This happens once, here, before the authentication services are registered.
    // The keytab holds the service's long-term key, so it should be readable only
    // by the account this application runs as.
    var serverCredentials = GssCredentials.FromKeytab(servicePrincipal, CredentialUsage.Accept);

    // Uncomment to use Microsoft SSPI (Windows)
    // var serverCredentials = new SspiCredentials();

    var authentication = services.AddAuthentication(auth =>
    {
        auth.DefaultAuthenticateScheme = GssAuthenticationDefaults.AuthenticationScheme;
        auth.DefaultChallengeScheme = GssAuthenticationDefaults.AuthenticationScheme;
    });

    authentication.AddKerberos(kerberos =>
    {
        // Use MIT Kerberos GSS (Linux / Windows).
        // Each factory call builds a new acceptor around the one shared credential.
        kerberos.AcceptorFactory = () => new GssAcceptor(serverCredentials);

        // Uncomment to use Microsoft SSPI (Windows)
        // kerberos.AcceptorFactory = () => new SspiAcceptor(serverCredentials);
    });
}