示例#1
0
        protected void TypicalASExchange(KerberosTestClient client, KdcOptions options)
        {
            //Create and send AS request
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            PaPacOptions             paPacOptions = new PaPacOptions(PacOptions.Claims);
            Asn1SequenceOf <PA_DATA> paData       = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });

            client.SendAsRequest(options, paData);

            //Recieve preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create pa-enc-timestamp
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               this.client.Context.SelectedEType,
                                                               this.client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);

            paData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
            //Create and send AS request
            client.SendAsRequest(options, paData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();
        }
        private CLAIMS_SET?GetADUserClaims_SingleRealm(string realm, string user, string userPwd, string server, string servicePwd, string serviceSpn)
        {
            base.Logging();

            client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
                                            this.testConfig.LocalRealm.User[2].Username,
                                            this.testConfig.LocalRealm.User[2].Password,
                                            KerberosAccountType.User,
                                            testConfig.LocalRealm.KDC[0].IPAddress,
                                            testConfig.LocalRealm.KDC[0].Port,
                                            testConfig.TransportType,
                                            testConfig.SupportedOid);

            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            client.SendAsRequest(options, null);
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp, PaPacRequest and paPacOptions.");
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               client.Context.SelectedEType,
                                                               client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            PaPacOptions             paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });

            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request: {0}.", this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName);
            Asn1SequenceOf <PA_DATA> seqOfPaData2 = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });

            client.SendTgsRequest(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, options, seqOfPaData2);
            KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
            EncryptionKey       key         = testConfig.QueryKey(this.testConfig.LocalRealm.FileServer[0].Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);

            tgsResponse.DecryptTicket(key);
            BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart, "The encrypted part of TGS-REP is decrypted.");

            if (this.testConfig.IsKileImplemented)
            {
                BaseTestSite.Assert.IsNotNull(tgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data.");
                AdWin2KPac adWin2kPac = FindOneInAuthData <AdWin2KPac>(tgsResponse.TicketEncPart.authorization_data.Elements);
                BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac.");

                foreach (PacInfoBuffer buf in adWin2kPac.Pac.PacInfoBuffers)
                {
                    if (buf.GetType() == typeof(ClientClaimsInfo))
                    {
                        return(((ClientClaimsInfo)buf).NativeClaimSet);
                    }
                }
            }
            return(null);
        }
示例#3
0
        private EncTicketPart RetrieveAndDecryptServiceTicket(KerberosFunctionalClient kerberosClient, out EncryptionKey serviceKey)
        {
            //Create and send AS request
            const KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            kerberosClient.SendAsRequest(options, null);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects Kerberos Error from KDC");
            //Receive preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = kerberosClient.ExpectPreauthRequiredError(out methodData);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends AS request with PA-DATA set");
            //Create sequence of PA data
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               kerberosClient.Context.SelectedEType,
                                                               kerberosClient.Context.CName.Password,
                                                               kerberosClient.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new[] { paEncTimeStamp.Data, paPacRequest.Data });

            //Create and send AS request
            kerberosClient.SendAsRequest(options, seqOfPaData);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects AS response from KDC");
            KerberosAsResponse asResponse = kerberosClient.ExpectAsResponse();

            BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");

            //Create and send TGS request
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends TGS request to KDC");
            kerberosClient.SendTgsRequest(servicePrincipalName, options);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects TGS response from KDC");
            KerberosTgsResponse tgsResponse = kerberosClient.ExpectTgsResponse();

            BaseTestSite.Assert.AreEqual(servicePrincipalName,
                                         KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
                                         "Service principal name in service ticket should match expected.");

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Decrypt SMB2 Service Ticket");
            serviceKey = keyManager.QueryKey(servicePrincipalName, TestConfig.DomainName, kerberosClient.Context.SelectedEType);
            tgsResponse.DecryptTicket(serviceKey);

            return(tgsResponse.TicketEncPart);
        }
示例#4
0
        /// <summary>
        /// Initialize the context from a token.
        /// </summary>
        /// <param name="inToken">The token used to initialize.</param>
        /// <exception cref="System.NotSupportedException">Thrown when the ContextAttribute contains a flag that not be
        /// supported.</exception>
        /// <exception cref="System.InvalidOperationException">Thrown when an error is returned.</exception>
        public override void Initialize(byte[] inToken)
        {
            if (inToken == null || inToken.Length == 0)
            {
                KilePdu       response = null;
                string        sname    = ConstValue.KERBEROS_SNAME;
                KileAsRequest asRequest;
                EncryptionKey subkey = null;

                // Create and send AS request for pre-authentication
                KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE
                                     | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLEOK;
                KDCOptions flags = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)options));

                // Create and send AS request for pre-authentication
                asRequest = client.CreateAsRequest(sname, flags, null, this.GetClientSupportedEtype());
                client.SendPdu(asRequest);
                response = client.ExpectPdu(ConstValue.TIMEOUT_DEFAULT);
                KileKrbError preAuthError = response as KileKrbError;
                if ((preAuthError == null) || (!preAuthError.ErrorCode.Equals(KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED)))
                {
                    throw new InvalidOperationException("The Error code should be KDC_ERR_PREAUTH_REQUIRED");
                }

                // Create and send AS request for TGT
                var                      defualtEncryptType = (client.ClientContext.TgsSessionKey == null) ? EncryptionType.RC4_HMAC : (EncryptionType)client.ClientContext.TgsSessionKey.keytype.Value;
                PaEncTimeStamp           timestamp          = client.ConstructPaEncTimeStamp(defualtEncryptType);
                PaPacRequest             pacRequest         = client.ConstructPaPacRequest(true);
                Asn1SequenceOf <PA_DATA> paData             = client.ConstructPaData(timestamp, pacRequest);

                if ((contextAttribute & ClientSecurityContextAttribute.DceStyle) == ClientSecurityContextAttribute.DceStyle)
                {
                    asRequest = client.CreateAsRequest(sname, flags, paData, this.GetClientSupportedEtype());
                    //subkey = new EncryptionKey((int)EncryptionType.AES256_CTS_HMAC_SHA1_96,
                    //    KileUtility.GenerateRandomBytes(ConstValue.AES_KEY_LENGTH));

                    var key = KeyGenerator.MakeKey(EncryptionType.AES256_CTS_HMAC_SHA1_96, client.ClientContext.Password, client.ClientContext.Salt);
                    subkey = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(key));
                }
                else
                {
                    asRequest = client.CreateAsRequest(sname, flags, paData, this.GetClientSupportedEtype());
                }
                client.SendPdu(asRequest);
                response = client.ExpectPdu(ConstValue.TIMEOUT_DEFAULT);

                if (response.GetType() == typeof(KileKrbError))
                {
                    throw new InvalidOperationException("Received Kerberos Error response: " + ((KileKrbError)response).ErrorCode);
                }
                KileAsResponse asResponse = (KileAsResponse)response;

                // Create and send TGS request

                // for example: "KERB.COMldapsut02.kerb.com"
                client.ClientContext.Salt = domain.ToUpper();
                string[] nameList = userLogonName.Split('/');
                foreach (string name in nameList)
                {
                    client.ClientContext.Salt += name;
                }
                KileTgsRequest tgsRequest = client.CreateTgsRequest(this.serverName,
                                                                    flags,
                                                                    null,
                                                                    ChecksumType.hmac_md5_string,
                                                                    null,
                                                                    null);
                client.SendPdu(tgsRequest);
                response = client.ExpectPdu(ConstValue.TIMEOUT_DEFAULT);

                if (response.GetType() == typeof(KileKrbError))
                {
                    throw new InvalidOperationException("Received Kerberos Error response: " + ((KileKrbError)response).ErrorCode);
                }

                KileTgsResponse tgsResponse = (KileTgsResponse)response;

                ApOptions     apOption;
                ChecksumFlags checksumFlag;
                GetFlagsByContextAttribute(out apOption, out checksumFlag);

                KerbAuthDataTokenRestrictions adRestriction =
                    client.ConstructKerbAuthDataTokenRestrictions(0,
                                                                  (uint)LSAP_TOKEN_INFO_INTEGRITY_Flags.FULL_TOKEN,
                                                                  (uint)LSAP_TOKEN_INFO_INTEGRITY_TokenIL.Medium,
                                                                  new Guid().ToString());
                AdAuthDataApOptions adApOptions = client.ConstructAdAuthDataApOptions(ConstValue.KERB_AP_OPTIONS_CBT);
                AuthorizationData   authData    = client.ConstructAuthorizationData(adRestriction, adApOptions);
                KileApRequest       apRequest   = client.CreateApRequest(apOption,
                                                                         ChecksumType.ap_authenticator_8003,
                                                                         ConstValue.SEQUENCE_NUMBER_DEFAULT,
                                                                         checksumFlag,
                                                                         subkey,
                                                                         authData);
                token = apRequest.ToBytes();

                bool isMutualAuth = (contextAttribute & ClientSecurityContextAttribute.MutualAuth)
                                    == ClientSecurityContextAttribute.MutualAuth;
                bool isDceStyle = (contextAttribute & ClientSecurityContextAttribute.DceStyle)
                                  == ClientSecurityContextAttribute.DceStyle;

                if (isMutualAuth || isDceStyle)
                {
                    continueProcess = true;   // SEC_I_CONTINUE_NEEDED;
                }
                else
                {
                    continueProcess = false;  // SEC_E_OK;
                }
            }
            else  // mutual authentication
            {
                KileApResponse apResponse = client.ParseApResponse(inToken);
                token = null;

                if ((contextAttribute & ClientSecurityContextAttribute.DceStyle)
                    == ClientSecurityContextAttribute.DceStyle)
                {
                    KileApResponse apResponseSend = client.CreateApResponse(null);
                    token = apResponseSend.ToBytes();
                }

                this.continueProcess = false;      // SEC_E_OK;
            }
        }
示例#5
0
        private void CrossRealm_Smb2_AccessFile(string localRealmName, string trustuedRealmName, User localUser, Computer localKDC, Computer trustedKDC, TransportType transportType, FileServer fileserverInTrustedRealm, string filePath, string fileName, bool expectAccessDeny)
        {
            base.Logging();

            client = new KerberosTestClient(localRealmName,
                                            localUser.Username,
                                            localUser.Password,
                                            KerberosAccountType.User,
                                            localKDC.IPAddress,
                                            localKDC.Port,
                                            transportType,
                                            testConfig.SupportedOid);

            //Create and send AS request
            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            client.SendAsRequest(options, null);
            //Recieve preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create sequence of PA data
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               this.client.Context.SelectedEType,
                                                               this.client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });

            //Create and send AS request
            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            //Create and send TGS request
            if (this.testConfig.TrustType == Adapter.TrustType.Forest)
            {
                client.SendTgsRequest(fileserverInTrustedRealm.Smb2ServiceName, options);
            }
            else if (this.testConfig.TrustType == Adapter.TrustType.Realm)
            {
                client.SendTgsRequest(trustedKDC.DefaultServiceName, options);
            }
            BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send TGS request");
            KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Receive a referral TGS response.");

            BaseTestSite.Assert.AreEqual(trustedKDC.DefaultServiceName,
                                         KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
                                         "The service principal name in referral ticket should match expected.");
            BaseTestSite.Assert.AreEqual(localRealmName.ToLower(),
                                         tgsResponse.Response.ticket.realm.Value.ToLower(),
                                         "The realm name in referral ticket should match expected.");

            //Change realm
            client.ChangeRealm(trustuedRealmName,
                               trustedKDC.IPAddress,
                               trustedKDC.Port,
                               this.testConfig.TransportType);

            //Create and send referral TGS request
            client.SendTgsRequest(fileserverInTrustedRealm.Smb2ServiceName, options);
            KerberosTgsResponse refTgsResponse = client.ExpectTgsResponse();

            BaseTestSite.Assert.AreEqual(fileserverInTrustedRealm.Smb2ServiceName,
                                         KerberosUtility.PrincipalName2String(refTgsResponse.Response.ticket.sname),
                                         "The service principal name in service ticket should match expected.");
            BaseTestSite.Assert.AreEqual(trustuedRealmName.ToLower(),
                                         refTgsResponse.Response.ticket.realm.Value.ToLower(),
                                         "The realm name in service ticket should match expected.");

            EncryptionKey key = testConfig.QueryKey(fileserverInTrustedRealm.Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);

            refTgsResponse.DecryptTicket(key);

            BaseTestSite.Assert.AreEqual(localRealmName.ToLower(),
                                         refTgsResponse.TicketEncPart.crealm.Value.ToLower(),
                                         "Realm name in service ticket encrypted part should match expected.");
            BaseTestSite.Assert.AreEqual(localUser.Username.ToLower(),
                                         KerberosUtility.PrincipalName2String(refTgsResponse.TicketEncPart.cname).ToLower(),
                                         "User name in service ticket encrypted part should match expected.");

            AuthorizationData data   = null;
            EncryptionKey     subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);

            byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
                                                    data,
                                                    subkey,
                                                    ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Logon to fileserver and Access File.");
            AccessFile(filePath, fileName, fileserverInTrustedRealm, token, refTgsResponse.EncPart.key, expectAccessDeny);
        }
示例#6
0
        private void CBAC_Smb2_AccessFile(string RealmName, User user, Computer kdc, TransportType transportType, FileServer fileserver, string filePath, string fileName, bool expectAccessDeny)
        {
            base.Logging();

            client = new KerberosTestClient(RealmName,
                                            user.Username,
                                            user.Password,
                                            KerberosAccountType.User,
                                            kdc.IPAddress,
                                            kdc.Port,
                                            transportType,
                                            testConfig.SupportedOid);

            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            client.SendAsRequest(options, null);
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send AS request with PaEncTimeStamp, PaPacRequest and paPacOptions.");
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               client.Context.SelectedEType,
                                                               client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            PaPacOptions             paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });

            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            //Verify encrypted padata
            PaSupportedEncTypes paSupportedEncTypes = null;

            BaseTestSite.Assert.IsNotNull(asResponse.EncPart, "The encrypted part of AS-REP is decrypted.");
            BaseTestSite.Assert.IsNotNull(asResponse.EncPart.pa_datas, "The encrypted padata is not null.");
            if (this.testConfig.IsKileImplemented)
            {
                foreach (var padata in asResponse.EncPart.pa_datas.Elements)
                {
                    var parsedPadata = PaDataParser.ParseRepPaData(padata);
                    if (parsedPadata is PaSupportedEncTypes)
                    {
                        paSupportedEncTypes = parsedPadata as PaSupportedEncTypes;
                    }
                }
                BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of AS-REP contains PA_SUPPORTED_ENCTYPES.");
                if (this.testConfig.IsClaimSupported)
                {
                    BaseTestSite.Assert.IsTrue(
                        paSupportedEncTypes.SupportedEncTypes.HasFlag(SupportedEncryptionTypes.Claims_Supported),
                        "Claims is supported.");
                }
            }
            //TGS exchange
            BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send FAST armored TGS request: {0}.", fileserver.Smb2ServiceName);
            Asn1SequenceOf <PA_DATA> seqOfPaData2 = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });

            client.SendTgsRequest(fileserver.Smb2ServiceName, options, seqOfPaData2);
            KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
            EncryptionKey       key         = testConfig.QueryKey(fileserver.Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);

            tgsResponse.DecryptTicket(key);
            BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart, "The encrypted part of TGS-REP is decrypted.");

            //Verify TGS encryped padata
            paSupportedEncTypes = null;
            BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart, "The encrypted part of TGS-REP is decrypted.");
            BaseTestSite.Assert.IsNotNull(tgsResponse.EncPart.pa_datas, "The encrypted padata of TGS-REP is not null.");
            if (this.testConfig.IsKileImplemented)
            {
                foreach (var padata in tgsResponse.EncPart.pa_datas.Elements)
                {
                    var parsedPadata = PaDataParser.ParseRepPaData(padata);
                    if (parsedPadata is PaSupportedEncTypes)
                    {
                        paSupportedEncTypes = parsedPadata as PaSupportedEncTypes;
                    }
                }
                BaseTestSite.Assert.IsNotNull(paSupportedEncTypes, "The encrypted padata of TGS-REP contains PA_SUPPORTED_ENCTYPES.");
            }

            if (this.testConfig.IsKileImplemented)
            {
                BaseTestSite.Assert.IsNotNull(tgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data.");
                AdWin2KPac adWin2kPac = FindOneInAuthData <AdWin2KPac>(tgsResponse.TicketEncPart.authorization_data.Elements);
                BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac.");
            }

            AuthorizationData data   = null;
            EncryptionKey     subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);

            byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
                                                    data,
                                                    subkey,
                                                    ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Logon to fileserver and Access File.");
            AccessFile(filePath, fileName, fileserver, token, tgsResponse.EncPart.key, expectAccessDeny);
        }
示例#7
0
        private void DAC_Smb2_AccessFile(string RealmName, User user, Computer kdc, TransportType transportType, FileServer fileserver, string filePath, string fileName, bool expectAccessDeny)
        {
            base.Logging();

            client = new KerberosTestClient(RealmName,
                                            user.Username,
                                            user.Password,
                                            KerberosAccountType.User,
                                            kdc.IPAddress,
                                            kdc.Port,
                                            transportType,
                                            testConfig.SupportedOid);

            //Create and send AS request
            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            client.SendAsRequest(options, null);
            //Recieve preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create sequence of PA data
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               client.Context.SelectedEType,
                                                               this.client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });

            //Create and send AS request
            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");

            //Create and send TGS request
            client.SendTgsRequest(fileserver.Smb2ServiceName, options);
            KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();

            BaseTestSite.Assert.AreEqual(fileserver.Smb2ServiceName,
                                         KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
                                         "Service principal name in service ticket should match expected.");
            EncryptionKey key = testConfig.QueryKey(fileserver.Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);

            tgsResponse.DecryptTicket(key);

            BaseTestSite.Assert.AreEqual(RealmName.ToLower(),
                                         tgsResponse.TicketEncPart.crealm.Value.ToLower(),
                                         "Realm name in service ticket encrypted part should match expected.");
            BaseTestSite.Assert.AreEqual(user.Username.ToLower(),
                                         KerberosUtility.PrincipalName2String(tgsResponse.TicketEncPart.cname).ToLower(),
                                         "User name in service ticket encrypted part should match expected.");

            //Assert authorization data
            if (this.testConfig.IsKileImplemented)
            {
                BaseTestSite.Assert.IsNotNull(tgsResponse.TicketEncPart.authorization_data, "The ticket contains Authorization data.");
                AdWin2KPac adWin2kPac = FindOneInAuthData <AdWin2KPac>(tgsResponse.TicketEncPart.authorization_data.Elements);
                BaseTestSite.Assert.IsNotNull(adWin2kPac, "The Authorization data contains AdWin2KPac.");
            }

            AuthorizationData data   = null;
            EncryptionKey     subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);

            byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
                                                    data,
                                                    subkey,
                                                    ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Logon to fileserver and Access File.");
            AccessFile(filePath, fileName, fileserver, token, tgsResponse.EncPart.key, expectAccessDeny);
        }
        private void claimsTest_Kerberos_CrossRealm_ADSource_User_Only(bool ctaFromConfig)
        {
            client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
                                            this.testConfig.LocalRealm.User[2].Username,
                                            this.testConfig.LocalRealm.User[2].Password,
                                            KerberosAccountType.User,
                                            testConfig.LocalRealm.KDC[0].IPAddress,
                                            testConfig.LocalRealm.KDC[0].Port,
                                            testConfig.TransportType,
                                            testConfig.SupportedOid);

            //Create and send AS request
            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            client.SendAsRequest(options, null);
            //Recieve preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create sequence of PA data
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               this.client.Context.SelectedEType,
                                                               this.client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            PaPacOptions             paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });

            //Create and send AS request
            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse       asResponse   = client.ExpectAsResponse();
            Asn1SequenceOf <PA_DATA> seqOfPaData2 = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });

            //Create and send TGS request
            client.SendTgsRequest(this.testConfig.TrustedRealm.KDC[0].DefaultServiceName, options, seqOfPaData2);

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send TGS request");
            KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();

            BaseTestSite.Log.Add(LogEntryKind.Comment, "Receive a referral TGS response.");

            BaseTestSite.Assert.AreEqual(this.testConfig.TrustedRealm.KDC[0].DefaultServiceName,
                                         KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
                                         "The service principal name in referral ticket should match expected.");
            BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
                                         tgsResponse.Response.ticket.realm.Value.ToLower(),
                                         "The realm name in referral ticket should match expected.");

            EncryptionKey key = testConfig.QueryKey(this.testConfig.TrustedRealm.KDC[0].DefaultServiceName + "@" + this.testConfig.LocalRealm.RealmName, client.Context.Realm.ToString(), client.Context.SelectedEType);

            tgsResponse.DecryptTicket(key);

            CLAIMS_SET claims      = new CLAIMS_SET();
            AdWin2KPac adWin2kPac  = FindOneInAuthData <AdWin2KPac>(tgsResponse.TicketEncPart.authorization_data.Elements);
            bool       foundClaims = false;

            foreach (PacInfoBuffer buf in adWin2kPac.Pac.PacInfoBuffers)
            {
                if (buf.GetType() == typeof(ClientClaimsInfo))
                {
                    claims      = ((ClientClaimsInfo)buf).NativeClaimSet;
                    foundClaims = true;
                }
            }
            BaseTestSite.Assert.IsTrue(foundClaims, "Found claims in referral TGS Ticket");
            foundClaims = false;

            #region genertaed transformed claims
            Dictionary <string, string> expectedClaims = new Dictionary <string, string>();
            if (!ctaFromConfig)
            {
                ClaimTransformer    transformer = new ClaimTransformer(this.testConfig.TrustedRealm.KDC[0].IPAddress, this.testConfig.TrustedRealm.RealmName, this.testConfig.TrustedRealm.Admin.Username, this.testConfig.TrustedRealm.Admin.Password);
                List <CLAIMS_ARRAY> transformed = null;
                BaseTestSite.Assert.AreEqual <Win32ErrorCode_32>(Win32ErrorCode_32.ERROR_SUCCESS, transformer.TransformClaimsOnTrustTraversal(claims.ClaimsArrays, this.testConfig.LocalRealm.RealmName, true, out transformed), "should successfully transform claims");
                foreach (CLAIMS_ARRAY array in transformed)
                {
                    foreach (CLAIM_ENTRY entry in array.ClaimEntries)
                    {
                        string id    = entry.Id;
                        string value = null;
                        switch (entry.Type)
                        {
                        case CLAIM_TYPE.CLAIM_TYPE_BOOLEAN:
                            value = entry.Values.Struct4.BooleanValues[0].ToString();
                            break;

                        case CLAIM_TYPE.CLAIM_TYPE_INT64:
                            value = entry.Values.Struct1.Int64Values[0].ToString();
                            break;

                        case CLAIM_TYPE.CLAIM_TYPE_STRING:
                            value = entry.Values.Struct3.StringValues[0].ToString();
                            break;

                        case CLAIM_TYPE.CLAIM_TYPE_UINT64:
                            value = entry.Values.Struct2.Uint64Values[0].ToString();
                            break;

                        default:
                            BaseTestSite.Assert.Fail("Found invalid claim type during transform, value:" + (int)entry.Type);
                            break;
                        }
                        expectedClaims.Add(id.ToLower(), value.ToLower());
                    }
                }
            }
            else
            {
                string[] tmp = this.testConfig.LocalRealm.User[2].TransformedClaims.ToLower().Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
                BaseTestSite.Assert.IsTrue(tmp != null && tmp.Length % 2 == 0, "Claim.Crossforest.TransformedClaims in PTFConfig should be valid and not empty");
                for (int i = 0; i < tmp.Length; i += 2)
                {
                    expectedClaims.Add(tmp[i], tmp[i + 1]);
                }
            }
            #endregion
            //Change realm
            client.ChangeRealm(this.testConfig.TrustedRealm.RealmName,
                               this.testConfig.TrustedRealm.KDC[0].IPAddress,
                               this.testConfig.TrustedRealm.KDC[0].Port,
                               this.testConfig.TransportType);

            //Create and send referal TGS request
            client.SendTgsRequest(this.testConfig.TrustedRealm.FileServer[0].Smb2ServiceName, options);
            KerberosTgsResponse refTgsResponse = client.ExpectTgsResponse();

            BaseTestSite.Assert.AreEqual(this.testConfig.TrustedRealm.FileServer[0].Smb2ServiceName,
                                         KerberosUtility.PrincipalName2String(refTgsResponse.Response.ticket.sname),
                                         "The service principal name in service ticket should match expected.");
            BaseTestSite.Assert.AreEqual(this.testConfig.TrustedRealm.RealmName.ToLower(),
                                         refTgsResponse.Response.ticket.realm.Value.ToLower(),
                                         "The realm name in service ticket should match expected.");

            key = testConfig.QueryKey(this.testConfig.TrustedRealm.FileServer[0].Smb2ServiceName, client.Context.Realm.ToString(), client.Context.SelectedEType);
            refTgsResponse.DecryptTicket(key);

            BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
                                         refTgsResponse.TicketEncPart.crealm.Value.ToLower(),
                                         "Realm name in service ticket encrypted part should match expected.");
            BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[2].Username,
                                         KerberosUtility.PrincipalName2String(refTgsResponse.TicketEncPart.cname).ToLower(),
                                         "User name in service ticket encrypted part should match expected.");

            adWin2kPac = FindOneInAuthData <AdWin2KPac>(refTgsResponse.TicketEncPart.authorization_data.Elements);
            foreach (PacInfoBuffer buf in adWin2kPac.Pac.PacInfoBuffers)
            {
                if (buf.GetType() == typeof(ClientClaimsInfo))
                {
                    foundClaims = true;
                    claims      = ((ClientClaimsInfo)buf).NativeClaimSet;
                }
            }

            int errors = 0;
            BaseTestSite.Assert.IsTrue(foundClaims, "Found claims in reference TGS Ticket");
            for (int i = 0; i < claims.ClaimsArrays[0].ClaimEntries.Length; i++)
            {
                string claimvalue = null;
                if (!expectedClaims.TryGetValue(claims.ClaimsArrays[0].ClaimEntries[i].Id.ToLower(), out claimvalue))
                {
                    errors++;
                    BaseTestSite.Log.Add(LogEntryKind.CheckFailed, "Found unexpected claim with id: " + claims.ClaimsArrays[0].ClaimEntries[i].Id + " after transform");
                }
                else
                {
                    if (claimvalue != claims.ClaimsArrays[0].ClaimEntries[i].Values.Struct3.StringValues[0].ToLower())
                    {
                        errors++;
                        BaseTestSite.Log.Add(
                            LogEntryKind.CheckFailed,
                            "Value of claim \"" + claims.ClaimsArrays[0].ClaimEntries[i].Id + "\" is not expected, expected: " + claimvalue + " ,actual: " + claims.ClaimsArrays[0].ClaimEntries[i].Values.Struct3.StringValues[0]);
                    }
                    expectedClaims.Remove(claims.ClaimsArrays[0].ClaimEntries[i].Id);
                }
            }

            BaseTestSite.Assert.AreEqual(expectedClaims.Count, claims.ClaimsArrays[0].ClaimEntries.Count(), "Claims count should be equal.");
            BaseTestSite.Assert.AreEqual <int>(0, errors, "Expect no error should be found when compare claims from reference TGS ticket");
        }
示例#9
0
        public void KerbAuth_Replay()
        {
            #region Get Service Ticket
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Initialize Kerberos Functional Client");
            KerberosFunctionalClient kerberosClient = new KerberosFunctionalClient(
                TestConfig.DomainName,
                TestConfig.UserName,
                TestConfig.UserPassword,
                KerberosAccountType.User,
                KDCIP,
                KDCPort,
                TransportType.TCP,
                OidPkt,
                BaseTestSite);

            //Create and send AS request
            const KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
            kerberosClient.SendAsRequest(options, null);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects Kerberos Error from KDC");
            //Receive preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = kerberosClient.ExpectPreauthRequiredError(out methodData);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends AS request with PA-DATA set");
            //Create sequence of PA data
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               kerberosClient.Context.SelectedEType,
                                                               kerberosClient.Context.CName.Password,
                                                               kerberosClient.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(true);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new[] { paEncTimeStamp.Data, paPacRequest.Data });
            //Create and send AS request
            kerberosClient.SendAsRequest(options, seqOfPaData);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects AS response from KDC");
            KerberosAsResponse asResponse = kerberosClient.ExpectAsResponse();
            BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");

            //Create and send TGS request
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends TGS request to KDC");
            kerberosClient.SendTgsRequest(servicePrincipalName, options);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects TGS response from KDC");
            KerberosTgsResponse tgsResponse = kerberosClient.ExpectTgsResponse();

            BaseTestSite.Assert.AreEqual(servicePrincipalName,
                                         KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
                                         "Service principal name in service ticket should match expected.");
            #endregion

            #region Create AP request
            Ticket        serviceTicket = kerberosClient.Context.Ticket.Ticket;
            Realm         crealm        = serviceTicket.realm;
            EncryptionKey subkey        = KerberosUtility.GenerateKey(kerberosClient.Context.SessionKey);
            PrincipalName cname         = kerberosClient.Context.CName.Name;
            Authenticator authenticator = CreateAuthenticator(cname, crealm, subkey);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create AP Request");
            KerberosApRequest request = new KerberosApRequest(
                kerberosClient.Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.MutualRequired)),
                kerberosClient.Context.Ticket,
                authenticator,
                KeyUsageNumber.AP_REQ_Authenticator
                );
            #endregion

            #region Create GSS token and send session setup request
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create GSS Token");
            byte[] token = KerberosUtility.AddGssApiTokenHeader(request, OidPkt, GssToken);

            Smb2FunctionalClientForKerbAuth smb2Client = new Smb2FunctionalClientForKerbAuth(TestConfig.Timeout, TestConfig, BaseTestSite);
            smb2Client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
            byte[] repToken;
            uint   status = DoSessionSetupWithGssToken(smb2Client, token, out repToken);

            KerberosApResponse apRep = kerberosClient.GetApResponseFromToken(repToken, GssToken);
            // Get subkey from AP response, which used for signing in smb2
            apRep.Decrypt(kerberosClient.Context.Ticket.SessionKey.keyvalue.ByteArrayValue);
            smb2Client.SetSessionSigningAndEncryption(true, false, apRep.ApEncPart.subkey.keyvalue.ByteArrayValue);
            #endregion

            #region Second client
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Replay the request from another client");
            Smb2FunctionalClientForKerbAuth smb2Client2 = new Smb2FunctionalClientForKerbAuth(TestConfig.Timeout, TestConfig, BaseTestSite);
            smb2Client2.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
            status = DoSessionSetupWithGssToken(smb2Client2, token, out repToken);

            BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                            "Session Setup should fail because it uses a Replay of KRB_AP_REQ");

            if (TestConfig.IsWindowsPlatform)
            {
                krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_REPEAT, krbError.ErrorCode,
                                             "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_REPEAT);
            }
            smb2Client2.Disconnect();
            #endregion

            string path = Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare);
            AccessFile(smb2Client, path);

            smb2Client.LogOff();
            smb2Client.Disconnect();
        }
        public void ChangePasswordSuccess()
        {
            base.Logging();

            if (!this.testConfig.UseProxy)
            {
                BaseTestSite.Assert.Inconclusive("This case is only applicable when Kerberos Proxy Service is in use.");
            }

            //Create kerberos test client and connect
            client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
                                            this.testConfig.LocalRealm.User[22].Username,
                                            this.testConfig.LocalRealm.User[22].Password,
                                            KerberosAccountType.User,
                                            testConfig.LocalRealm.KDC[0].IPAddress,
                                            testConfig.LocalRealm.KDC[0].Port,
                                            testConfig.TransportType,
                                            testConfig.SupportedOid);

            // Kerberos Proxy Service is used
            if (this.testConfig.UseProxy)
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
                KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
                proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
                client.UseProxy          = true;
                client.ProxyClient       = proxyClient;
            }

            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends AS_REQ without Pre-Authentication data");
            client.SendAsRequestForPwdChange(options, null);
            //Recieve preauthentication required error
            METHOD_DATA methodData;

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KRB_ERROR: KDC_ERR_PREAUTH_REQUIRED");
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create sequence of PA data
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends AS_REQ with PA-ENC-TIMESTAMP and PA-PAC-REQUEST");
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               this.client.Context.SelectedEType,
                                                               this.client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);

            PaPacRequest             paPacRequest = new PaPacRequest(true);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });

            //Create and send AS request
            client.SendAsRequestForPwdChange(options, seqOfPaData);
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns AS_REP");
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");

            //Create kpassword test client and connect
            KpasswdTestClient kpassClient = new KpasswdTestClient(
                testConfig.LocalRealm.KDC[0].IPAddress,
                KerberosConstValue.KPASSWORD_PORT,
                testConfig.TransportType,
                client.Context.Ticket);

            // Kerberos Proxy Service is used
            if (this.testConfig.UseProxy)
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
                KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
                proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
                kpassClient.UseProxy     = true;
                kpassClient.ProxyClient  = proxyClient;
            }

            //Create and send Kpassword request
            string newPwd = this.testConfig.LocalRealm.User[22].Password;

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends KpasswordRequest");
            kpassClient.SendKpasswordRequest(newPwd);
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "KDC returns KpasswordResponse");
            KpasswordResponse kpassResponse = kpassClient.ExpectKpasswordResponse();

            //Verify the result code
            BaseTestSite.Assert.AreEqual(KpasswdError.KRB5_KPASSWD_SUCCESS, (KpasswdError)kpassClient.GetResultCode(kpassResponse), "The result code should be KRB5_KPASSWD_SUCCESS.");
        }
示例#11
0
        public void NetworkLogonLdapWithoutPac_Ldap()
        {
            base.Logging();

            client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
                                            this.testConfig.LocalRealm.User[1].Username,
                                            this.testConfig.LocalRealm.User[1].Password,
                                            KerberosAccountType.User,
                                            testConfig.LocalRealm.KDC[0].IPAddress,
                                            testConfig.LocalRealm.KDC[0].Port,
                                            testConfig.TransportType,
                                            testConfig.SupportedOid);

            // Kerberos Proxy Service is used
            if (this.testConfig.UseProxy)
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
                KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
                proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
                client.UseProxy          = true;
                client.ProxyClient       = proxyClient;
            }

            //Create and send AS request
            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            client.SendAsRequest(options, null);

            //Recieve preauthentication required error
            METHOD_DATA      methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create sequence of PA data
            string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                               0,
                                                               this.client.Context.SelectedEType,
                                                               this.client.Context.CName.Password,
                                                               this.client.Context.CName.Salt);
            PaPacRequest             paPacRequest = new PaPacRequest(false);
            Asn1SequenceOf <PA_DATA> seqOfPaData  = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });

            //Create and send AS request
            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");

            //Create and send TGS request
            client.SendTgsRequest(this.testConfig.LocalRealm.LdapServer[0].LdapServiceName, options);
            KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();

            AuthorizationData data   = null;
            EncryptionKey     subkey = KerberosUtility.GenerateKey(client.Context.SessionKey);

            byte[] token = client.CreateGssApiToken(ApOptions.MutualRequired,
                                                    data,
                                                    subkey,
                                                    ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG,
                                                    this.testConfig.LocalRealm.LdapServer[0].GssToken);

            //AP exchange part
            byte[]             repToken   = this.SendAndRecieveLdapAp(this.testConfig.LocalRealm.LdapServer[0], token, this.testConfig.TrustedRealm.LdapServer[0].GssToken);
            KerberosApResponse apResponse = client.GetApResponseFromToken(repToken, this.testConfig.LocalRealm.LdapServer[0].GssToken);
        }