From 79db305eac1c6e11c115bdbe798f59ceff401162 Mon Sep 17 00:00:00 2001
From: Cody Batt <CodyBatt@users.noreply.github.com>
Date: Tue, 1 Jul 2025 10:51:04 -0600
Subject: [PATCH 1/3] Add properties for each key to enable implementations
 that don't use subkey

---
 Kerberos.NET/Client/ApplicationSessionContext.cs | 4 ++++
 Kerberos.NET/Client/KerberosClient.cs            | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/Kerberos.NET/Client/ApplicationSessionContext.cs b/Kerberos.NET/Client/ApplicationSessionContext.cs
index 2ec1f24e..04fc04de 100644
--- a/Kerberos.NET/Client/ApplicationSessionContext.cs
+++ b/Kerberos.NET/Client/ApplicationSessionContext.cs
@@ -15,6 +15,10 @@ public class ApplicationSessionContext
 
         public KrbEncryptionKey SessionKey { get; set; }
 
+        public KrbEncryptionKey ServiceTicketSessionKey { get; set; }
+
+        public KrbEncryptionKey ClientSubSessionKey { get; set; }
+
         public int? SequenceNumber { get; set; }
 
         public int CuSec { get; set; }
diff --git a/Kerberos.NET/Client/KerberosClient.cs b/Kerberos.NET/Client/KerberosClient.cs
index 1f22b2be..e0def520 100644
--- a/Kerberos.NET/Client/KerberosClient.cs
+++ b/Kerberos.NET/Client/KerberosClient.cs
@@ -883,6 +883,8 @@ public async Task<ApplicationSessionContext> GetServiceTicket(
                         out KrbAuthenticator authenticator
                     ),
                     SessionKey = authenticator.Subkey ?? serviceTicketCacheEntry.SessionKey,
+                    ClientSubSessionKey = authenticator.Subkey,
+                    ServiceTicketSessionKey = serviceTicketCacheEntry.SessionKey,
                     CTime = authenticator.CTime,
                     CuSec = authenticator.CuSec,
                     SequenceNumber = authenticator.SequenceNumber

From f80f9e54d828bab7b1e0463d8903260a5041a689 Mon Sep 17 00:00:00 2001
From: petrsnd <petrsnd@gmail.com>
Date: Tue, 1 Jul 2025 13:11:32 -0600
Subject: [PATCH 2/3] Try all keys to decrypt AP-REP, remove seq validation

---
 .../Client/ApplicationSessionContext.cs       | 30 ++++++++++++++++++-
 Kerberos.NET/Crypto/DecryptedKrbApRep.cs      | 14 ++++-----
 2 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/Kerberos.NET/Client/ApplicationSessionContext.cs b/Kerberos.NET/Client/ApplicationSessionContext.cs
index 04fc04de..d296d5e4 100644
--- a/Kerberos.NET/Client/ApplicationSessionContext.cs
+++ b/Kerberos.NET/Client/ApplicationSessionContext.cs
@@ -41,11 +41,39 @@ public KrbEncryptionKey AuthenticateServiceResponse(ReadOnlyMemory<byte> apRepBy
                 SequenceNumber = this.SequenceNumber
             };
 
-            decrypted.Decrypt(this.SessionKey.AsKey());
+            DecryptApRep(decrypted);
 
             decrypted.Validate(ValidationActions.TokenWindow);
 
             return decrypted.Response.SubSessionKey ?? this.SessionKey;
         }
+
+        private void DecryptApRep(DecryptedKrbApRep decrypted)
+        {
+            foreach (var key in new[]
+            {
+                this.SessionKey,
+                this.ServiceTicketSessionKey,
+                this.ClientSubSessionKey,
+            })
+            {
+                if (key == null)
+                {
+                    continue;
+                }
+
+                try
+                {
+                    decrypted.Decrypt(key.AsKey());
+                    return;
+                }
+                catch (Exception)
+                {
+                    // Not this key, continue to the next one
+                }
+            }
+
+            throw new InvalidOperationException("Failed to decrypt AP_REP with any of the provided keys.");
+        }
     }
 }
diff --git a/Kerberos.NET/Crypto/DecryptedKrbApRep.cs b/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
index 13c67a9f..ba22adc9 100644
--- a/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
+++ b/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
@@ -62,13 +62,13 @@ public override void Validate(ValidationActions validation)
                 );
             }
 
-            if (this.SequenceNumber != this.Response.SequenceNumber)
-            {
-                throw new KerberosValidationException(
-                    $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
-                    nameof(this.SequenceNumber)
-                );
-            }
+            //if (this.SequenceNumber != this.Response.SequenceNumber)
+            //{
+            //    throw new KerberosValidationException(
+            //        $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
+            //        nameof(this.SequenceNumber)
+            //    );
+            //}
         }
     }
 }

From 31cc965389006c267e2718fadef45fbd7d9b4d8d Mon Sep 17 00:00:00 2001
From: petrsnd <petrsnd@gmail.com>
Date: Tue, 1 Jul 2025 13:21:19 -0600
Subject: [PATCH 3/3] AP-REP not AP_REP

---
 Kerberos.NET/Client/ApplicationSessionContext.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Kerberos.NET/Client/ApplicationSessionContext.cs b/Kerberos.NET/Client/ApplicationSessionContext.cs
index d296d5e4..9c6323c7 100644
--- a/Kerberos.NET/Client/ApplicationSessionContext.cs
+++ b/Kerberos.NET/Client/ApplicationSessionContext.cs
@@ -73,7 +73,7 @@ private void DecryptApRep(DecryptedKrbApRep decrypted)
                 }
             }
 
-            throw new InvalidOperationException("Failed to decrypt AP_REP with any of the provided keys.");
+            throw new InvalidOperationException("Failed to decrypt AP-REP with any of the provided keys.");
         }
     }
 }