Copy cname from request in order to be spec compliant

Author: MaximeKjaer

Kerberos.NET/Entities/Krb/KrbKdcRep.cs

@@ -113,6 +113,19 @@ out MessageType messageType
                 throw new InvalidOperationException("A service principal key must be provided");
             }
 
+            if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently))
+            {
+                if (request.ClientName == null)
+                {
+                    throw new InvalidOperationException("Client name must be provided when IsolateRealmsConsistently is set");
+                }
+
+                if (request.ClientRealmName == null)
+                {
+                    throw new InvalidOperationException("Client realm name must be provided when IsolateRealmsConsistently is set");
+                }
+            }
+
             if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.NormalizeRealmsUppercase))
             {
                 request.RealmName = request.RealmName?.ToUpperInvariant();
@@ -196,8 +209,6 @@ private static KrbEncTicketPart CreateEncTicketPart(
             KrbEncryptionKey sessionKey
         )
         {
-            var cname = CreateCNameForTicket(request);
-
             var flags = request.Flags;
 
             if (request.PreAuthenticationData?.Any(r => r.Type == PaDataType.PA_REQ_ENC_PA_REP) ?? false)
@@ -211,7 +222,7 @@ KrbEncryptionKey sessionKey
 
             var encTicketPart = new KrbEncTicketPart()
             {
-                CName = cname,
+                CName = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ? request.ClientName : CreateCNameForTicket(request),
                 CRealm = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ? request.ClientRealmName : request.RealmName,
                 Key = sessionKey,
                 AuthTime = request.Now,
@@ -237,11 +248,11 @@ private static KrbPrincipalName CreateCNameForTicket(ServiceTicketRequest reques
         {
             if (string.IsNullOrEmpty(request.SamAccountName))
             {
+                // This is a bug, fixed under the IsolateRealmsConsistently flag.
+                // Client realm name is not necessarily the same as the (service) realm name
                 return KrbPrincipalName.FromPrincipal(
                     request.Principal,
-                    realm: request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
-                        request.ClientRealmName :
-                        request.RealmName
+                    realm: request.RealmName
                 );
             }
 

Kerberos.NET/Entities/Krb/ServiceTicketRequest.cs

@@ -28,7 +28,12 @@ public struct ServiceTicketRequest : IEquatable<ServiceTicketRequest>
         public KerberosKey KdcAuthorizationKey { get; set; }
 
         /// <summary>
-        /// The realm name for which the requested identity originated
+        /// The client name (cname) of the identity requesting the ticket
+        /// </summary>
+        public KrbPrincipalName ClientName { get; set; }
+
+        /// <summary>
+        /// The client realm (crealm) name of the identity requesting the ticket
         /// </summary>
         public string ClientRealmName { get; set; }
 
@@ -179,6 +184,21 @@ public bool Equals(ServiceTicketRequest other)
                 return false;
             }
 
+            if (other.ClientName != this.ClientName)
+            {
+                return false;
+            }
+
+            if (other.ClientRealmName != this.ClientRealmName)
+            {
+                return false;
+            }
+
+            if (other.EncryptedPartEType != this.EncryptedPartEType)
+            {
+                return false;
+            }
+
             if (other.EncryptedPartKey != this.EncryptedPartKey)
             {
                 return false;
@@ -281,6 +301,10 @@ public override int GetHashCode()
         {
             return EntityHashCode.GetHashCode(
                 this.Addresses,
+                this.ClientName,
+                this.ClientRealmName,
+                this.Compatibility,
+                this.EncryptedPartEType,
                 this.EncryptedPartKey,
                 this.EndTime,
                 this.Flags,

Kerberos.NET/Server/KdcAsReqMessageHandler.cs

@@ -167,6 +167,12 @@ private ReadOnlyMemory<byte> GenerateAsRep(KrbAsReq asReq, PreAuthenticationCont
 
             var rst = new ServiceTicketRequest
             {
+                // RFC 4120 section 3.1.5 Receipt of KRB_AS_REP Message
+                // "If the reply message type is KRB_AS_REP, then the client verifies that the cname and crealm fields
+                // in the cleartext portion of the reply match what it requested."
+                ClientName = asReq.Body.CName,
+                ClientRealmName = asReq.Body.Realm,
+
                 Principal = context.Principal,
                 EncryptedPartKey = context.EncryptedPartKey,
                 EncryptedPartEType = context.EncryptedPartEType,

Kerberos.NET/Server/KdcTgsReqMessageHandler.cs

@@ -265,13 +265,19 @@ public override ReadOnlyMemory<byte> ExecuteCore(PreAuthenticationContext contex
 
             var rst = new ServiceTicketRequest
             {
+                // RFC 4120, section 3.3.3 Generation of KRB_TGS_REP Message:
+                // "By default, the address field, the client's name and realm, the list of transited realms, the time
+                // of initial authentication, the expiration time, and the authorization data of the newly-issued
+                // ticket will be copied from the TGT or renewable ticket."
+                ClientName = context.Ticket.CName,
+                ClientRealmName = context.Ticket.CRealm,
+
                 KdcAuthorizationKey = context.EvidenceTicketKey,
                 Principal = context.Principal,
                 EncryptedPartKey = context.EncryptedPartKey,
                 EncryptedPartEType = context.EncryptedPartEType,
                 ServicePrincipal = context.ServicePrincipal,
                 ServicePrincipalKey = serviceKey,
-                ClientRealmName = context.Ticket.CRealm,
                 RealmName = tgsReq.Body.Realm,
                 Addresses = tgsReq.Body.Addresses,
                 RenewTill = context.Ticket.RenewTill,

Tests/Tests.Kerberos.NET/Client/HttpKerberosTransportTests.cs

@@ -92,6 +92,8 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
 
                 var rst = new ServiceTicketRequest
                 {
+                    ClientName = KrbPrincipalName.FromPrincipal(principal),
+                    ClientRealmName = Realm,
                     Principal = principal,
                     EncryptedPartKey = principalKey,
                     ServicePrincipalKey = new KerberosKey(key: TgtKey, etype: EncryptionType.AES256_CTS_HMAC_SHA1_96)

Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs

@@ -76,24 +76,27 @@ public void CreateServiceTicket()
 
             var tgsRep = KrbKdcRep.GenerateServiceTicket<KrbTgsRep>(new ServiceTicketRequest
             {
-                EncryptedPartKey = key,
+                ClientName = KrbPrincipalName.FromString("blah@test.com"),
+                ClientRealmName = "test.com",
+                Principal = new FakeKerberosPrincipal("blah@test.com"),
+
                 ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
                 ServicePrincipalKey = key,
-                Principal = new FakeKerberosPrincipal("blah@blah2.com"),
                 RealmName = "blah.com",
-                ClientRealmName = "test.com",
+
+                EncryptedPartKey = key,
                 Compatibility = KerberosCompatibilityFlags.IsolateRealmsConsistently,
             });
 
             Assert.IsNotNull(tgsRep);
             Assert.AreEqual("blah.com", tgsRep.Ticket.Realm);
             Assert.AreEqual("blah@blah.com/blah.com", tgsRep.Ticket.SName.FullyQualifiedName);
             Assert.AreEqual("test.com", tgsRep.CRealm);
-            Assert.AreEqual("blah@blah2.com", tgsRep.CName.FullyQualifiedName);
+            Assert.AreEqual("blah@test.com", tgsRep.CName.FullyQualifiedName);
 
             var ticketEncPart = tgsRep.Ticket.EncryptedPart.Decrypt(key, KeyUsage.Ticket, KrbEncTicketPart.DecodeApplication);
             Assert.AreEqual("test.com", ticketEncPart.CRealm);
-            Assert.AreEqual("blah@blah2.com", ticketEncPart.CName.FullyQualifiedName);
+            Assert.AreEqual("blah@test.com", ticketEncPart.CName.FullyQualifiedName);
         }
 
         [TestMethod]
@@ -121,12 +124,14 @@ string expectedCRealm
 
             var tgsRep = KrbKdcRep.GenerateServiceTicket<KrbTgsRep>(new ServiceTicketRequest
             {
+                Principal = new FakeKerberosPrincipal($"blah@{crealm}"),
+                ClientName = KrbPrincipalName.FromString($"blah@{crealm}"),
+                ClientRealmName = crealm,
+
                 EncryptedPartKey = key,
                 ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
                 ServicePrincipalKey = key,
-                Principal = new FakeKerberosPrincipal("blah@blah2.com"),
                 RealmName = realm,
-                ClientRealmName = crealm,
                 Compatibility = compatibilityFlags,
             });