如何使用SSPI从Kerberos获取服务令牌 [英] How to get Service Token from Kerberos using SSPI

问题描述

目标: 我正在尝试构建概念验证客户端应用程序，以通过使用SSPI来实现单点登录".我是C#的新手，我感到困惑.

Objective: I am trying to build Proof Of Concept client app to implement Single Sign On by using SSPI. I am new to C# and I am getting confused.

到目前为止我所知道和已经做的事情: 所有用户都是Active Directory域的一部分，因此我知道Kerberos在登录期间用于身份验证.此时，我需要做的就是从Kerberos获取服务令牌，以便可以将其传递给服务资源而不是用户名和密码(如果我输入错了，请更正我).已为我提供了已向Kerberos注册的服务原则名称(SPN)和密码.

What I know and have done so far: All users are part of Active Directory domain, so I know Kerberos is being used for authentication during login. All I need to do at this point is to get service token from Kerberos so I can pass it to the service resource instead of username and password (correct me if I am wrong). I have been provided Service Principle Name (SPN) and password that has been registered with Kerberos for the service.

我希望不使用平台调用服务来调用SSPI函数，但是如果需要的话，我会这样做.我通读了".NET远程身份验证和授权示例-第一部分"，并使用了 Microsoft .Samples.Security.SSPI 进行测试.我还尝试过将 C#/.Net接口用于Win32 SSPI身份验证API .

I was hoping not to use Platform Invocation Services to call SSPI functions, but I will if I have to. I read through ".NET Remoting Authentication and Authorization Sample - Part I" and used Microsoft.Samples.Security.SSPI for testing. I also tried using C#/.Net Interface To The Win32 SSPI Authentication API.

到目前为止，我可以获取用户/客户端凭据，构建客户端安全上下文.但是，如何为给定的SPN请求服务票证?

So far, I can get user/client credentials, build client security context. But how do I request a Service Ticket for a given SPN?

感谢您的帮助和指导.请具体说明，如果您有任何疑问，请告诉我.

I would appreciate your help and guidance. Please be specific if you can and let me know if you have any questions.

推荐答案

您可以在下面通过提供SPN来获取令牌

You can use below to get the token by giving the SPN

  public String getToken(string userName)
    {
     using (var domainContext = new PrincipalContext(ContextType.Domain, "domain"))
        {
          using (var foundUser = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, userName))
            {
                Console.WriteLine("User Principale name" + UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, userName).UserPrincipalName);
                string spn = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, userName).UserPrincipalName;
                KerberosSecurityTokenProvider k1 = new KerberosSecurityTokenProvider(spn, System.Security.Principal.TokenImpersonationLevel.Impersonation, new System.Net.NetworkCredential(userName, "password", "domain"));
                KerberosRequestorSecurityToken T1 = k1.GetToken(TimeSpan.FromMinutes(1)) as KerberosRequestorSecurityToken;
                string sret = Convert.ToBase64String(T1.GetRequest());
                Console.WriteLine("=====sret========" + sret);
                return sret;
            }
        }

    }

这篇关于如何使用SSPI从Kerberos获取服务令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！