/// <summary>
/// Dispatches a raw AuthorizationData element to the parser registered for its ad-type.
/// </summary>
/// <param name="element">The raw element; <c>element.ad_type.Value</c> selects the parser.</param>
/// <returns>
/// The parsed element, or <c>null</c> when the ad-type is not one of the handled types.
/// Callers must check for <c>null</c> rather than assume every element is understood.
/// </returns>
public static IAuthDataElement ParseAuthDataElement(AuthorizationDataElement element)
{
    // ad_type.Value is the numeric ad-type code; the cast maps it onto the enum.
    AuthorizationData_elementType adType = (AuthorizationData_elementType)element.ad_type.Value;

    switch (adType)
    {
        case AuthorizationData_elementType.AD_IF_RELEVANT:
            return AdIfRelevent.Parse(element);

        case AuthorizationData_elementType.AD_WIN2K_PAC:
            return AdWin2KPac.Parse(element);

        case AuthorizationData_elementType.AD_FX_FAST_USED:
            return AdFxFastUsed.Parse(element);

        case AuthorizationData_elementType.KERB_AUTH_DATA_TOKEN_RESTRICTIONS:
            return KerbAuthDataTokenRestrictions.Parse(element);

        default:
            // Unhandled ad-types are not treated as an error here; the caller sees null.
            return null;
    }
}
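/// <summary>
/// Verifies that the KDC rejects an unarmored TGS-REQ whose authorization data carries
/// AD-fx-fast-used. Flow: a device-principal AS exchange (whose TGT is then handed to the
/// user client as armor material), a FAST-armored user-principal AS exchange, and finally an
/// unarmored TGS-REQ with AD-fx-fast-used that must be answered with a KRB-ERROR.
/// </summary>
public void AdFxFastUsedInAuthenticator()
{
    base.Logging();

    // Step 1: device principal client.
    client = new KerberosTestClient(
        this.testConfig.LocalRealm.RealmName,
        this.testConfig.LocalRealm.ClientComputer.NetBiosName,
        this.testConfig.LocalRealm.ClientComputer.Password,
        KerberosAccountType.Device,
        testConfig.LocalRealm.KDC[0].IPAddress,
        testConfig.LocalRealm.KDC[0].Port,
        testConfig.TransportType,
        testConfig.SupportedOid,
        testConfig.LocalRealm.ClientComputer.AccountSalt);

    // Kerberos Proxy Service is used
    if (this.testConfig.UseProxy)
    {
        BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
        KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
        proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
        client.UseProxy = true;
        client.ProxyClient = proxyClient;
    }

    // AS_REQ and KRB-ERROR using device principal: the first AS-REQ carries no pa-data (null).
    KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
    client.SendAsRequest(options, null);
    METHOD_DATA methodData;
    client.ExpectPreauthRequiredError(out methodData);

    // AS_REQ and AS_REP using device principal, now with an encrypted-timestamp pa-data.
    string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
    PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
        timeStamp,
        0,
        client.Context.SelectedEType,
        this.client.Context.CName.Password,
        this.client.Context.CName.Salt);
    Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
    client.SendAsRequest(options, seqOfPaData);
    KerberosAsResponse asResponse = client.ExpectAsResponse();
    BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
    BaseTestSite.Log.Add(
        LogEntryKind.Comment,
        string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));

    // Switch to user principal. The device client's ticket and session key are passed into the
    // new client (presumably as the FAST armor ticket/key — confirm against KerberosTestClient).
    // The right-hand side is evaluated before `client` is reassigned, so these still refer to
    // the device client.
    client = new KerberosTestClient(
        this.testConfig.LocalRealm.RealmName,
        this.testConfig.LocalRealm.User[1].Username,
        this.testConfig.LocalRealm.User[1].Password,
        KerberosAccountType.User,
        client.Context.Ticket,
        client.Context.SessionKey,
        testConfig.LocalRealm.KDC[0].IPAddress,
        testConfig.LocalRealm.KDC[0].Port,
        testConfig.TransportType,
        testConfig.SupportedOid);

    // Kerberos Proxy Service is used
    if (this.testConfig.UseProxy)
    {
        BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
        KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
        proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
        client.UseProxy = true;
        client.ProxyClient = proxyClient;
    }

    // FAST armored AS_REQ and KRB-ERROR using user principal.
    // The subkey is derived from a fixed password string: this is deterministic test key
    // material, not a randomly generated subkey, and is only acceptable in a test harness.
    var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
    var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
    var apOptions = ApOptions.None;
    Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[]
    {
        new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null)
    });
    client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
    KerberosKrbError krbError2 = client.ExpectKrbError();
    BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required.");

    // FAST armored AS_REQ and AS_REP using user principal.
    var userKey = KerberosUtility.MakeKey(
        client.Context.SelectedEType,
        client.Context.CName.Password,
        client.Context.CName.Salt);
    PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
        client.Context.SelectedEType,
        KerberosUtility.CurrentKerberosTime.Value,
        0,
        client.Context.FastArmorkey,
        userKey);
    Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
    client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions);
    KerberosAsResponse userKrbAsRep = client.ExpectAsResponse();
    BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.ticket, "AS response should contain a TGT.");
    BaseTestSite.Log.Add(
        LogEntryKind.Comment,
        string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name));

    // Unarmored TGS_REQ with AD-fx-fast-used using user principal.
    // The request deliberately goes through SendTgsRequest (no FAST armor) while carrying
    // AD-fx-fast-used in its authorization data; the KDC must refuse such a request.
    BaseTestSite.Log.Add(LogEntryKind.Comment, "Create and send unarmored TGS request with AD-fx-fast-used.");
    AdFxFastUsed adFxFastUsed = new AdFxFastUsed();
    AuthorizationData authData = new AuthorizationData(new AuthorizationDataElement[] { adFxFastUsed.AuthDataElement });
    client.SendTgsRequest(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, authData);

    BaseTestSite.Log.Add(LogEntryKind.Comment, "Receive TGS Error, KDC MUST reject the request.");
    KerberosKrbError krbError = client.ExpectKrbError();
    // Pin the outcome the test exists to check, consistent with the earlier ErrorCode assertion;
    // the spec text on the page does not fix a particular error code, so only presence is asserted.
    BaseTestSite.Assert.IsNotNull(krbError, "KDC MUST reject an unarmored TGS request carrying AD-fx-fast-used with a KRB-ERROR.");
}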