Improvements for AP-REP validation #400

Open
wants to merge 3 commits into
base: develop
petrsnd
Contributor

@petrsnd petrsnd commented Jul 1, 2025

Summary of changes:

  • Expose ServiceTicketSessionKey and ClientSubSessionKey in ApplicationSessionContext while preserving existing functionality
  • Try to decrypt AP-REP with all keys before failing
  • Remove sequence number validation on decrypted AP-REP

What's the problem?

We are unable to implement a simple WinRM (HTTP/SOAP) connection setup using GSS-API Krb5 while simulating the WinRM protocol with Kerberos authentication. When selecting the Kerberos authentication option for Enter-PSSession, PowerShell uses Kerberos directly, not SPNEGO.

This change is to have Kerberos.NET make all keys available via the ApplicationSessionContext to validate GSS-API tokens. The observed behavior that we are following is that the AP-REP is validated with the service ticket session key, and then GSS Wrap/Unwrap uses the subkey returned from the server.

  • Bugfix
  • New Feature

What's the solution?

ApplicationSessionContext needs to keep track of sub session keys as well and try multiple options before giving up, in order to accommodate applications that may misbehave relative to common expectations and specifications.

ApplicationSessionContext should not try to validate that the sequence numbers match.

  • Includes unit tests
  • Requires manual test

The code in #398 can be used to manually test.

What issue is this related to, if any?

The issue is described in #398.
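
The key-fallback behaviour described in this pull request, as an added example that is not code from the PR or from Kerberos.NET: each candidate key is tried in turn, the caller learns which key verified, and the call fails closed when none does. Assumptions: the `ApRepKeyFallback` class, its `Seal`/`Open` helpers, the candidate order and the HMAC-SHA256 stand-in for a real Kerberos encryption type are all hypothetical; only the key names come from the PR description.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not Kerberos.NET code. An HMAC-SHA256 tag stands in for the
// integrity check that a real Kerberos encryption type performs during decryption.
public static class ApRepKeyFallback
{
    private const int TagLength = 32;

    public sealed record Candidate(string Name, byte[] Key);

    // Constructed stand-in for an encrypted AP-REP part: body followed by its tag.
    public static byte[] Seal(byte[] key, byte[] body)
    {
        using var mac = new HMACSHA256(key);
        byte[] tag = mac.ComputeHash(body);
        byte[] sealedPart = new byte[body.Length + tag.Length];
        body.CopyTo(sealedPart, 0);
        tag.CopyTo(sealedPart, body.Length);
        return sealedPart;
    }

    // Tries every candidate key in order and reports which one verified.
    // Fails closed: if no key verifies, nothing is returned to the caller.
    public static (string KeyName, byte[] Body) Open(IReadOnlyList<Candidate> keys, byte[] sealedPart)
    {
        if (sealedPart.Length < TagLength)
            throw new CryptographicException("AP-REP part is shorter than its integrity tag.");
        byte[] body = sealedPart[..^TagLength];
        byte[] tag = sealedPart[^TagLength..];
        foreach (Candidate candidate in keys)
        {
            using var mac = new HMACSHA256(candidate.Key);
            if (CryptographicOperations.FixedTimeEquals(mac.ComputeHash(body), tag))
                return (candidate.Name, body);
        }
        throw new CryptographicException("AP-REP did not verify under any candidate key.");
    }

    public static void Main()
    {
        byte[] ticketKey = RandomNumberGenerator.GetBytes(32); // constructed sample keys
        byte[] subKey = RandomNumberGenerator.GetBytes(32);
        var keys = new List<Candidate> { new("ClientSubSessionKey", subKey), new("ServiceTicketSessionKey", ticketKey) };
        byte[] part = Seal(ticketKey, Encoding.UTF8.GetBytes("constructed AP-REP body"));
        Console.WriteLine($"verified with {Open(keys, part).KeyName}");
    }
}
```

Returning the name of the key that verified lets the caller log or assert which key a peer actually used, instead of accepting any match silently.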

nameof(this.SequenceNumber)
);
}
//if (this.SequenceNumber != this.Response.SequenceNumber)
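
Review bot: the sequence-number comparison on the last line of this excerpt (`//if (this.SequenceNumber != this.Response.SequenceNumber)`) is commented out rather than deleted or made optional, which leaves dead code in the file and gives callers no way to keep the check. Either remove the block outright, or move the comparison behind a setting or pluggable validator that defaults to the existing behaviour, and add a comment saying why a mismatch has to be tolerated.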
Contributor Author

@SteveSyfuhs Would you like us to remove DecryptedKrbApRep_Validate_Sequence or try to make it work by passing in a custom validator with this implementation as the default?
