private static async Task RequestTickets(
X509Certificate2 cert,
string user,
string password,
string overrideKdc,
string s4u,
string spn,
bool retryDH,
bool includeCNameHint,
string servicePassword,
string serviceSalt
)
{
KerberosCredential kerbCred;
if (cert == null)
{
kerbCred = new KerberosPasswordCredential(user, password);
}
else
{
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.Build(cert);
var kdcCerts = new List <X509Certificate2>();
for (var i = 0; i < chain.ChainElements.Count; i++)
{
var c = chain.ChainElements[i].Certificate;
if (c.Thumbprint != cert.Thumbprint)
{
kdcCerts.Add(c);
}
}
if (retryDH)
{
kerbCred = new RandomDHAsymmetricCredential(cert, user);
}
else
{
kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
}
}
KerberosClient client;
if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy))
{
var kdcProxyTransport = new HttpsKerberosTransport()
{
DomainPaths = new Dictionary <string, Uri>
{
{ kdcProxy.DnsSafeHost.ToLowerInvariant(), kdcProxy },
{ kerbCred.Domain.ToLowerInvariant(), kdcProxy }
}
};
client = new KerberosClient(null, kdcProxyTransport);
}
else
{
client = new KerberosClient(overrideKdc);
}
if (includeCNameHint)
{
client.CNameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
}
using (client)
using (kerbCred as IDisposable)
{
await client.Authenticate(kerbCred);
W("AS-REQ Succeeded", ConsoleColor.Green);
spn = spn ?? "host/appservice.corp.identityintervention.com";
KrbTicket s4uTicket = null;
if (!string.IsNullOrWhiteSpace(s4u))
{
var s4uSelf = await client.GetServiceTicket(
kerbCred.UserName,
ApOptions.MutualRequired,
s4u : s4u
);
s4uTicket = s4uSelf.Ticket;
}
var ticket = await client.GetServiceTicket(
spn,
ApOptions.MutualRequired,
s4uTicket : s4uTicket
);
DumpTicket(ticket);
ResetColor();
if (!retryDH)
{
try
{
await TryValidate(spn, ticket, servicePassword, serviceSalt);
}
catch (Exception ex)
{
W(ex.Message, ConsoleColor.Yellow);
ResetColor();
}
}
}
}
private static async Task RequestTickets(
X509Certificate2 cert,
string user,
string password,
string overrideKdc,
string s4u,
string spn,
bool retryDH,
bool includeCNameHint,
string servicePassword,
string serviceSalt,
bool cacheToFile
)
{
KerberosCredential kerbCred;
if (cert == null)
{
kerbCred = new KerberosPasswordCredential(user, password);
}
else
{
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.Build(cert);
var kdcCerts = new List <X509Certificate2>();
for (var i = 0; i < chain.ChainElements.Count; i++)
{
var c = chain.ChainElements[i].Certificate;
if (c.Thumbprint != cert.Thumbprint)
{
kdcCerts.Add(c);
}
}
if (retryDH)
{
kerbCred = new RandomDHAsymmetricCredential(cert, user);
}
else
{
kerbCred = new TrustedKdcAsymmetricCredential(cert, user);
}
}
var factory = LoggerFactory.Create(builder =>
{
builder.AddConsole(opt => opt.IncludeScopes = true);
builder.AddFilter <ConsoleLoggerProvider>(level => level >= LogLevel.Trace);
});
var client = new KerberosClient(logger: factory);
if (Uri.TryCreate(overrideKdc, UriKind.Absolute, out Uri kdcProxy))
{
client.Configuration.Realms[kdcProxy.DnsSafeHost].Kdc.Add(kdcProxy.OriginalString);
client.Configuration.Realms[kerbCred.Domain].Kdc.Add(kdcProxy.OriginalString);
client.Configuration.Defaults.DnsLookupKdc = false;
}
else if (!string.IsNullOrWhiteSpace(overrideKdc))
{
client.Configuration.Defaults.DnsLookupKdc = false;
client.PinKdc(kerbCred.Domain, overrideKdc);
}
if (cacheToFile)
{
client.Configuration.Defaults.DefaultCCacheName = "krb5cc";
}
KrbPrincipalName cnameHint = null;
if (includeCNameHint)
{
cnameHint = KrbPrincipalName.FromString(kerbCred.UserName, PrincipalNameType.NT_PRINCIPAL, kerbCred.Domain);
}
client.RenewTickets = true;
using (client)
using (kerbCred as IDisposable)
{
await client.Authenticate(kerbCred);
spn = spn ?? "host/appservice.corp.identityintervention.com";
KrbTicket s4uTicket = null;
if (!string.IsNullOrWhiteSpace(s4u))
{
var s4uSelf = await client.GetServiceTicket(
kerbCred.UserName,
ApOptions.MutualRequired,
s4u : s4u
);
s4uTicket = s4uSelf.Ticket;
}
var session = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTicket = s4uTicket,
CNameHint = cnameHint
}
);
DumpTicket(session.ApReq);
ResetColor();
if (!retryDH)
{
try
{
await TryValidate(spn, session.ApReq, servicePassword, serviceSalt, factory);
}
catch (Exception ex)
{
W(ex.Message, ConsoleColor.Yellow);
ResetColor();
}
}
}
}
