Is your feature request related to a problem? Please describe.
The KerberosClient doesn't do much in the way of logging.

Describe the solution you'd like
It would be useful if an ILogger were available to it so callers can examine whats going on. This should get passed down through the stacks to transports and cache. Ideally there would be a way to transit some correlation Id to the server, but that's limited by the structure of the protocol.

Is there a way to use this library on a domain-connected machine to validate tokens, but without having to use a manual keytab file(and instead use the existing domain membership of the computer in question as the connection back to the directory)?

Is your feature request related to a problem? Please describe.
PKINIT is an asymmetric crypto extension for the initial AS-REQ authentication exchange. It's used for smart card (cert-based) authentication.

Describe the solution you'd like
A new class should be implemented AsymmetricKerberosCredential that extends KerberosCredential and accepts X509Certificate2 and AsymmetricAlgorithm parameters.

A new abstract class AsymmetricKerberosCryptoTransformer should be added to contain all the shared asymmetric goo and specific classes should be implemented for a given algorithm such as RSA.

This should probably also honor RFC 8636 for crypto agility reasons.

Additional context

https://tools.ietf.org/html/rfc4556
https://tools.ietf.org/html/rfc8636

Hi All,

I was wondering if there was plans to be able to use a keytab file as means of authentication.

Something like:
... = new KerberosKeytabCredential("PrincipalNameHere", "./PathToKeytabFile", "realm");

Thanks much for the library.

after running the websample i get asked to enter credentials in my browser...
Unsure, i put in the "P@ssw0rd!" i found in the sample into both fields (since i lack the username)

This gives me an InvalidDataException, thrown because he can't detect the mechtype (in TryDiscoverMechType method of the ContextToken class)
It expects my element to have a class 'TagClass.Universal', but it is 'Application'..

Am I doing something wrong?

//offtopic: perhaps good to add a small readme.md to the sample projects, so people like me don't ask stupid questions

Hello,

I have seen the sample where a client is authenticated using username and password. However, some libraries (maybe this one too) support the use case where we want to just acquire the current Kerberos ticket seamlessly without having username/password passed as inputs (so without prompting the user again to enter their credentials because they will have already logged in).

In NSSPI, that is known as the "current context" for client or server.

Is there something similar in this library?

Example:
var client = new KerberosClient();
var kerbCred = new KerberosCurrentClientCredential(); // not Password credentials
await client.Authenticate(kerbCred); // or server.Authenticate() to get a ticket
var ticket = await client.GetServiceTicket("host/appservice.corp.identityintervention.com");

Thanks

Is your feature request related to a problem? Please describe.
Customers are transitioning to OAuth2 based flows but still need to support systems that talk Kerberos. We're looking to offer an OAuth2/STS server that can exchange one type of tickets for another.

Describe the solution you'd like
We would like ability to use Kerberos.NET to leverage S4U2Self & S4U2Proxy extensions to obtain Kerberos tickets on behalf of clients and then get a service ticket to destination service.

Describe alternatives you've considered
ADFS is not an option in this case

I came across Kerberos.net trying to migrate a section of code from sharpview into the newish .net core world. Namely this section:

System.IdentityModel.Tokens.KerberosRequestorSecurityToken Ticket = null; try { Ticket = new System.IdentityModel.Tokens.KerberosRequestorSecurityToken(UserSPN); }

Is there an equivalent in Kerberos.net that can do this??

Hi,

I've followed all the great samples provided and actually I'm facing the following issue:

Invalid checksum at Kerberos.NET.Crypto.AES.AESDecryptor.DecryptWith(Byte[] workBuffer, Int32[] workLens, Byte[] key, Byte[] iv, KeyUsage usage) at Kerberos.NET.Crypto.AES.AESDecryptor.Decrypt(Byte[] cipher, Byte[] key, Byte[] iv, KeyUsage usage) at Kerberos.NET.Crypto.AES.AESDecryptor.Decrypt(Byte[] cipher, KerberosKey key, KeyUsage usage) at Kerberos.NET.Crypto.AESDecryptedData.Decrypt(KeyTable keytab) at Kerberos.NET.KerberosRequest.Decrypt(KrbApReq token, KeyTable keytab) at Kerberos.NET.KerberosValidator.Validate(Byte[] requestBytes) at Kerberos.NET.KerberosAuthenticator.Authenticate(Byte[] token) at Kerberos.NET.KerberosAuthenticator.Authenticate(String token) at elearningapp.MessageHandlers.KerberosMiddleware.ParseKerberosHeader(OwinEnvironment env, HttpContext httpContext)

Does anyone has already encountered that before ?

Thansk in advance !

I'm getting an exception when authenticating this ticket.

System.InvalidCastException: Unable to cast object of type 'Kerberos.NET.Entities.NegTokenTarg' to type 'Kerberos.NET.Entities.ContextToken'.
at Kerberos.NET.KerberosValidator.d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Kerberos.NET.KerberosAuthenticator.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Kerberos.NET.KerberosAuthenticator.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at UserQuery.

SPN password is "New0rder"

Negotiate oYIG0DCCBsygAwoBAaKCBsMEgga/YIIGuwYJKoZIhvcSAQICAQBuggaqMIIGpqADAgEFoQMCAQ6iBwMFACAAAACjggTiYYIE3jCCBNqgAwIBBaEMGwpBTE1JUkVYLkRDoiEwH6ADAgECoRgwFhsESFRUUBsOYWQuYWxtaXJleC5jb22jggSgMIIEnKADAgEXoQMCAQKiggSOBIIEijZdM1Lqxe9ev+WykLJko9XhMPRl2/TxnuM3GOSfUUyEyheAj2mRgTwGfAkjMdYI44+gNLSVa+pIvAkJ9cbb0HVqRIgv7R4QAB0ftBtLpjdRpUjmBRbmZ4pjSbN9DHEWPxIqW3EYhbOOFSjgPXEVXieHS/UbGlBGamxYzHH+ngq/NvZqwZWwFLb/QFC32QKvbjYeKytDjF24czwm/e9316Uh81nUfQmhaUJmwRMEKvNgUyBRX555xkgx90kAlD6BC7QtCkRDmHtuG/vLr093CEE/KxjCt659DAj8rTtnUOlmY0EvhRfhgIXuAMG5UOl6e5fNnsd4/UHajcCBvlMX0h7tCSmXCZHIZj5MzEG6jLYj42kpgyQmo3zSoLKXfBR/L96QJtWbrmq4wcdQTHafWCjAtLmsE8birCco1p0VhU52ztbQD1dYGBcvJoh6NjaVIvazhrRCYOmJEZuVnZ32XCvaeEccamuIMQErxovqQ2+cLTLVgRzKExGxkXREEZu4oClE9BrjulwjeO89BNhlfmLxpDUuqF5CGdU/gp9FmlCMyLzlrTzm+i8+K5CX0/l6RL3xlHrh7DPwC9/1vNoaz2S3xp3w4KMeySXY+rQN2K9J2v3p1EBB/A08UaaVzF7/qukXYgaFUn2pEG7ywlulp0a097qxFT73flT9g99+33kgF1vh03JOEm1Pj2Au+e8M3P8SN0Ung7cPOIvLutj+l5SLLTDdxLC+QODF/SHlb/INNChbptf9qKMW3jMqGvhZLhatVFBWExAHTvCRfyYEdUZY3q0YTrSJNx//Vvmt5NHKHibxyrBVk/AyoAHhXO8OSx2WMnaZesEUmSKTWoL1zqeANG0opADK1++gX2KdcvqxL54d3zUCAOr/FRc0vdVciwkAOft4aq5+Hniy7VJlNIfZsBCx8JHW0GwuM1LEOOWgSg5AH/38lgXw1yGsazXcz6/9h+Z3/EDIUT2UryfmP0e6wt5saqs5zFXl+J/OUMn+ugbC0sOFTAHAZ6Lz5UTkXfSVkShq1a5g9YBJSoiDTdSIJTLTYBXd377bZs8PtIFGxtvzCwmXa9BXh1uRIc3vMm64Gh8cl5Iud2BGNCVOZGGYG9etGD6RP/oHxrMJI/EbBxZxmDEBP2slYTc1Kv27Cbtke52IjIxwjCrM9d+x7GERD6UUOzaeRFf1I1dYOWgXjhGkVhfvWPLNmEv9EsHrpG4PyM+xllNKJ5OKqMZefdDFmo6O4lQIIP8KfWD8ZWZjwNuyjk6DWJU80WJ5jeD6FmTnQTOt6mek3b/xOWqwM2igpKKcIg/bbCvPqYfaeDuBjydFKthbZIyFmxH4VNuCfl6hZ0WIaIAwaRoXsKIZ1i2PoM7BOxctZ51ZqoJ8dUx3klfpz9xKzumjiswhg/alOFcmXe8bZd7aeA8F5Vmqwynm9yvX9jY4bvYzH1e6GrF7aOWxwkqiH6GfjmHAq63jHenR9vNryViVHdGPe57kfpg5YqnFl0JaUIL9i3Q5mR6y+TnjSuHDD4egxeodbKwuoEubm0igLE/+VxekggGpMIIBpaADAgEXooIBnASCAZj6K4D8NqBiw9JmgFkf/NHPdwDBt+ukckoDOJCtEPlNeK6mqA9q1CA9vGmh2F7QaBpQcULTINDhzSjyjDACbUN9OHFBRf4prrRJIAG4zYfip1ZF6/CPDlyYe5+PYH+g+tjbd/hLcoYGHjDx71n9clkiSghIEDicwWRQ5Bqos8n7L7LNTAqqanXW58mJOdnTRjqVsb56BDm7ZsmSMwIuVnw0iE9aHLLbXcp12rVkgzcVFod9r2FydAUIjXX/Uyfdqpo5o7/zy3R4KFPllzdw56ljl+sYlZ3WiWMkCPWwBnTGB+9ymwWrGP0zDpw9tz7/Ds3ThQxO7EQutGUvKmNnmdw7/eaXTYJgraHlQhlGnL4/Tc1Q7HfTXj0PWr0/8V0GJ/dMkjfjth/khHFQHKMdD+V5+m8qe/THDCNE5cLgZVduy3/Ib6L8qgOfoMJiAvLyNnjKhAYHa0uNLXtVGsIajCxF1wij0M6wJ2RJaiWhC9BVfcDqpEPnhfSD1bN2JfpY1R8RnBy7aCDPKfTyjLOD/5BC6jPhX3cF4h8=

AsnXml.targets(23, 5): [MSB4062] The "Microsoft.Build.Tasks.XslTransformation" task could not be loaded from the assembly Microsoft.Build.Tasks.Core, Version=15.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a. Confirm that the declaration is correct, that the assembly and all its dependencies are available, and that the task contains a public class that implements Microsoft.Build.Framework.ITask.

Is your feature request related to a problem? Please describe.
This is a tracker for the server side of PKINIT #95.

Describe the solution you'd like
Implement PublicKeyPreAuthenticationHandler : KdcPreAuthenticationHandlerBase that queries IRealmService for the KDC signing key. Extract the SignedCms signing certificate from the request and validate it is acceptable for the requested user. Expose a delegate or method overload that lets implementers specify their own validation logic.

Pleace can you show how to get kerberos key from firefox in asp.net core app?
I want to authenticate user in asp.net core
Or another ways to authenticate user in linux systems

Is your feature request related to a problem? Please describe.
Change password is a common enough requirement for Kerberos users and it should be possible to expose this functionality to callers with minimal implementation requirements. This supersedes #79.

Describe the solution you'd like
KerberosClient should add a method ChangePassword(KerberosCredential currentCredential, string newPassword). This should invoke an AS-REQ call to service kadmin/changepw@REALM and then a call to a KDC on port 464 with a change-password message.

Additional context

Spec is defined here: https://www.rfc-editor.org/rfc/rfc3244.txt

There seems to be no blocking issue in order to support .NET Standard 1.3 (or at least 1.5). That way we can support .NET Core 1.0 users.

I hope I can give it a try in the next couple of days.

Also take the opportunity to congrats @SteveSyfuhs for a great lib!

In the "Using the Library" section of the ReadMe, the section line takes in a token to authenticate:
var identity = authenticator.Authenticate("YIIHCAYGKwYBBQUCoIIG...");
I also see these types of encryption tokens in the sample app "KerbTester". In the "KerberosMiddlewareEndtoEndSample" it is hard coded in the program as "NegotiateSample"

Where does this token come from? How do we generate one to use in our code if its needed? We are trying to use Kerberos to authenticate a http request, and we have a keytab but are stuck on this token.

Thanks!

Is your feature request related to a problem? Please describe.
So currently as I am experimenting the ticket expiration is always the same even if you call renew/authenticate and getserviceticket multiple times. This makes me wonder what would happen if at the edge of expiration kerberos ticket is retrieved but used in the request a second after it has expired (due to just some delay).

Describe the solution you'd like
To avoid this I would like to force refresh/generate new ticket that would have new expiration.

Describe alternatives you've considered
I couldn't get this to happen any other way except when creating new instance of the KerberosClient. I obviously could just add some sleep if I can see that the ticket is about to expire, but that is not ideal.

Is this already possible in some way or maybe the usage of kerberos is incorrect here?

Hi there, I am new to all this stuff (kerberos). But I have been working on a .net Forms Auth application for 6 years. Recently the need to be able to validate a kerberos ticket has been asked of us and I was curious if there's some simple snippets you could provide that would point me in the right direction (without needing to upend our current authentication method). The samples provided are all using claims and I am not totally sure how that would port to forms auth/cookie auth.

We typically validate a user by username/password (sometimes through AD) and then create a forms auth ticket that is saved as a cookie and used to validate future requests.

Assuming we can validate the kerberos ticket, we can just create a session with (assuming here) a username?

Any guidance would be greatly appreciated.

Is your feature request related to a problem? Please describe.
The base PKINIT spec supports straight Diffie Hellman using MODP 2 or 14 parameters. This is inefficient and leads to potential interop problems. ECC support was spec'ed shortly after PKINIT and introduces ECDH for key exchange and certificate signatures. This will have better performance implications as well as better cross-platform support as ECDH is supported in .NET Core.

Describe the solution you'd like
Introduce logic into AsymmetricKerberosCredential that detects if the client certificate is EC, and force everything into using EC.

Add a new property to the credential that indicates the key exchange should prefer ECDH over DH (should it be default?).

Additional context
https://tools.ietf.org/html/rfc5349

Hi,

I am getting a kerberos ticket that is encrypted with a key using AES256, when i try to validate the ticket using your kerberos validator, i get invalid check-sum error.

var kerberosValidator = new KerberosValidator(new KerberosKey("sampleKey")) { ValidateAfterDecrypt = ValidationActions.None };
var authenticator = new KerberosAuthenticator(kerberosValidator);
var identity = await authenticator.Authenticate(ticket);

I am debugging a program trying to use this assembly.

KeyTable.GetKey seems really strict for what's trying to happen here.

I can understand the strict match on EncryptionType + PrincipalName, though using PrincipalName.Equals for this might be a bit too strict. Equals is built to exactly match, which is correct for Equals, but for finding a match, shouldn't this allow for a keytab that has more than one Name for a given Principal and EncryptionType? You can have more than one SPN for an account, but obviously an incoming request is only going to have a single SPN. (Also: it's not clear to me that a NameType mismatch is truly a mismatch, e.g. NT_PRINCIPAL in the keytab and NT_SRV_INST in the request. Other libraries are more forgiving in this area.)

Next... if that matching fails (in KeyTable.GetKey) it will use the first entry, but only if there's only a single entry in the keytab. But shouldn't this take the first entry for the given EncryptionType? If I have 5 entries in my keytab, for the 5 different supported algorithms, and my incoming request says RC4_HMAC_NT, if I don't get a match based on type+name, why wouldn't we pick the first RC4_HMAC_NT in the keytab?

Is your feature request related to a problem? Please describe.
This is a tracker for the client side of PKINIT #95.

Describe the solution you'd like
Implement AsymmetricKerberosCredential : KerberosCredential which takes an X509Certificate2 instance containing a private key.

Invert the pre-auth logic such that a given credential controls how it injects a PA element into the as-req instead of leaving it to the KrbAsReq class. Move the default encrypted timestamp implementation into the abstract KerberosCredential class and have existing credentials use that default implementation.

While attempting to parse a keytab acquired using Samba's net ads join command (against a Windows Server 2012 R2 DC), only the first key (of type DES_CBC_CRC) was loaded successfully - the second one had garbage values (type 16718, version 81, length 0) because the first key had an extra 4 bytes of padding at the end which weren't being read, and the other 13 weren't loaded at all.

The problem is in Crypto/KeyTab.cs, in the constructor for KeyEntry - the BinaryReader needs to be explicitly seeked past any unread bytes to ensure that it's at the right offset for the next key.

There's actually another bug in that function too: according to various keytab file format documents, the logic for reading a 32-bit Version field at the end of the entry needs to check if there are at least 4 unread bytes available (Length - bytesConsumedInEntity >= 4, rather than just > 0), and it should probably also ensure that the value is nonzero before using it.

Most other KRB5 implementations I've used (including mod_auth_kerb) support mutual authentication by default - after the client submits a valid Negotiate token, the server responds with its own WWW-Authenticate: Negotiate header containing a Base64-encoded value that the Client can decode in order to confirm that it's actually talking to the correct server.

This library does not appear to support it, at least in its current state - there are symbols defined in Entities/Enums.cs related to mutual authentication, but they are not referenced from anywhere else.

Are there any plans to implement this functionality in the near future?

The encoded tickets created by Ticket.Encode method fail to decode when run through validator. I've also tried with EncodeApplication (not clear what the difference is).

var ticket = await client.GetServiceTicket("iwasvc");

var ticketString = Convert.ToBase64String(ticket.Ticket.EncodeApplication().ToArray());

var validator = new KerberosAuthenticator(new KerberosValidator(new KerberosKey("MYPASSWORD")));
var claims = await validator.Authenticate(ticketString);

Throws the following error:

System.Security.Cryptography.CryptographicException: ASN1 corrupted data. Expected Application-0; Actual: Constructed Application-1
   at System.Security.Cryptography.Asn1.AsnReader.CheckExpectedTag(Asn1Tag tag, Asn1Tag expectedTag, UniversalTagNumber tagNumber) in c:\Projects\Kerberos.NET\Kerberos.NET\Asn1\Experimental\AsnReader.cs:line 455
   at System.Security.Cryptography.Asn1.AsnReader.ReadSequence(Asn1Tag expectedTag) in c:\Projects\Kerberos.NET\Kerberos.NET\Asn1\Experimental\AsnReader.Sequence.cs:line 58
   at Kerberos.NET.Entities.GssApiToken.Decode(ReadOnlyMemory`1 data) in c:\Projects\Kerberos.NET\Kerberos.NET\Entities\GssApi\GssApiToken.cs:line 35
   at Kerberos.NET.MessageParser.Parse(ReadOnlyMemory`1 data) in c:\Projects\Kerberos.NET\Kerberos.NET\MessageParser.cs:line 66
   at Kerberos.NET.MessageParser.Parse[T](ReadOnlyMemory`1 data) in c:\Projects\Kerberos.NET\Kerberos.NET\MessageParser.cs:line 56
   at Kerberos.NET.MessageParser.ParseContext(ReadOnlyMemory`1 data) in c:\Projects\Kerberos.NET\Kerberos.NET\MessageParser.cs:line 41
   at Kerberos.NET.KerberosValidator.Validate(Byte[] requestBytes) in c:\Projects\Kerberos.NET\Kerberos.NET\KerberosValidator.cs:line 54
   at Kerberos.NET.KerberosAuthenticator.Authenticate(Byte[] token) in c:\Projects\Kerberos.NET\Kerberos.NET\KerberosAuthenticator.cs:line 48
   at Kerberos.NET.KerberosAuthenticator.Authenticate(String token) in c:\Projects\Kerberos.NET\Kerberos.NET\KerberosAuthenticator.cs:line 43
   at KerberosPlay.Program.Main(String[] args) in C:\Projects\SqlClientPlay\KerberosPlay\Program.cs:line 31

I'm specifically looking for the client side of authentication protocol exchange.

Is there a way to properly extract details about the incoming ticket after I've authenticated it?

The validator returns a bunch of interesting information, notably in the ticket (like the various timestamps and the ticket flags) but I can't figure out how to get at that information. Using the validator outside of .Authenticate triggers the replay detection logic, in either direction since the authentication call is doing it's own .Validate.

Am I missing something obvious of how to get at the validated/decrypted token inside of the KerberosAuthenticator?

Is your feature request related to a problem? Please describe.
The existing implementations require a lot of allocating and copying because of historical interfaces in .NET. We can bypass these interfaces and call directly into a PAL (Win32 on Windows, custom on other platforms).

This requires issue #57 to be completed first.

hi

i tried to use basic kerberos sample at my end. but i get invalid checksum error. can you help?

`

var keytab = new KeyTable(File.ReadAllBytes(@"C:\Kafka\SRV.keytab"));
string raw = "";
string something = "aes";
switch (something)
{
case "aes":
case "aes256":
raw = "YIIJOAYGKwYBBQUCoIIJLDCC...";
break;
case "aes128":
raw = "YIIHCAYGKwYBBQUCoIIG/DCCB...";
break;
case "rc4":
raw = "YIIKbQYGKwYBBQUCoIIKYTCCCl...";
break;
case "spnego":
raw = "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAAPx046cicVOngxMfxUsCsEIMeUM39SSXP1N9DuDVIU3IFosQ3eWTsKOPdfTNWD4SAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAMNbiTClcBVAolAmCpGQrZA=";
break;
default:
raw = args[1];
break;
}

        var validator = new KerberosValidator(keytab)
        {
            //Logger = W
        };

        var authenticator = new KerberosAuthenticator(validator);
        var identity = authenticator.Authenticate(raw);


        var t = identity.Result;

        Console.WriteLine(identity);

        var name = identity.Id;`

Is your feature request related to a problem? Please describe.
The existing NDR encoder is buggy and does not scale to handling arbitrary structures. It would be nice if a generic implementation could be built to handle encoding and decoding for safety, security, and correctness.

Windows already supports this through the NdrMesTypeEncode2 and NdrMesTypeDecode2 functions for RPC. It might be reasonable to call into that on Windows and use a custom implementation for cross-platform using a PAL-like mechanism.

Is your feature request related to a problem? Please describe.
Legacy cryptographic algorithms like MD4 require calling into Windows Win32 APIs directly. This is problematic because there's no Win32 equivalent on other platforms which will cause the calling application to break in terrible ways.

A PAL is useful here because the library can continue to call directly into Win32 APIs and use either a custom implementation or third party like OpenSSL on other platforms.

Describe the solution you'd like
Similar to how .NET corefx does it today with a class file with shared functionality, followed by a Class.Platform.cs file for each class.

I am using a SOAP webservice with standard WCF tooling in Visual Studio.
On my machine that is in Active Directory, passing the Windows Credentials, it works properly, but when I send my app to other PC that is no in AD, the auth fail.

The SOAP webservice, use Kerberos protocol to authenticate users, I was trying to use this in standard SOAP client, but I didn't find a way.

How can I achieve that?

Hey,

This might just be me who does not have enough experience with the Kerberos protocol or the Kerberos.Net Nuget Package.

What I'm essentially attempting to do is call an API which required kerberos authentication.

Using Kerberos.NET, I have successfully gotten a Service Ticket from the authentication server for the SPN where the API is located.

However, after that it's not quite clear if I'm doing things correctly. What I want to do is put the ticket session key in the Authorization header, using the Negotiate scheme, when I send an HTTP request to the API. What I do right now is this:

`
var encodedNegotiateValue = Convert.ToBase64String(ticket.EncodeNegotiate().ToArray());

...
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", encodedNegotiateValue);

`

However, this does not work. Am I missing something essential, or using the API incorrectly? I tried to check out the End 2 End tests and saw that a test for negotiate was there. It also uses the Authenticator class. However, I'm not sure where this fits into the protocol, or how exactly to build up the Base 64 encoded negotiate string :)

Hi Steve, based on convo,

I keep getting "Unknown Negotiate Extension Signature". I are using a keytab file generated on our dev box which has our entire AD. When i get the kerberos ticket from the client i get that error. You specified that the ticket i am getting is not correct format.

So i think i am not doing the handshake properly to get the right kerberos ticket from browser. based on your code,

if (!context.Request.Headers.TryGetValue("Authorization", out StringValues authzHeader) || authzHeader.Count != 1)
            {
                context.Response.Headers.Add("WWW-Authenticate", new[] { "Negotiate" });
                context.Response.StatusCode = 401;

                return false;
            }

we we send this, we are not getting a kerberos ticket the browser is sending something else. How can i force my browser or cleint to send the correct kerberos ticket, do i need to include something else int he WWW-Authenticate.

Thanks

I get the following exception when calling
await authenticator.Authenticate(token);
in a netcoreapp2.0 webapi application.

---- System.IO.FileNotFoundException : Could not load file or assembly 'System.Runtime.Caching, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. The system cannot find the file specified.

Im using nuget package <PackageReference Include="Kerberos.NET" Version="1.5.821.1"/>

Seems like the nuget package is binding to the assembly for net46 applications and not .net core 2.0 apps.

Hi,

I tried creating a custom authenticator using .net core 2, and Kerberos.NET package (using a keytab validator) but I'm always getting this error of: Unknown Negotiate Extension Signature..
from this file:
Kerberos.NET/Kerberos.NET/Entities/NegotiateExtension.cs

Is there a reason for the hardcoded signature here?
What can I do to bypass this?

Thanks,
Liat

Is your feature request related to a problem? Please describe.
Kerberos as spec'ed does not provide a guarantee of current possession of the client key. This means client as-req's can be generated infinitively into the future once, and then be used without requiring knowledge of the client key. The "Freshness" spec introduces the idea of a freshness token sent in the krb-error message to indicate the client needs to include it in the message to continue, which requires current knowledge of the client key to sign the message.

Describe the solution you'd like

KerberosClient should detect the PA_AS_FRESHNESS PA-Data element, inject the token into a new PA-Data element, and retry the request.

PublicKeyPreAuthenticationHandler should be extended to check for the freshness token and validate correctness. A new setting should be included on IRealmSettings that indicates whether freshness is supported or not and if it is, should be injected if not present.

The freshness token should be a short lived value tying the client to the current time. An example token might be something like AesGcm(value: upn | (now + 5 min), key: krbtgt) and validated by decrypting and checking the timestamp hasn't passed

Additional context

https://tools.ietf.org/html/rfc8070

When creating an instance of the KerberosValidator were are getting the following exception:
Method 'GetAsync' in type 'Kerberos.NET.DistributedMemoryCache' from assembly 'Kerberos.NET, Version=2.0.0.0, Culture=neutral, PublicKeyToken=10b231fbfc8c4b4d' does not have an implementation.

var validator = new KerberosValidator(new KerberosKey(Options.Secret)) { ValidateAfterDecrypt = ValidationActions.All };

Is there something I need to do to avoid this exception?

When calling KerberosAuthenticator.Authenticate a null reference exception is thrown.

I dug down into the code and it seems to happen when adding the Sid claim because the pac.LoginInfo is null.

Digging deeper, it seems the NdrBinaryReader can't read non ascii characters.

Trying to use a .net core application in a linux container against existing kerberos infrastructure.
Most documentation for apps in that situation indicate the need for using keytab files and rely on the MIT command line tools to set everything up.
The kdc information is in the /etc/krb5.conf.
It seems that the ASPNetCore team also uses that for their Negotiate mechanism. It would be nice if Kerberos.Net also did.

KerberosClient should provide an initialization mechanism that consumes the same krb5.conf.

I am going to be doing this in my client right now but with some guidance I could contribute whatever I do if wanted.

Thx

Hi Steve, would your package work for the strictly client side functionality of generating a particular service TGT and the associated "Authenticator" to then send to the server service for authentication?

If so, do you mind pointing me to the calls that i would use to do it?

Thanks, Scot

In KeyTable.cs, ReadPrincipal Method, var nameType = (PrincipalNameType)ReadInt32(reader); should not be executed if it's version 1 according to this documentation: https://web.mit.edu/kerberos/krb5-1.12/doc/formats/keytab_file_format.html

I think the code should look like:

var nameType = PrincipalNameType.NT_UNKNOWN;
if (version != 1)
{
    nameType = (PrincipalNameType)ReadInt32(reader);
}

Not that I use that version 1, nor can confirm it, but noticed this as I was doing a code review.

Is your feature request related to a problem? Please describe.
Tests are currently a haphazard mix of unit and E2E tests that often cover wide ranges of functionality in a given test or class.

E2E tests are also currently written as unit tests, which make it easy to quickly verify the library works, but doesn't make it easy to pinpoint exact failures.

Server side is also relying heavily on E2E tests to guarantee services work correctly, which is dangerous.

Describe the solution you'd like
It would be better if each test class was better organized and methods only tested smaller units of functionality.

This works fine on Windows, but fails on Linux which makes sense as the DLL is not present. Is there anyway to support the compressions that rely on the unmanage calls when running on a non-windows platform?

We are running under docker containers which is why we have run into this issue.

Hi,

Could Kerberos.NET be used to authenticate to a sql server looking for Active Directory Details?

Almost something along the lines of this article: https://www.codeproject.com/Articles/1272546/Authenticate-NET-Core-Client-of-SQL-Server-with-In

Is your feature request related to a problem? Please describe.
The logging framework in this library is simplistic which makes it difficult to diagnose issues, especially at scale. It would be useful if this library supported a library like Microsoft.Extensions.Logging for structured logging.

Describe the solution you'd like
Rewrite K.N.ILogger to wrap M.E.L.ILogger and provide structured data at critical points in the server and client processes.

Currently, when Authenticator establishes ClaimsIdentity, it does so in the format of "user@REALM". For dealing with legacy scenarios, it would be useful to have access to principal in "DOMAIN\user" format. I propose either: a) an option for authenticator on how to establish the primary Name claim. b) adding additional claim into ClaimIdentity in the legacy format. c) a+b

Is your feature request related to a problem? Please describe.
Most applications do not use Kerberos directly. They often rely on the platform below them exposing an interface for requesting tickets. This is GSS generically, and SSPI on Windows. It's defined in RFC 2743.

Describe the solution you'd like

An interface and implementation that exposes all the required functions of GSS:

interface IGssContext 
{
   GSS_Acquire_cred(...);
   GSS_Release_cred(...);
   GSS_Inquire_cred(...);
   
   GSS_Add_cred(...);
   GSS_Inquire_cred_by_mech(...);
   
   
   GSS_Init_sec_context(...);
   GSS_Accept_sec_context(...);
   GSS_Delete_sec_context(...);
   GSS_Process_context_token(...);
   GSS_Context_time(...);
   GSS_Inquire_context(...);
   GSS_Wrap_size_limit(...);
   GSS_Export_sec_context(...);
   GSS_Import_sec_context(...);
   
   GSS_GetMIC(...);
   GSS_VerifyMIC(...);
   GSS_Wrap(...);
   GSS_Unwrap(...);
   
   GSS_Display_status(...);
   GSS_Indicate_mechs(...);
   GSS_Compare_name(...);
   GSS_Display_name(...);
   GSS_Import_name(...);
   GSS_Release_name(...);
   GSS_Release_buffer(...);
   GSS_Release_OID_set(...);
   GSS_Create_empty_OID_set(...);
   GSS_Add_OID_set_member(...);
   GSS_Test_OID_set_member(...);
   GSS_Inquire_names_for_mech(...);
   GSS_Inquire_mechs_for_name(...);
   GSS_Canonicalize_name(...);
   GSS_Export_name(...);
   GSS_Duplicate_name(...);
}

By reading Kerberos Change Password Protocol and Kerberos.NET Samples, I wrote the following code:

using Kerberos.NET;
using Kerberos.NET.Client;
using Kerberos.NET.Credentials;
using Kerberos.NET.Crypto;
using Kerberos.NET.Entities;
using System;
using System.Linq;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

namespace KerberosDemo
{
    class Program
    {
        static async Task Main(string[] args)
        {
            string activeDirectoryServer = "10.12.34.56:88"; // kdc port
            string domain = "TEST.LOCAL";
            string username = "testuser@" + domain;
            string oldPassword = "123";
            string newPassword = "456";

            using var client = new KerberosClient(activeDirectoryServer);
            var kerbCred = new KerberosPasswordCredential(username, oldPassword, domain);
            await client.Authenticate(kerbCred);
            var serviceTicket = await client.GetServiceTicket("kadmin/changepw");

            var apReq = new KrbApReq
            {
                Ticket = serviceTicket.Ticket,
                Authenticator = KrbEncryptedData.Encrypt(Encoding.UTF8.GetBytes(newPassword).AsMemory(), kerbCred.CreateKey(), KeyUsage.ApReqAuthenticator),
                ProtocolVersionNumber = 1
            };

            var tcp = client.Transports.FirstOrDefault(t => t.Protocol == ProtocolType.Tcp);
            await tcp.SendMessage<KrbApReq, KrbAsRep>(domain, apReq);
        }
    }
}

I got the following exception at await tcp.SendMessage<KrbApReq, KrbAsRep>(domain, apReq);:

Unhandled exception.
System.Security.Cryptography.CryptographicException: ASN1 corrupted
data. at
System.Security.Cryptography.Asn1.AsnReader.ReadTagAndLength(Nullable1& contentsLength, Int32& bytesRead) in d:\a\1\s\Kerberos.NET\Asn1\Experimental\AsnReader.cs:line 305 at Kerberos.NET.Entities.KrbError.CanDecode(ReadOnlyMemory1 encoded) in
d:\a\1\s\Kerberos.NET\Entities\Krb\KrbError.cs:line 23 at
Kerberos.NET.Transport.KerberosTransportBase.Decode[T](ReadOnlyMemory1 response) in d:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 41 at Kerberos.NET.Transport.TcpKerberosTransport.ReadResponse[T](NetworkStream stream, CancellationToken cancellation) in d:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 69 at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory1 encoded, CancellationToken cancellation) in
d:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 58
at KerberosDemo.Program.Main(String[] args) at
KerberosDemo.Program.

(String[] args)

Your help is appreciated. Thanks.

https://stackoverflow.com/questions/58670044/change-active-directory-password-using-kerberos-change-password-protocol-and-ne

I have validator and authenticator working with keytab created from a service account. Based on that:

• Can I do away with need for keytab somehow if I'm running the Kerberos code in a process already running as the service account?
• Is there anything I can grab after/during validate/authenticate (within ticket object, etc.) that I can use to get an impersonation token?