|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1993.
//
// File: gettgs.cxx
//
// Contents: GetTGSTicket and support functions
//
// Classes:
//
// Functions:
//
// History: 04-Mar-94 wader Created
//
//----------------------------------------------------------------------------
#include "kdcsvr.hxx"
#include "kdctrace.h"
#include <tostring.hxx>
#include <userall.h>
#include "fileno.h"
#define FILENO FILENO_GETTGS
extern LARGE_INTEGER tsInfinity;extern LONG lInfinity;
UNICODE_STRING KdcNullString = {0,0,NULL};
//--------------------------------------------------------------------
//
// Name: KdcGetS4UPac
//
// Synopsis: Track down the user acct for PAC info.
//
// Effects: Get the PAC
//
// Arguments: S4UClientName - ClientName from S4U PA Data
// PAC - Resultant PAC (signed w/? key)
//
// Requires:
//
// Returns: KDC_ERR_ or KRB_AP_ERR errors only
//
// Notes: Free client name and realm w/
//
//
//--------------------------------------------------------------------------
KERBERRKdcGetS4UTicketInfo( IN PKERB_INTERNAL_NAME S4UClientName, IN OUT PUSER_INTERNAL6_INFORMATION * UserInfo, IN OUT PSID_AND_ATTRIBUTES_LIST GroupMembership, IN OUT PKERB_EXT_ERROR ExtendedError ){
KERBERR KerbErr; UNICODE_STRING S4UClient = {0}; KDC_TICKET_INFO S4UClientInfo;
KerbErr = KerbConvertKdcNameToString( &S4UClient, S4UClientName, NULL );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Get the user information...
//
KerbErr = KdcGetTicketInfo( &S4UClient, SAM_OPEN_BY_UPN_OR_ACCOUNTNAME, // extra flags?
S4UClientName, NULL, &S4UClientInfo, ExtendedError, NULL, USER_ALL_KDC_GET_PAC_AUTH_DATA, 0L, UserInfo, GroupMembership );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR, "Getting the ticket info for S4U req failed - %x\n", KerbErr)); DsysAssert(FALSE); goto Cleanup; }
Cleanup:
KerbFreeString(&S4UClient); FreeTicketInfo( &S4UClientInfo );
return KerbErr;
}
//+-------------------------------------------------------------------------
//
// Function: KdcAuditAccountMapping
//
// Synopsis: Generates, if necessary, a success/failure audit for name
// mapping. The names are converted to a string before
// being passed to the LSA.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKdcAuditAccountMapping( IN PKERB_INTERNAL_NAME ClientName, IN KERB_REALM ClientRealm, IN OPTIONAL PKDC_TICKET_INFO MappedTicketInfo ){ UNICODE_STRING ClientString = {0}; PUNICODE_STRING MappedName = NULL; UNICODE_STRING UnicodeRealm = {0}; UNICODE_STRING NullString = {0}; KERBERR KerbErr; BOOLEAN Successful;
if (ARGUMENT_PRESENT(MappedTicketInfo)) { if (!SecData.AuditKdcEvent(KDC_AUDIT_MAP_SUCCESS)) { return; } Successful = TRUE; MappedName = &MappedTicketInfo->AccountName; } else { if (!SecData.AuditKdcEvent(KDC_AUDIT_MAP_FAILURE)) { return; } MappedName = &NullString; Successful = FALSE; }
KerbErr = KerbConvertRealmToUnicodeString( &UnicodeRealm, &ClientRealm ); if (!KERB_SUCCESS(KerbErr)) { return; }
if (KERB_SUCCESS(KerbConvertKdcNameToString( &ClientString, ClientName, &UnicodeRealm ))) { LsaIAuditAccountLogon( SE_AUDITID_ACCOUNT_MAPPED, Successful, &GlobalKdcName, &ClientString, MappedName, 0 // no status
);
KerbFreeString( &ClientString );
}
KerbFreeString( &UnicodeRealm );}
//----------------------------------------------------------------
//
// Name: KdcInsertAuthorizationData
//
// Synopsis: Inserts auth data into a newly created ticket.
//
// Arguments: FinalTicket - Ticket to insert Auth data into
// EncryptedAuthData - Auth data (optional)
// SourceTicket - Source ticket
//
// Notes: This copies the authorization data from the source ticket
// to the destiation ticket, and adds the authorization data
// passed in. It is called by GetTGSTicket.
//
// This assumes that pedAuthData is an encrypted
// KERB_AUTHORIZATION_DATA.
// It will copy all the elements of that list to the new ticket.
// If pedAuthData is not supplied (or is empty), and there is
// auth data in the source ticket, it is copied to the new
// ticket. If no source ticket, and no auth data is passed
// in, nothing is done.
//
//----------------------------------------------------------------
KERBERRKdcInsertAuthorizationData( OUT PKERB_ENCRYPTED_TICKET FinalTicket, OUT PKERB_EXT_ERROR pExtendedError, IN OPTIONAL PKERB_ENCRYPTED_DATA EncryptedAuthData, IN OPTIONAL PKERB_INTERNAL_NAME S4UClientName, IN BOOLEAN DoingS4U, IN PKERB_ENCRYPTED_TICKET SourceTicket, IN BOOLEAN AddResourceGroups, IN OPTIONAL PKDC_TICKET_INFO OriginalServerInfo, IN OPTIONAL PKERB_ENCRYPTION_KEY OriginalServerKey, IN OPTIONAL PKERB_ENCRYPTION_KEY TargetServerKey ){ PKERB_AUTHORIZATION_DATA SourceAuthData = NULL; PKERB_AUTHORIZATION_DATA FinalAuthData = NULL; PKERB_AUTHORIZATION_DATA PacAuthData = NULL; PKERB_AUTHORIZATION_DATA NewPacAuthData = NULL; KERBERR KerbErr = KDC_ERR_NONE; PKERB_AUTHORIZATION_DATA_LIST * TempAuthData = NULL; PKERB_AUTHORIZATION_DATA NextAuthData; PKERB_INTERNAL_NAME ClientName = NULL; PKERB_IF_RELEVANT_AUTH_DATA * IfRelevantData = NULL; PKERB_AUTHORIZATION_DATA SuppliedAuthData = NULL; UNICODE_STRING DummyName = {0}; SID_AND_ATTRIBUTES_LIST S4UGroupMembership = {0}; PUSER_INTERNAL6_INFORMATION S4UUserInfo = NULL;
TRACE(KDC, InsertAuthorizationData, DEB_FUNCTION);
D_DebugLog(( DEB_T_TICKETS, "Inserting authorization data into ticket.\n" ));
//
// First try to decrypt the supplied authorization data
//
if (!DoingS4U) {
if (ARGUMENT_PRESENT(EncryptedAuthData)) { KerbErr = KerbDecryptDataEx( EncryptedAuthData, &SourceTicket->key, KERB_NON_KERB_SALT, // WAS BUG: wrong salt, removed per MikeSw
&EncryptedAuthData->cipher_text.length, EncryptedAuthData->cipher_text.value );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN, "KLIN(%x) Failed to decrypt encrypted auth data: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
//
// Now decode it
//
KerbErr = KerbUnpackData( EncryptedAuthData->cipher_text.value, EncryptedAuthData->cipher_text.length, PKERB_AUTHORIZATION_DATA_LIST_PDU, (PVOID *) &TempAuthData ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } if (TempAuthData != NULL) { SuppliedAuthData = *TempAuthData; } }
if (SourceTicket->bit_mask & KERB_ENCRYPTED_TICKET_authorization_data_present) { DsysAssert(SourceTicket->KERB_ENCRYPTED_TICKET_authorization_data != NULL); SourceAuthData = SourceTicket->KERB_ENCRYPTED_TICKET_authorization_data;
//
// Get the AuthData from the source ticket
//
KerbErr = KerbGetPacFromAuthData( SourceAuthData, &IfRelevantData, &PacAuthData );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to get pac from auth data: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
}
//
// The new auth data is the original auth data appended to the
// supplied auth data. The new auth data goes first, followed by the
// auth data from the original ticket.
//
//
// Update the PAC, if it is present.
//
if (ARGUMENT_PRESENT(OriginalServerKey) && (PacAuthData != NULL)) { KerbErr = KdcVerifyAndResignPac( OriginalServerKey, TargetServerKey, OriginalServerInfo, AddResourceGroups, PacAuthData );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to verify & resign pac: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr));
goto Cleanup; }
//
// Copy the old auth data & insert the PAC
//
KerbErr = KdcInsertPacIntoAuthData( SourceAuthData, (IfRelevantData != NULL) ? *IfRelevantData : NULL, PacAuthData, &FinalAuthData );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to insert pac into auth data: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr));
goto Cleanup; } } }
if (DoingS4U) { //
// Use the PAC from the S4U data to return in the TGT / Service Ticket
//
KerbErr = KdcGetS4UTicketInfo( S4UClientName, &S4UUserInfo, &S4UGroupMembership, pExtendedError );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KdcGetPacAuthData( S4UUserInfo, &S4UGroupMembership, TargetServerKey, NULL, // no credential key
AddResourceGroups, FinalTicket, S4UClientName, &NewPacAuthData, pExtendedError ); SamIFreeSidAndAttributesList(&S4UGroupMembership); SamIFree_UserInternal6Information( S4UUserInfo );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR, "Failed to get S4UPacAUthData\n")); DsysAssert(FALSE); goto Cleanup; }
FinalAuthData = NewPacAuthData; NewPacAuthData = NULL;
}
//
// If there was no original PAC, try to insert one here. If the ticket
// was issued from this realm we don't add a pac.
//
else if ((PacAuthData == NULL) && !SecData.IsOurRealm(&SourceTicket->client_realm)) { KDC_TICKET_INFO ClientTicketInfo = {0}; SID_AND_ATTRIBUTES_LIST GroupMembership = {0}; PUSER_INTERNAL6_INFORMATION UserInfo = NULL;
//
// Try mapping the name to get a PAC
//
KerbErr = KerbConvertPrincipalNameToKdcName( &ClientName, &SourceTicket->client_name );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KdcGetTicketInfo( &DummyName, SAM_OPEN_BY_ALTERNATE_ID, ClientName, &SourceTicket->client_realm, &ClientTicketInfo, pExtendedError, NULL, // no handle
USER_ALL_KDC_GET_PAC_AUTH_DATA, 0L, // no extended fields
&UserInfo, &GroupMembership );
if (KERB_SUCCESS(KerbErr)) {
KdcAuditAccountMapping( ClientName, SourceTicket->client_realm, &ClientTicketInfo );
FreeTicketInfo(&ClientTicketInfo); KerbFreeKdcName(&ClientName);
KerbErr = KdcGetPacAuthData( UserInfo, &GroupMembership, TargetServerKey, NULL, // no credential key
AddResourceGroups, FinalTicket, NULL, // no S4U client
&NewPacAuthData, pExtendedError );
SamIFreeSidAndAttributesList(&GroupMembership); SamIFree_UserInternal6Information( UserInfo );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
} else if (KerbErr == KDC_ERR_C_PRINCIPAL_UNKNOWN) {
KdcAuditAccountMapping( ClientName, SourceTicket->client_realm, NULL );
KerbFreeKdcName(&ClientName);
KerbErr = KDC_ERR_NONE; } if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// If we got a PAC, stick it in the list
//
if (NewPacAuthData != NULL) { //
// Copy the old auth data & insert the PAC
//
KerbErr = KerbCopyAndAppendAuthData( &NewPacAuthData, SourceAuthData );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to insert pac into auth data: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; } FinalAuthData = NewPacAuthData; NewPacAuthData = NULL; } }
//
// if there was any auth data and we didn't copy it transfering the
// PAC, do so now
//
if ((SourceAuthData != NULL) && (FinalAuthData == NULL)) { KerbErr = KerbCopyAndAppendAuthData( &FinalAuthData, SourceAuthData ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } }
if (SuppliedAuthData != NULL) { KerbErr = KerbCopyAndAppendAuthData( &FinalAuthData, SuppliedAuthData ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } } if (FinalAuthData != NULL) { FinalTicket->bit_mask |= KERB_ENCRYPTED_TICKET_authorization_data_present; FinalTicket->KERB_ENCRYPTED_TICKET_authorization_data = FinalAuthData; FinalAuthData = NULL; }
KerbErr = KDC_ERR_NONE;
Cleanup:
KerbFreeAuthData( FinalAuthData );
if (TempAuthData != NULL) { KerbFreeData( PKERB_AUTHORIZATION_DATA_LIST_PDU, TempAuthData ); }
KerbFreeAuthData(NewPacAuthData);
if (IfRelevantData != NULL) { KerbFreeData( PKERB_IF_RELEVANT_AUTH_DATA_PDU, IfRelevantData ); }
return(KerbErr);}
//+---------------------------------------------------------------------------
//
// Function: BuildTicketTGS
//
// Synopsis: Builds (most of) a TGS ticket
//
// Arguments: ServiceTicketInfo - Ticket info for the requested service
// ReferralRealm - Realm to build referral to
// RequestBody - The request causing this ticket to be built
// SourceTicket - The TGT used to make this request
// Referral - TRUE if this is an inter-realm referral ticke
// CommonEType - Contains the common encryption type between
// client and server
// NewTicket - The new ticket built here.
//
//
// History: 24-May-93 WadeR Created
//
// Notes: see 3.3.3, A.6 of the Kerberos V5 R5.2 spec
//
//----------------------------------------------------------------------------
KERBERRBuildTicketTGS( IN PKDC_TICKET_INFO ServiceTicketInfo, IN PKERB_KDC_REQUEST_BODY RequestBody, IN PKERB_TICKET SourceTicket, IN BOOLEAN Referral, IN OPTIONAL PKERB_INTERNAL_NAME S4UClientName, IN OPTIONAL PUNICODE_STRING S4UClientRealm, IN ULONG CommonEType, OUT PKERB_TICKET NewTicket, IN OUT PKERB_EXT_ERROR ExtendedError ){ KERBERR KerbErr = KDC_ERR_NONE; KERB_TICKET OutputTicket; PKERB_ENCRYPTED_TICKET EncryptedTicket; PKERB_ENCRYPTED_TICKET SourceEncryptPart; LARGE_INTEGER SourceRenewUntil; LARGE_INTEGER SourceEndTime; LARGE_INTEGER SourceStartTime; LARGE_INTEGER TicketLifespan; LARGE_INTEGER TicketRenewspan; UNICODE_STRING NewTransitedInfo = {0,0,NULL}; UNICODE_STRING ClientRealm = {0,0,NULL}; UNICODE_STRING TransitedRealm = {0,0,NULL}; UNICODE_STRING OldTransitedInfo = {0,0,NULL}; STRING OldTransitedString; ULONG KdcOptions = 0; BOOLEAN fKpasswd = FALSE; ULONG TicketFlags = 0; ULONG SourceTicketFlags = 0; PKERB_HOST_ADDRESSES Addresses = NULL; TRACE(KDC, BuildTicketTGS, DEB_FUNCTION);
D_DebugLog(( DEB_T_TICKETS, "Building a TGS ticket\n" ));
SourceEncryptPart = (PKERB_ENCRYPTED_TICKET) SourceTicket->encrypted_part.cipher_text.value; OutputTicket = *NewTicket; EncryptedTicket = (PKERB_ENCRYPTED_TICKET) OutputTicket.encrypted_part.cipher_text.value;
KdcOptions = KerbConvertFlagsToUlong( &RequestBody->kdc_options );
//
// Get the times from the source ticket into a usable form
//
if (SourceEncryptPart->bit_mask & KERB_ENCRYPTED_TICKET_renew_until_present) { KerbConvertGeneralizedTimeToLargeInt( &SourceRenewUntil, &SourceEncryptPart->KERB_ENCRYPTED_TICKET_renew_until, 0 ); } else { SourceRenewUntil.QuadPart = 0; }
KerbConvertGeneralizedTimeToLargeInt( &SourceEndTime, &SourceEncryptPart->endtime, 0 );
if (SourceEncryptPart->bit_mask & KERB_ENCRYPTED_TICKET_starttime_present) {
KerbConvertGeneralizedTimeToLargeInt( &SourceStartTime, &SourceEncryptPart->KERB_ENCRYPTED_TICKET_starttime, 0 );
} else { SourceStartTime.QuadPart = 0; }
//
// Check to see if the request is for the kpasswd service, in
// which case, we only want the ticket to be good for 2 minutes.
//
KerbErr = KerbCompareKdcNameToPrincipalName( &RequestBody->server_name, GlobalKpasswdName, &fKpasswd );
if (!fKpasswd || !KERB_SUCCESS(KerbErr)) { TicketLifespan = SecData.KdcTgsTicketLifespan(); TicketRenewspan = SecData.KdcTicketRenewSpan(); } else { TicketLifespan.QuadPart = (LONGLONG) 10000000 * 60 * 2; TicketRenewspan.QuadPart = (LONGLONG) 10000000 * 60 * 2; }
//
// TBD: We need to make the ticket 10 minutes if we're doing s4U
//
KerbErr = KdcBuildTicketTimesAndFlags( 0, // no client policy
ServiceTicketInfo->fTicketOpts, &TicketLifespan, &TicketRenewspan, NULL, // no logoff time
NULL, // no acct expiry.
RequestBody, SourceEncryptPart, EncryptedTicket, ExtendedError ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to build ticket times and flags: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
TicketFlags = KerbConvertFlagsToUlong( &EncryptedTicket->flags ); SourceTicketFlags = KerbConvertFlagsToUlong( &SourceEncryptPart->flags );
KerbErr = KerbMakeKey( CommonEType, &EncryptedTicket->key );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
OldTransitedString.Buffer = (PCHAR) SourceEncryptPart->transited.contents.value; OldTransitedString.Length = OldTransitedString.MaximumLength = (USHORT) SourceEncryptPart->transited.contents.length;
//
// Fill in the service names
//
if (Referral) { PKERB_INTERNAL_NAME TempServiceName;
//
// For referral tickets we put a the name "krbtgt/remoterealm@localrealm"
//
//
// We should only be doing this when we didn't get a non-ms principal
//
KerbErr = KerbBuildFullServiceKdcName( &ServiceTicketInfo->AccountName, SecData.KdcServiceName(), KRB_NT_SRV_INST, &TempServiceName );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertKdcNameToPrincipalName( &OutputTicket.server_name, TempServiceName );
KerbFreeKdcName(&TempServiceName);
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// If we got here on a referral ticket and are generating one
// and the referral ticket we received was not from the client's
// realm, add in the transited information.
//
if (!KerbCompareRealmNames( &SourceEncryptPart->client_realm, &SourceTicket->realm)) {
KerbErr = KerbStringToUnicodeString( &OldTransitedInfo, &OldTransitedString ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } KerbErr = KerbConvertRealmToUnicodeString( &TransitedRealm, &SourceTicket->realm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertRealmToUnicodeString( &ClientRealm, &SourceEncryptPart->client_realm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KdcInsertTransitedRealm( &NewTransitedInfo, &OldTransitedInfo, &ClientRealm, &TransitedRealm, SecData.KdcDnsRealmName() );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
} } else { UNICODE_STRING TempServiceName;
//
// If the client didn't request name canonicalization, use the
// name supplied by the client
//
if (((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0) && ((ServiceTicketInfo->UserAccountControl & USER_USE_DES_KEY_ONLY) == 0)) { if (ServiceTicketInfo->UserId == DOMAIN_USER_RID_KRBTGT) { PKERB_INTERNAL_NAME TempServiceName = NULL;
KerbErr = KerbBuildFullServiceKdcName( SecData.KdcDnsRealmName(), SecData.KdcServiceName(), KRB_NT_SRV_INST, &TempServiceName );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertKdcNameToPrincipalName( &OutputTicket.server_name, TempServiceName );
KerbFreeKdcName(&TempServiceName);
} else //
// We no longer use the NC bit to change the server name, so just
// duplicate the non-NC case, and return the server name from
// the TGS_REQ. NC is still used for building PA DATA for referral
// however. and we should keep it for TGT renewal. TS 2001-4-03
//
{
KerbErr = KerbDuplicatePrincipalName( &OutputTicket.server_name, &RequestBody->KERB_KDC_REQUEST_BODY_server_name );
} } else {
KerbErr = KerbDuplicatePrincipalName( &OutputTicket.server_name, &RequestBody->KERB_KDC_REQUEST_BODY_server_name ); }
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
}
//
// Copy all the other strings over
//
EncryptedTicket->client_realm = SourceEncryptPart->client_realm;
//
// S4U dance... Get the client name and realm from
//
if (ARGUMENT_PRESENT(S4UClientName) && ARGUMENT_PRESENT(S4UClientRealm) && !Referral) {
DebugLog((DEB_ERROR, "Swapping real client name for S4U CLient name\n"));
KerbErr = KerbConvertKdcNameToPrincipalName( &EncryptedTicket->client_name, S4UClientName );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertUnicodeStringToRealm( &EncryptedTicket->client_realm, S4UClientRealm );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
} else { KerbErr = KerbDuplicatePrincipalName( &EncryptedTicket->client_name, &SourceEncryptPart->client_name );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
EncryptedTicket->client_realm = SourceEncryptPart->client_realm;
}
//
// If the client did not request canonicalization, return the same
// realm as it sent. Otherwise, send our DNS realm name
//
// if (((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0) ||
// ((ServiceTicketInfo->UserAccountControl & USER_USE_DES_KEY_ONLY) == 0))
//
// {
OutputTicket.realm = SecData.KdcKerbDnsRealmName();// }
// else
// {
// OutputTicket.realm = RequestBody->realm;
// }
//
// Insert transited realms, if present
//
if (NewTransitedInfo.Length != 0) { STRING TempString; KerbErr = KerbUnicodeStringToKerbString( &TempString, &NewTransitedInfo ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } EncryptedTicket->transited.transited_type = DOMAIN_X500_COMPRESS; EncryptedTicket->transited.contents.value = (PUCHAR) TempString.Buffer; EncryptedTicket->transited.contents.length = (int) TempString.Length;
} else {
EncryptedTicket->transited.transited_type = DOMAIN_X500_COMPRESS; EncryptedTicket->transited.contents.value = (PUCHAR) MIDL_user_allocate(OldTransitedString.Length); if (EncryptedTicket->transited.contents.value == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } EncryptedTicket->transited.contents.length = (int) OldTransitedString.Length; RtlCopyMemory( EncryptedTicket->transited.contents.value, OldTransitedString.Buffer, OldTransitedString.Length );
}
//
// Insert the client addresses. We only update them if the new ticket
// is forwarded of proxied and the source ticket was forwardable or proxiable
// - else we copy the old ones
//
if ((((TicketFlags & KERB_TICKET_FLAGS_forwarded) != 0) && ((SourceTicketFlags & KERB_TICKET_FLAGS_forwardable) != 0)) || (((TicketFlags & KERB_TICKET_FLAGS_proxy) != 0) && ((SourceTicketFlags & KERB_TICKET_FLAGS_proxiable) != 0))) { if ((RequestBody->bit_mask & addresses_present) != 0) { Addresses = RequestBody->addresses; } } else { if ((SourceEncryptPart->bit_mask & KERB_ENCRYPTED_TICKET_client_addresses_present) != 0) { Addresses = SourceEncryptPart->KERB_ENCRYPTED_TICKET_client_addresses; } }
if (Addresses != NULL) { EncryptedTicket->KERB_ENCRYPTED_TICKET_client_addresses = Addresses; EncryptedTicket->bit_mask |= KERB_ENCRYPTED_TICKET_client_addresses_present; }
//
// The authorization data will be added by the caller, so set it
// to NULL here.
//
EncryptedTicket->KERB_ENCRYPTED_TICKET_authorization_data = NULL;
OutputTicket.ticket_version = KERBEROS_VERSION; *NewTicket = OutputTicket;
Cleanup: if (!KERB_SUCCESS(KerbErr)) { KdcFreeInternalTicket(&OutputTicket); }
KerbFreeString(&NewTransitedInfo); KerbFreeString(&OldTransitedInfo); KerbFreeString(&ClientRealm); KerbFreeString(&TransitedRealm); return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KdcVerifyTgsLogonRestrictions
//
// Synopsis: Verifies that a client is allowed to request a TGS ticket
// by checking logon restrictions.
//
// Effects:
//
// Arguments: ClientName - Name of client to check
//
// Requires:
//
// Returns: KDC_ERR_NONE or a logon restriction error
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcCheckTgsLogonRestrictions( IN PKERB_INTERNAL_NAME ClientName, IN PUNICODE_STRING ClientRealm, OUT PKERB_EXT_ERROR pExtendedError ){ KERBERR Status; UNICODE_STRING MappedClientRealm = {0}; BOOLEAN ClientReferral; KDC_TICKET_INFO ClientInfo = {0}; SAMPR_HANDLE UserHandle = NULL; PUSER_INTERNAL6_INFORMATION UserInfo = NULL; LARGE_INTEGER LogoffTime; NTSTATUS LogonStatus = STATUS_SUCCESS;
//
// If the client is from a different realm, don't bother looking
// it up - the account won't be here.
//
if (!SecData.IsOurRealm( ClientRealm )) { return(KDC_ERR_NONE); }
//
// Normalize the client name
//
Status = KdcNormalize( ClientName, NULL, ClientRealm, KDC_NAME_CLIENT, &ClientReferral, &MappedClientRealm, &ClientInfo, pExtendedError, &UserHandle, USER_ALL_KERB_CHECK_LOGON_RESTRICTIONS, 0L, &UserInfo, NULL // no group memberships
);
if (!KERB_SUCCESS(Status)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to normalize name ", KLIN(FILENO, __LINE__))); KerbPrintKdcName(DEB_ERROR,ClientName); goto Cleanup; }
Status = KerbCheckLogonRestrictions( UserHandle, NULL, // No client address is available
&UserInfo->I1, KDC_RESTRICT_PKINIT_USED | KDC_RESTRICT_IGNORE_PW_EXPIRATION, // Don't bother checking for password expiration
&LogoffTime, &LogonStatus );
if (!KERB_SUCCESS(Status)) { DebugLog((DEB_WARN,"KLIN (%x) Logon restriction check failed: 0x%x\n", KLIN(FILENO, __LINE__),Status)); //
// This is a *very* important error to trickle back. See 23456 in bug DB
//
FILL_EXT_ERROR(pExtendedError, LogonStatus, FILENO, __LINE__); goto Cleanup; }
Cleanup:
KerbFreeString( &MappedClientRealm ); FreeTicketInfo( &ClientInfo ); SamIFree_UserInternal6Information( UserInfo );
if (UserHandle != NULL) { SamrCloseHandle(&UserHandle); }
return Status;}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildReferralInfo
//
// Synopsis: Builds the referral information to return to the client.
// We only return the realm name and no server name
//
// Effects:
//
// Arguments: ReferralRealm - realm to refer client to
// ReferralInfo - recevies encoded referral info
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcBuildReferralInfo( IN PUNICODE_STRING ReferralRealm, OUT PKERB_PA_DATA_LIST *ReferralInfo ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_PA_DATA_LIST ListElem = NULL; KERB_PA_SERV_REFERRAL ReferralData = {0};
//
// Fill in the unencoded structure.
//
KerbErr = KerbConvertUnicodeStringToRealm( &ReferralData.referred_server_realm, ReferralRealm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
ListElem = (PKERB_PA_DATA_LIST) MIDL_user_allocate(sizeof(KERB_PA_DATA_LIST)); if (ListElem == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } RtlZeroMemory(ListElem, sizeof(KERB_PA_DATA_LIST));
ListElem->value.preauth_data_type = KRB5_PADATA_REFERRAL_INFO;
KerbErr = KerbPackData( &ReferralData, KERB_PA_SERV_REFERRAL_PDU, (PULONG) &ListElem->value.preauth_data.length, &ListElem->value.preauth_data.value ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } *ReferralInfo = ListElem; ListElem = NULL;
Cleanup: if (ListElem != NULL) { if (ListElem->value.preauth_data.value != NULL) { KdcFreeEncodedData(ListElem->value.preauth_data.value); } MIDL_user_free(ListElem); } KerbFreeRealm(&ReferralData.referred_server_realm); return(KerbErr);
}
//--------------------------------------------------------------------
//
// Name: I_RenewTicket
//
// Synopsis: Renews an internal ticket.
//
// Arguments: SourceTicket - Source ticket for this request
// ServiceName - Name of service for ticket
// ClientRealm - Realm of client
// ServiceTicketInfo - Ticket info from service account
// RequestBody - Body of ticket request
// NewTicket - Receives new ticket
// CommonEType - Receives common encryption type for service ticket
// TicketKey - Receives key used to encrypt the ticket
//
// Notes: Validates the ticket, gets the service's current key,
// and builds the reply.
//
//
//--------------------------------------------------------------------
KERBERRI_RenewTicket( IN PKERB_TICKET SourceTicket, IN PKERB_INTERNAL_NAME ServiceName, IN PKDC_TICKET_INFO ServiceTicketInfo, IN PKERB_KDC_REQUEST_BODY RequestBody, IN PULONG CommonEType, OUT PKERB_TICKET NewTicket, OUT PKERB_EXT_ERROR pExtendedError ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_ENCRYPTED_TICKET SourceEncryptPart = (PKERB_ENCRYPTED_TICKET) SourceTicket->encrypted_part.cipher_text.value; PKERB_ENCRYPTED_TICKET NewEncryptPart = (PKERB_ENCRYPTED_TICKET) NewTicket->encrypted_part.cipher_text.value; PKERB_ENCRYPTION_KEY ServerKey; BOOLEAN NamesEqual = FALSE; TRACE(KDC, I_RenewTicket, DEB_FUNCTION);
D_DebugLog(( DEB_TRACE, "Trying to renew a ticket to ")); D_KerbPrintKdcName(DEB_TRACE, ServiceName );
//
// Make sure the original is renewable.
//
if ((KerbConvertFlagsToUlong(&SourceEncryptPart->flags) & KERB_TICKET_FLAGS_renewable) == 0) { D_DebugLog((DEB_WARN, "KLIN(%x) Attempt made to renew non-renewable ticket\n", KLIN(FILENO, __LINE__))); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; }
//
// Make sure the source ticket service equals the service from the ticket info
//
KerbErr = KerbCompareKdcNameToPrincipalName( &SourceTicket->server_name, ServiceName, &NamesEqual ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
if (!NamesEqual) { //
// Make sure we the renewed ticket is for the same service as the original.
//
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; }
//
// Find the common crypt system.
//
KerbErr = KerbFindCommonCryptSystem( RequestBody->encryption_type, ServiceTicketInfo->Passwords, NULL, CommonEType, &ServerKey );
if (!KERB_SUCCESS(KerbErr)) { KdcReportKeyError( &ServiceTicketInfo->AccountName, &ServiceTicketInfo->AccountName, KDCEVENT_NO_KEY_UNION_TGS, RequestBody->encryption_type, ServiceTicketInfo->Passwords );
goto Cleanup; }
//
// Build the renewal ticket
//
KerbErr = BuildTicketTGS( ServiceTicketInfo, RequestBody, SourceTicket, FALSE, // not referral
NULL, // not doing s4u
NULL, // not doing s4u
*CommonEType, NewTicket, pExtendedError ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR, "KLIN(%x) Failed to build TGS ticket for renewal: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
//
// BuildTicket puts a random session key in the ticket,
// so replace it with the one from the source ticket.
//
KerbFreeKey( &NewEncryptPart->key );
KerbErr = KerbDuplicateKey( &NewEncryptPart->key, &SourceEncryptPart->key ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Insert the auth data into the new ticket.
//
//
// BUG 455049: if the service password changes, this will cause problems
// because we don't resign the pac.
//
KerbErr = KdcInsertAuthorizationData( NewEncryptPart, pExtendedError, (RequestBody->bit_mask & enc_authorization_data_present) ? &RequestBody->enc_authorization_data : NULL, NULL, FALSE, SourceEncryptPart, FALSE, // don't add local groups
NULL, NULL, NULL );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to insert authorization data: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
Cleanup:
if (!KERB_SUCCESS(KerbErr)) { KdcFreeInternalTicket( NewTicket ); }
return(KerbErr);
}
//--------------------------------------------------------------------
//
// Name: I_Validate
//
// Synopsis: Validates a post-dated ticket so that it can be used.
// This is not implemented.
//
// Arguments: pkitSourceTicket - (in) ticket to be validated
// pkiaAuthenticator -
// pService - (in) service ticket is for
// pRealm - (in) realm service exists in
// pktrRequest - (in) holds nonce for new ticket
// pkdPAData - (in)
// pkitTicket - (out) new ticket
//
// Notes: See 3.3 of the Kerberos V5 R5.2 spec
//
//--------------------------------------------------------------------
KERBERRI_Validate( IN PKERB_TICKET SourceTicket, IN PKERB_INTERNAL_NAME ServiceName, IN PUNICODE_STRING ClientRealm, IN PKERB_KDC_REQUEST_BODY RequestBody, OUT PULONG CommonEType, OUT PKERB_TICKET NewTicket, OUT PKERB_EXT_ERROR pExtendedError ){ return(KRB_ERR_GENERIC);#ifdef notdef
TRACE(KDC, I_Validate, DEB_FUNCTION);
HRESULT hr;
D_DebugLog(( DEB_TRACE, "Trying to validate a ticket to '%ws' for '%ws'...\n", pkitSourceTicket->ServerName.accsid.pwszDisplayName, pkitSourceTicket->kitEncryptPart.Principal.accsid.pwszDisplayName )); PrintRequest( DEB_T_TICKETS, pktrRequest ); PrintTicket( DEB_T_TICKETS, "Ticket to validate:", pkitSourceTicket );
if ( (pkitSourceTicket->kitEncryptPart.fTicketFlags & (KERBFLAG_POSTDATED | KERBFLAG_INVALID)) != (KERBFLAG_POSTDATED | KERBFLAG_INVALID) ) { hr = KDC_E_BADOPTION; } else if (_wcsicmp(pkitSourceTicket->ServerName.accsid.pwszDisplayName, pasService->pwszDisplayName) != 0) { hr = KDC_E_BADOPTION; } else { TimeStamp tsNow, tsMinus, tsPlus; GetCurrentTimeStamp( &tsNow ); tsMinus = tsNow - SkewTime; tsPlus = tsNow + SkewTime; PrintTime(DEB_TRACE, "Current time: ", tsNow ); PrintTime(DEB_TRACE, "Past time: ", tsMinus ); PrintTime(DEB_TRACE, "Future time: ", tsPlus );
if (pkitSourceTicket->kitEncryptPart.tsStartTime > tsPlus ) hr = KRB_E_TKT_NYV; else if (pkitSourceTicket->kitEncryptPart.tsEndTime < tsMinus ) hr = KRB_E_TKT_EXPIRED; else {
*pkitTicket = *pkitSourceTicket; pkitTicket->kitEncryptPart.fTicketFlags &= (~KERBFLAG_INVALID); hr = S_OK; } } return(hr);#endif // notdef
}
//--------------------------------------------------------------------
//
// Name: I_GetTGSTicket
//
// Synopsis: Gets an internal ticket using a KDC ticket (TGT).
//
// Arguments: SourceTicket - TGT for the client
// ServiceName - Service to get a ticket to
// RequestBody - Body of KDC request message
// ServiceTicketInfo - Ticket info for the service of the
// source ticket
// TicketEncryptionKey - If present, then this is a
// enc_tkt_in_skey request and the PAC should be
// encrypted with this key.
// CommonEType - Receives common encrytion type
// NewTicket - Receives newly created ticket
// ReplyPaData - Contains any PA data to put in the reply
//
// Notes: See GetTGSTicket.
//
//
//--------------------------------------------------------------------
KERBERRI_GetTGSTicket( IN PKERB_TICKET SourceTicket, IN PKERB_INTERNAL_NAME ServiceName, IN PUNICODE_STRING RequestRealm, IN PKERB_KDC_REQUEST_BODY RequestBody, IN PKDC_TICKET_INFO ServiceTicketInfo, IN OPTIONAL PKERB_ENCRYPTION_KEY TicketEncryptionKey, IN OPTIONAL PKERB_INTERNAL_NAME S4UClientName, IN OPTIONAL PUNICODE_STRING S4UClientRealm, OUT PULONG CommonEType, OUT PKERB_TICKET Ticket, OUT PKERB_PA_DATA_LIST * ReplyPaData, OUT PKERB_EXT_ERROR pExtendedError ){
KERBERR KerbErr = KDC_ERR_NONE; UNICODE_STRING LocalServiceName; UNICODE_STRING ServicePrincipal; UNICODE_STRING ServiceRealm = {0}; UNICODE_STRING ClientRealm = {0}; BOOLEAN Referral = FALSE; KERB_ENCRYPTED_TICKET EncryptedTicket = {0}; PKERB_ENCRYPTED_TICKET OutputEncryptedTicket = NULL; PKERB_ENCRYPTED_TICKET SourceEncryptPart = NULL; PKERB_INTERNAL_NAME TargetPrincipal = ServiceName; KERB_TICKET NewTicket = {0}; PKERB_ENCRYPTION_KEY ServerKey; PKERB_ENCRYPTION_KEY OldServerKey; KDC_TICKET_INFO OldServiceTicketInfo = {0}; ULONG NameFlags = 0; ULONG KdcOptions = 0; BOOLEAN GetS4UPac = FALSE;
TRACE(KDC, I_GetTGSTicket, DEB_FUNCTION);
//
// Store away the encrypted ticket from the output ticket to
// assign it at the end.
//
SourceEncryptPart = (PKERB_ENCRYPTED_TICKET) SourceTicket->encrypted_part.cipher_text.value; OutputEncryptedTicket = (PKERB_ENCRYPTED_TICKET) Ticket->encrypted_part.cipher_text.value;
NewTicket.encrypted_part.cipher_text.value = (PUCHAR) &EncryptedTicket;
//
// Copy the space for flags from the real destination.
//
EncryptedTicket.flags = OutputEncryptedTicket->flags;
LocalServiceName.Buffer = NULL;
D_DebugLog(( DEB_TRACE, "Trying to build a new ticket to ")); D_KerbPrintKdcName( DEB_TRACE, ServiceName );
KdcOptions = KerbConvertFlagsToUlong( &RequestBody->kdc_options ); if (KdcOptions & (KERB_KDC_OPTIONS_unused7 | KERB_KDC_OPTIONS_reserved | KERB_KDC_OPTIONS_unused9) ) { DebugLog(( DEB_ERROR,"KLIN(%x) Bad options in TGS request: 0x%x\n", KLIN(FILENO, __LINE__), KdcOptions )); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; }
//
// Check if the client said to canonicalize the name
//
// if ((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0)
{ NameFlags |= KDC_NAME_CHECK_GC; }
//
// Verify this account is allowed to issue tickets.
//
if ((ServiceTicketInfo->UserId != DOMAIN_USER_RID_KRBTGT) && ((ServiceTicketInfo->UserAccountControl & USER_INTERDOMAIN_TRUST_ACCOUNT) == 0)) { D_DebugLog((DEB_ERROR,"Trying to make a TGS request with a ticket to %wZ\n", &ServiceTicketInfo->AccountName ));
KerbErr = KRB_AP_ERR_NOT_US; goto Cleanup; }
//
// Copy the ticket info into the old structure. It will be replaced with
// new info from Normalize.
//
OldServiceTicketInfo = *ServiceTicketInfo; RtlZeroMemory( ServiceTicketInfo, sizeof(KDC_TICKET_INFO) );
//
// If the client name is in our realm, verify client
// identity and build the PAC for the client.
//
if ( ARGUMENT_PRESENT(S4UClientRealm) && SecData.IsOurRealm(S4UClientRealm) ) { // Fester:
DebugLog((DEB_ERROR, "Doing S4U client lookup!\n")); GetS4UPac = TRUE; } //
// If we have to refer, Normalize will put the credentials of the target
// realm in ServiceTicketInfo. Otherwise, it will be NULL.
//
KerbErr = KdcNormalize( TargetPrincipal, NULL, RequestRealm, NameFlags | KDC_NAME_SERVER | KDC_NAME_FOLLOW_REFERRALS, &Referral, &ServiceRealm, ServiceTicketInfo, pExtendedError, NULL, // no user handle
0L, // no fields to fetch
0L, // no extended fields
NULL, // no user all information
NULL // no group membership
);
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN,"KLIN(%x) Failed to normalize ", KLIN(FILENO, __LINE__))); KerbPrintKdcName(DEB_WARN,ServiceName); DebugLog((DEB_WARN,"\t 0x%x\n",KerbErr)); goto Cleanup; }
if (ServiceTicketInfo != NULL) { if ((ServiceTicketInfo->UserId != DOMAIN_USER_RID_KRBTGT) && (ServiceTicketInfo->UserAccountControl & USER_ACCOUNT_DISABLED) != 0) { KerbErr = KDC_ERR_CLIENT_REVOKED; D_DebugLog((DEB_WARN,"KLIN(%x) Failed to normalize, account is disabled ", KLIN(FILENO, __LINE__))); KerbPrintKdcName(DEB_WARN,ServiceName); D_DebugLog((DEB_WARN,"\t 0x%x\n",KerbErr)); FILL_EXT_ERROR(pExtendedError, STATUS_ACCOUNT_DISABLED, FILENO, __LINE__); goto Cleanup; } }
//
// If this isn't an interdomain trust account, go ahead and issue a normal
// ticket.
//
if ((ServiceTicketInfo->UserAccountControl & USER_INTERDOMAIN_TRUST_ACCOUNT) == 0) {
//
// Find the common crypt system.
//
KerbErr = KerbFindCommonCryptSystem( RequestBody->encryption_type, ServiceTicketInfo->Passwords, NULL, CommonEType, &ServerKey );
if (!KERB_SUCCESS(KerbErr)) { KdcReportKeyError( &ServiceTicketInfo->AccountName, &ServiceTicketInfo->AccountName, KDCEVENT_NO_KEY_UNION_TGS, RequestBody->encryption_type, ServiceTicketInfo->Passwords );
goto Cleanup; }
//
// Check whether service is interactive, 'cause you can't
// get a ticket to an interactive service.
//
KerbErr = BuildTicketTGS( ServiceTicketInfo, RequestBody, SourceTicket, Referral, S4UClientName, S4UClientRealm, *CommonEType, &NewTicket, pExtendedError );
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to build TGS ticket for %wZ : 0x%x\n", KLIN(FILENO, __LINE__), &LocalServiceName, KerbErr )); goto Cleanup; } } else { //
// Need to build a referal ticket.
//
D_DebugLog(( DEB_T_KDC, "GetTGSTicket: referring to domain '%wZ'\n", &ServiceTicketInfo->AccountName ));
//
// Verify that if the trust is not transitive, the client is from
// this realm.
//
SourceEncryptPart =(PKERB_ENCRYPTED_TICKET) SourceTicket->encrypted_part.cipher_text.value; if (((ServiceTicketInfo->fTicketOpts & AUTH_REQ_TRANSITIVE_TRUST) == 0) && (ServiceTicketInfo->UserId != DOMAIN_USER_RID_KRBTGT))
{ if (!SecData.IsOurRealm(&SourceEncryptPart->client_realm)) { D_DebugLog((DEB_WARN,"Client from realm %s attempted to access non transitve trust to %wZ : illegal\n", SourceEncryptPart->client_realm, &ServiceTicketInfo->AccountName )); KerbErr = KDC_ERR_PATH_NOT_ACCEPTED; } }
//
// Verify that the trust for the client is transitive as well, if it isn't
// from this domain. This means that if the source ticket trust isn't
// transitive, then this ticket can't be used to get further
// tgt's, in any realm.
//
// e.g. the TGT from client comes from a domain w/ which we don't
// have transitive trust.
//
if (((OldServiceTicketInfo.fTicketOpts & AUTH_REQ_TRANSITIVE_TRUST) == 0) && (OldServiceTicketInfo.UserId != DOMAIN_USER_RID_KRBTGT)) { KerbErr = KDC_ERR_PATH_NOT_ACCEPTED; }
//
// This is probably not a common error, but could
// indicate a configuration problem, so log an explicit
// error. See bug 87879.
//
if (KerbErr == KDC_ERR_PATH_NOT_ACCEPTED) {
KerbErr = KerbConvertRealmToUnicodeString( &ClientRealm, &SourceEncryptPart->client_realm );
if (KERB_SUCCESS(KerbErr)) { ReportServiceEvent( EVENTLOG_ERROR_TYPE, KDCEVENT_FAILED_TRANSITIVE_TRUST, 0, // no raw data
NULL, // no raw data
2, // number of strings
ClientRealm.Buffer, ServiceTicketInfo->AccountName.Buffer ); } KerbErr = KDC_ERR_PATH_NOT_ACCEPTED; goto Cleanup; }
//
// Find the common crypt system.
//
KerbErr = KerbFindCommonCryptSystem( RequestBody->encryption_type, ServiceTicketInfo->Passwords, NULL, CommonEType, &ServerKey );
if (!KERB_SUCCESS(KerbErr)) { KdcReportKeyError( &ServiceTicketInfo->AccountName, &ServiceTicketInfo->AccountName, KDCEVENT_NO_KEY_UNION_TGS, RequestBody->encryption_type, ServiceTicketInfo->Passwords );
goto Cleanup; }
KerbErr = BuildTicketTGS( ServiceTicketInfo, RequestBody, SourceTicket, TRUE, NULL, // not doing s4u
NULL, // not doing s4u
*CommonEType, &NewTicket, pExtendedError );
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to build TGS ticket for %wZ : 0x%x\n", KLIN(FILENO, __LINE__), &ServiceTicketInfo->AccountName, KerbErr )); goto Cleanup; }
//
// If this is a referral/canonicaliztion, return the target realm
//
if (Referral && ((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0)) { D_DebugLog((DEB_TRACE,"Building referral info for realm %wZ\n", &ServiceRealm )); KerbErr = KdcBuildReferralInfo( &ServiceRealm, ReplyPaData ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } }
}
OldServerKey = KerbGetKeyFromList( OldServiceTicketInfo.Passwords, SourceTicket->encrypted_part.encryption_type );
DsysAssert(OldServerKey != NULL); if (OldServerKey == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
//
// Insert the auth data into the new ticket.
//
KerbErr = KdcInsertAuthorizationData( &EncryptedTicket, pExtendedError, (RequestBody->bit_mask & enc_authorization_data_present) ? &RequestBody->enc_authorization_data : NULL, S4UClientName, GetS4UPac, (PKERB_ENCRYPTED_TICKET) SourceTicket->encrypted_part.cipher_text.value, ((ServiceTicketInfo->UserId != DOMAIN_USER_RID_KRBTGT) && ((ServiceTicketInfo->UserAccountControl & USER_INTERDOMAIN_TRUST_ACCOUNT) == 0)), // only insert for non-referrals
&OldServiceTicketInfo, OldServerKey, ARGUMENT_PRESENT(TicketEncryptionKey) ? TicketEncryptionKey : ServerKey );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to insert authorization data: 0x%x\n", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
*Ticket = NewTicket; *OutputEncryptedTicket = EncryptedTicket; Ticket->encrypted_part.cipher_text.value = (PUCHAR) OutputEncryptedTicket;
Cleanup: //
// Now free the original service ticket info (which was for the KDC) so
// we can get it for the real service
//
FreeTicketInfo( &OldServiceTicketInfo );
if (!KERB_SUCCESS(KerbErr)) { KdcFreeInternalTicket( &NewTicket ); } KerbFreeString( &ServiceRealm );
KerbFreeString( &ClientRealm );
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbUnpackAdditionalTickets
//
// Synopsis: Unpacks the AdditionalTickets field of a KDC request
// and (a) verifies that the ticket is TGT for this realm
// and (b) the ticket is encrypted with the corret key and
// (c) the ticket is valid
//
// Effects: allocate output ticket
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes: there can only be one additional ticket
//
//
//--------------------------------------------------------------------------
KERBERRKdcUnpackAdditionalTickets( IN PKERB_TICKET_LIST TicketList, OUT PKERB_ENCRYPTED_TICKET * AdditionalTicket ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_ENCRYPTED_TICKET EncryptedTicket = NULL; UNICODE_STRING ServerNames[3]; PKERB_ENCRYPTION_KEY EncryptionKey = NULL; PKERB_TICKET Ticket; KERB_REALM LocalRealm; KDC_TICKET_INFO KrbtgtTicketInfo = {0};
//
// Verify that there is a ticket & that there is only one ticket
//
//
// TBD: Make this work w/ S4U && U2U as there will be more than 1 ticket
// at that point. Evaluate options by lowest id first...
// S4UToSelf (12)
//
if ((TicketList == NULL) || (TicketList->next != NULL)) { D_DebugLog((DEB_ERROR,"KLIN(%x) Trying to unpack null ticket or more than one ticket\n", KLIN(FILENO, __LINE__))); KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
KerbErr = SecData.GetKrbtgtTicketInfo(&KrbtgtTicketInfo); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
Ticket = &TicketList->value; //
// Verify the ticket, first with the normal password list
//
ServerNames[0] = *SecData.KdcFullServiceKdcName(); ServerNames[1] = *SecData.KdcFullServiceDnsName(); ServerNames[2] = *SecData.KdcFullServiceName();
EncryptionKey = KerbGetKeyFromList( KrbtgtTicketInfo.Passwords, Ticket->encrypted_part.encryption_type ); if (EncryptionKey == NULL) { KerbErr = KDC_ERR_ETYPE_NOTSUPP; goto Cleanup; }
//
// NOTE: we only allow additional tickets from our realm. This
// means cross-realm TGTs can't be used as additional tickets.
//
KerbErr = KerbVerifyTicket( Ticket, 3, // 3 names
ServerNames, SecData.KdcDnsRealmName(), EncryptionKey, &SkewTime, &EncryptedTicket ); //
// if it failed due to wrong password, try again with older password
//
if ((KerbErr == KRB_AP_ERR_MODIFIED) && (KrbtgtTicketInfo.OldPasswords != NULL)) { EncryptionKey = KerbGetKeyFromList( KrbtgtTicketInfo.OldPasswords, Ticket->encrypted_part.encryption_type ); if (EncryptionKey == NULL) { KerbErr = KDC_ERR_ETYPE_NOTSUPP; goto Cleanup; } KerbErr = KerbVerifyTicket( &TicketList->value, 2, // 2 names
ServerNames, SecData.KdcDnsRealmName(), EncryptionKey, &SkewTime, &EncryptedTicket );
} if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to verify additional ticket: 0x%x\n", KLIN(FILENO, __LINE__),KerbErr)); goto Cleanup; }
LocalRealm = SecData.KdcKerbDnsRealmName();
//
// Verify the realm of the ticket
//
if (!KerbCompareRealmNames( &LocalRealm, &Ticket->realm )) { D_DebugLog((DEB_ERROR,"KLIN(%x) Additional ticket realm is wrong: %s instead of %s\n", KLIN(FILENO, __LINE__), Ticket->realm, LocalRealm)); KerbErr = KDC_ERR_POLICY; goto Cleanup; }
//
// Verify the realm of the client is the same as our realm
//
if (!KerbCompareRealmNames( &LocalRealm, &EncryptedTicket->client_realm )) { D_DebugLog((DEB_ERROR,"KLIN(%x) Additional ticket client realm is wrong: %s instead of %s\n", KLIN(FILENO, __LINE__),EncryptedTicket->client_realm, LocalRealm)); KerbErr = KDC_ERR_POLICY; goto Cleanup; }
*AdditionalTicket = EncryptedTicket; EncryptedTicket = NULL;
Cleanup: if (EncryptedTicket != NULL) { KerbFreeTicket(EncryptedTicket); } FreeTicketInfo(&KrbtgtTicketInfo); return(KerbErr);
}
//--------------------------------------------------------------------
//
// Name: KdcFindS4UClientAndRealm
//
// Synopsis: Decodes PA DATA to find PA_DATA_FOR_USER entry.
//
// Effects: Get a client name and realm for processing S4U request
//
// Arguments: PAList - Preauth data list from TGS_REQ
// ServerKey - Key in authenticator, used to sign PA_DATA.
// ClientRealm - Target for client realm
// ClientName - Principal to get S4U ticket for
//
// Requires:
//
// Returns: KDC_ERR_ or KRB_AP_ERR errors only
//
// Notes: Free client name and realm w/
//
//
//--------------------------------------------------------------------------
KERBERRKdcFindS4UClientAndRealm( IN PKERB_PA_DATA_LIST PaList, IN OUT PUNICODE_STRING ClientRealm, IN OUT PKERB_INTERNAL_NAME * ClientName ){
KERBERR Kerberr = KRB_ERR_GENERIC; PKERB_PA_DATA PaData = NULL; PKERB_PA_FOR_USER S4URequest = NULL;
*ClientName = NULL; RtlInitUnicodeString( ClientRealm, NULL );
PaData = KerbFindPreAuthDataEntry( KRB5_PADATA_S4U, PaList );
if (NULL == PaData) { DebugLog((DEB_ERROR, "No S4U pa data \n")); Kerberr = KDC_ERR_BADOPTION; goto Cleanup; } Kerberr = KerbUnpackData( PaData->preauth_data.value, PaData->preauth_data.length, KERB_PA_FOR_USER_PDU, (PVOID* ) &S4URequest );
if (!KERB_SUCCESS(Kerberr)) { DebugLog((DEB_ERROR, "Failed to unpack PA_FOR_USER\n")); goto Cleanup; }
Kerberr = KerbConvertRealmToUnicodeString( ClientRealm, &S4URequest->client_realm );
if (!KERB_SUCCESS(Kerberr)) { goto Cleanup; }
Kerberr = KerbConvertPrincipalNameToKdcName( ClientName, &S4URequest->client_name );
if (!KERB_SUCCESS(Kerberr)) { goto Cleanup; }
Cleanup:
if (S4URequest != NULL) { KerbFreeData( KERB_PA_FOR_USER_PDU, S4URequest );
}
return Kerberr;
}
//--------------------------------------------------------------------
//
// Name: HandleTGSRequest
//
// Synopsis: Gets a ticket using a KDC ticket (TGT).
//
// Effects: Allocates and encrypts a KDC reply
//
// Arguments: ClientAddress - Optionally contains client IP address
// RequestMessage - contains the TGS request message
// RequestRealm - The realm of the request, from the request
// message
// OutputMessage - Contains the buffer to send back to the client
// Requires:
//
// Returns: KDC_ERR_ or KRB_AP_ERR errors only
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRHandleTGSRequest( IN OPTIONAL SOCKADDR * ClientAddress, IN PKERB_TGS_REQUEST RequestMessage, IN PUNICODE_STRING RequestRealm, OUT PKERB_MESSAGE_BUFFER OutputMessage, OUT PKERB_EXT_ERROR pExtendedError ){ KERBERR KerbErr = KDC_ERR_NONE;
KDC_TICKET_INFO ServerTicketInfo = {0}; KDC_TICKET_INFO TgtTicketInfo = {0};
KERB_TICKET SourceTicket = {0}; KERB_TICKET NewTicket = {0}; KERB_ENCRYPTED_TICKET EncryptedTicket = {0}; PKERB_ENCRYPTED_TICKET SourceEncryptPart = NULL; PKERB_ENCRYPTED_TICKET AdditionalTicket = NULL;
PKERB_KDC_REQUEST_BODY RequestBody = &RequestMessage->request_body; KERB_TGS_REPLY Reply = {0}; KERB_ENCRYPTED_KDC_REPLY ReplyBody = {0}; PKERB_AP_REQUEST UnmarshalledApRequest = NULL; PKERB_AUTHENTICATOR UnmarshalledAuthenticator = NULL; PKERB_PA_DATA ApRequest = NULL; PKERB_PA_DATA_LIST ReplyPaData = NULL; KERB_ENCRYPTION_KEY ReplyKey = {0}; PKERB_ENCRYPTION_KEY ServerKey;
PKERB_INTERNAL_NAME ServerName = NULL; PKERB_INTERNAL_NAME ClientName = NULL; PKERB_INTERNAL_NAME S4UClientName = NULL; UNICODE_STRING ClientRealm = {0}; UNICODE_STRING ClientStringName = {0}; UNICODE_STRING ServerStringName = {0}; UNICODE_STRING S4UClientRealm = {0}; PUNICODE_STRING S4URealm = NULL;
ULONG CommonEType; ULONG KdcOptions = 0; ULONG TicketFlags = 0; ULONG ReplyTicketFlags = 0;
BOOLEAN Validating = FALSE; BOOLEAN UseSubKey = FALSE; BOOLEAN Renew = FALSE; BOOLEAN CheckAdditionalTicketMatch = FALSE;
KDC_TGS_EVENT_INFO TGSEventTraceInfo = {0};
TRACE(KDC, HandleTGSRequest, DEB_FUNCTION);
//
// Initialize [out] structures, so if we terminate early, they can
// be correctly marshalled by the stub
//
NewTicket.encrypted_part.cipher_text.value = (PUCHAR) &EncryptedTicket;
EncryptedTicket.flags.value = (PUCHAR) &TicketFlags; EncryptedTicket.flags.length = sizeof(ULONG) * 8; ReplyBody.flags.value = (PUCHAR) &ReplyTicketFlags; ReplyBody.flags.length = sizeof(ULONG) * 8;
KdcOptions = KerbConvertFlagsToUlong( &RequestBody->kdc_options );
//
// Start event tracing
//
if (KdcEventTraceFlag){
TGSEventTraceInfo.EventTrace.Guid = KdcHandleTGSRequestGuid; TGSEventTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START; TGSEventTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID; TGSEventTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER) + sizeof (ULONG); TGSEventTraceInfo.KdcOptions = KdcOptions;
TraceEvent( KdcTraceLoggerHandle, (PEVENT_TRACE_HEADER)&TGSEventTraceInfo ); }
//
// Check for additional tickets
//
if ((RequestBody->bit_mask & additional_tickets_present) != 0) { //
// The ticket must be unpacked with the krbtgt key
//
KerbErr = KdcUnpackAdditionalTickets( RequestBody->additional_tickets, &AdditionalTicket ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to unpack additional tickets: 0x%x\n", KLIN(FILENO, __LINE__),KerbErr)); goto Cleanup; } }
//
// Make sure that if there is a ticket, then enc_tkt_in_skey is set and
// if not, then it isn't set
//
//
// TBD: S4UToProxy (E) Ok to have additional ticket if
// CNAME-IN-ADDL-TKT set.
//
if ((((KdcOptions & KERB_KDC_OPTIONS_enc_tkt_in_skey) != 0) ^ (AdditionalTicket != NULL))) {
// tbd: more logic for determining if multiple addl tickets are "bad option"
D_DebugLog((DEB_ERROR,"KLIN(%x) Client didn't match enc_tkt_in_skey with additional tickts : %d vs %d\n", KLIN(FILENO, __LINE__),((KdcOptions & KERB_KDC_OPTIONS_enc_tkt_in_skey) != 0), (AdditionalTicket != NULL))); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; }
//
// Pass data to next level, w/ flag
//
// TBD: S4UToProxy (D)
// Forwardable flag must be set in the service ticket
// Check our options, that the additional ticket has bit set.
// This additional service ticket must have the fwdable flag set,
// and must validate correctly.
//
// We'll need to crack the server key, and the ticket, as validation of
// identity.
//
//
// The server name is optional.
//
if ((RequestBody->bit_mask & KERB_KDC_REQUEST_BODY_server_name_present) != 0) { KerbErr = KerbConvertPrincipalNameToKdcName( &ServerName, &RequestBody->KERB_KDC_REQUEST_BODY_server_name );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Verify the at the server name is the same as the client name
// from the addional ticket by getting the ticket info for supplied
// TGT for the server. Later on we will compare it against the real
// ticket info.
//
if (AdditionalTicket != NULL) { PKERB_INTERNAL_NAME TgtClientName = NULL; UNICODE_STRING TgtRealmName = {0}; UNICODE_STRING CrackedRealm = {0}; BOOLEAN Referral = FALSE;
KerbErr = KerbConvertPrincipalNameToKdcName( &TgtClientName, &AdditionalTicket->client_name ); if (KERB_SUCCESS(KerbErr)) {
KerbErr = KerbConvertRealmToUnicodeString( &TgtRealmName, &AdditionalTicket->client_realm ); if (KERB_SUCCESS(KerbErr)) {
// TBD: make sure normalize takes into account
// deleg restrictions, but not here, for god' sake.
// .
KerbErr = KdcNormalize( TgtClientName, &TgtRealmName, &TgtRealmName, KDC_NAME_CLIENT | KDC_NAME_INBOUND, &Referral, &CrackedRealm, &TgtTicketInfo, pExtendedError, NULL, // no user handle
0L, // no fields to fetch
0L, // no extended fields
NULL, // no user all
NULL // no group membership
); if (KERB_SUCCESS(KerbErr)) { KerbFreeString(&CrackedRealm); if (Referral) { KerbErr = KRB_AP_ERR_BADMATCH; } else { CheckAdditionalTicketMatch = FALSE; } }
KerbFreeString(&TgtRealmName); } KerbFreeKdcName(&TgtClientName); } if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to normalize client name from supplied ticket\n", KLIN(FILENO, __LINE__))); goto Cleanup; } } } else { //
// There must be an additional ticket.
//
if (AdditionalTicket == NULL) { KerbErr = KDC_ERR_S_PRINCIPAL_UNKNOWN; goto Cleanup; } KerbErr = KerbConvertPrincipalNameToKdcName( &ServerName, &AdditionalTicket->client_name );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
}
//
// Convert the server name to a string for auditing.
//
KerbErr = KerbConvertKdcNameToString( &ServerStringName, ServerName, NULL ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
D_DebugLog((DEB_TRACE, "GetTGSTicket called. Service=" )); D_KerbPrintKdcName(DEB_TRACE, ServerName );
//
// The TGS and authenticator are in an AP request in the pre-auth data.
// Find it and decode the AP request now.
//
if ((RequestMessage->bit_mask & KERB_KDC_REQUEST_preauth_data_present) == 0) { D_DebugLog((DEB_ERROR, "KLIN(%x) No pre-auth data in TGS request - not allowed.\n", KLIN(FILENO, __LINE__))); KerbErr = KDC_ERR_PADATA_TYPE_NOSUPP; goto Cleanup; }
//
// Get the TGT from the PA data.
//
ApRequest = KerbFindPreAuthDataEntry( KRB5_PADATA_TGS_REQ, RequestMessage->KERB_KDC_REQUEST_preauth_data ); if (ApRequest == NULL) { D_DebugLog((DEB_ERROR,"KLIN(%x) No pre-auth data in TGS request - not allowed.\n", KLIN(FILENO, __LINE__))); FILL_EXT_ERROR(pExtendedError, STATUS_NO_PA_DATA, FILENO, __LINE__); KerbErr = KDC_ERR_PADATA_TYPE_NOSUPP; goto Cleanup; }
//
// Verify the request. This includes decoding the AP request,
// finding the appropriate key to decrypt the ticket, and checking
// the ticket.
//
KerbErr = KdcVerifyKdcRequest( ApRequest->preauth_data.value, ApRequest->preauth_data.length, ClientAddress, TRUE, // this is a kdc request
&UnmarshalledApRequest, &UnmarshalledAuthenticator, &SourceEncryptPart, &ReplyKey, NULL, // no ticket key
&ServerTicketInfo, &UseSubKey, pExtendedError ); //
// If you want to validate a ticket, then it's OK if it isn't
// currently valid.
//
if (KerbErr == KRB_AP_ERR_TKT_NYV && (KdcOptions & KERB_KDC_OPTIONS_validate)) { D_DebugLog((DEB_TRACE,"Validating a not-yet-valid ticket\n")); KerbErr = KDC_ERR_NONE; } else if (KerbErr == KRB_AP_ERR_MODIFIED) { //
// Bug 276943: When the authenticator is encrypted with something other
// than the session key, KRB_AP_ERR_BAD_INTEGRITY must be
// returned per RFC 1510
//
D_DebugLog((DEB_TRACE,"Could not decrypt the ticket\n")); KerbErr = KRB_AP_ERR_BAD_INTEGRITY; }
//
// Verify the checksum on the ticket, if present
//
if ( KERB_SUCCESS(KerbErr) && (UnmarshalledAuthenticator != NULL) && (UnmarshalledAuthenticator->bit_mask & checksum_present) != 0) { KerbErr = KdcVerifyTgsChecksum( &RequestMessage->request_body, &ReplyKey, &UnmarshalledAuthenticator->checksum );
}
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Failed to verify TGS request: 0x%x\n", KLIN(FILENO, __LINE__),KerbErr)); FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__); goto Cleanup; }
//
// Now that we've validated the request,
// Check to see if the cname in padata bit is set, and
// we have the KDC option set.
//
if ((KdcOptions & KERB_KDC_OPTIONS_cname_in_pa_data) != 0) { KerbErr = KdcFindS4UClientAndRealm( RequestMessage->KERB_KDC_REQUEST_preauth_data, &S4UClientRealm, &S4UClientName );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR, "KdcFindS4UClientAndRealm failed\n")); FILL_EXT_ERROR(pExtendedError, STATUS_NO_PA_DATA, FILENO, __LINE__); goto Cleanup; } S4URealm = &S4UClientRealm; } KerbErr = KerbConvertPrincipalNameToKdcName( &ClientName, &SourceEncryptPart->client_name );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertKdcNameToString( &ClientStringName, ClientName, NULL ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// And the realm
//
KerbErr = KerbConvertRealmToUnicodeString( &ClientRealm, &SourceEncryptPart->client_realm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// If the client is in this domain and if we are supposed to
// verify the client's account is still good,
// do it now.
//
if ((SecData.KdcFlags() & AUTH_REQ_VALIDATE_CLIENT) != 0) { LARGE_INTEGER AuthTime; LARGE_INTEGER CurrentTime;
NtQuerySystemTime(&CurrentTime); KerbConvertGeneralizedTimeToLargeInt( &AuthTime, &SourceEncryptPart->authtime, 0 );
//
// Only check if we haven't checked recently
//
if ((CurrentTime.QuadPart > AuthTime.QuadPart) && ((CurrentTime.QuadPart - AuthTime.QuadPart) > SecData.KdcRestrictionLifetime().QuadPart)) {
KerbErr = KdcCheckTgsLogonRestrictions( ClientName, &ClientRealm, pExtendedError ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_WARN, "KLIN(%x) Client failed TGS logon restrictions: 0x%x : ", KLIN(FILENO, __LINE__),KerbErr)); KerbPrintKdcName(DEB_WARN, ClientName); goto Cleanup; } }
}
//
// Build a ticket struture to pass to the worker functions
//
SourceTicket = UnmarshalledApRequest->ticket; SourceTicket.encrypted_part.cipher_text.value = (PUCHAR) SourceEncryptPart;
//
// Build the new ticket
//
D_DebugLog((DEB_TRACE, "Handle TGS request: Client = %wZ,\n ",&ClientRealm)); D_KerbPrintKdcName(DEB_TRACE, ClientName); D_DebugLog((DEB_TRACE, "\t ServerName = \n")); D_KerbPrintKdcName(DEB_TRACE, ServerName);
//
// Pass off the work to the worker routines
//
if (KdcOptions & KERB_KDC_OPTIONS_renew) { D_DebugLog((DEB_T_KDC,"Renewing ticket ticket\n"));
Renew = TRUE; KerbErr = I_RenewTicket( &SourceTicket, ServerName, &ServerTicketInfo, RequestBody, &CommonEType, &NewTicket, pExtendedError ); } else if (KdcOptions & KERB_KDC_OPTIONS_validate) { D_DebugLog((DEB_T_KDC,"Validating ticket\n"));
KerbErr = I_Validate( &SourceTicket, ServerName, &ClientRealm, RequestBody, &CommonEType, &NewTicket, pExtendedError );
Validating = TRUE;
} else { D_DebugLog((DEB_T_KDC,"Getting TGS ticket\n"));
KerbErr = I_GetTGSTicket( &SourceTicket, ServerName, RequestRealm, RequestBody, &ServerTicketInfo, AdditionalTicket != NULL ? &AdditionalTicket->key : NULL, S4UClientName, S4URealm, &CommonEType, &NewTicket, &ReplyPaData, pExtendedError ); }
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN,"KLIN(%x) TGS ticket worker failed: 0x%x\n", KLIN(FILENO, __LINE__),KerbErr)); goto Cleanup; }
DsysAssert(ServerTicketInfo.Passwords != NULL);
//
// Check to see if the additional ticket supplied is the one for this
// server, if necessary
//
if (CheckAdditionalTicketMatch ) { if (ServerTicketInfo.UserId != TgtTicketInfo.UserId) { D_DebugLog((DEB_ERROR,"KLIN(%x) Supplied ticket is not for server: %wZ vs. %wZ\n", KLIN(FILENO, __LINE__),&TgtTicketInfo.AccountName, &ServerTicketInfo.AccountName )); KerbErr = KRB_AP_ERR_BADMATCH; goto Cleanup; } }
//
// Determine the keys to encrypt the ticket with. (The key to encrypt the
// reply with was determined by CheckTicket.)
if ((KdcOptions & KERB_KDC_OPTIONS_enc_tkt_in_skey) && (AdditionalTicket != NULL)) { //
// Use the session key from the tgt
//
ServerKey = &AdditionalTicket->key; } else { ServerKey = KerbGetKeyFromList( ServerTicketInfo.Passwords, CommonEType ); DsysAssert(ServerKey != NULL); if (ServerKey == NULL) { D_DebugLog((DEB_ERROR, "KLIN(%x) BADERROR: cannot find server key while validating\n", KLIN(FILENO, __LINE__))); KerbErr = KDC_ERR_ETYPE_NOTSUPP; goto Cleanup; } }
KerbErr = BuildReply( NULL, RequestBody->nonce, &NewTicket.server_name, NewTicket.realm, ((EncryptedTicket.bit_mask & KERB_ENCRYPTED_TICKET_client_addresses_present) != 0) ? EncryptedTicket.KERB_ENCRYPTED_TICKET_client_addresses : NULL, &NewTicket, &ReplyBody );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Put in any PA data for the reply
//
if (ReplyPaData != NULL) { ReplyBody.encrypted_pa_data = (struct KERB_ENCRYPTED_KDC_REPLY_encrypted_pa_data_s *) ReplyPaData; ReplyBody.bit_mask |= encrypted_pa_data_present; }
//
// Now build the real reply and return it.
//
Reply.version = KERBEROS_VERSION; Reply.message_type = KRB_TGS_REP; Reply.KERB_KDC_REPLY_preauth_data = NULL; Reply.bit_mask = 0;
Reply.client_realm = SourceEncryptPart->client_realm; Reply.client_name = SourceEncryptPart->client_name;
//
// Copy in the ticket
//
KerbErr = KerbPackTicket( &NewTicket, ServerKey, CommonEType, &Reply.ticket );
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to pack ticket: 0x%x\n", KLIN(FILENO, __LINE__),KerbErr)); goto Cleanup; }
//
// Copy in the encrypted part
//
KerbErr = KerbPackKdcReplyBody( &ReplyBody, &ReplyKey, ReplyKey.keytype, KERB_ENCRYPTED_TGS_REPLY_PDU, &Reply.encrypted_part ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"KLIN(%x)Failed to pack KDC reply body: 0x%x\n", KLIN(FILENO, __LINE__),KerbErr)); goto Cleanup; }
//
// Now build the real reply message
//
KerbErr = KerbPackData( &Reply, KERB_TGS_REPLY_PDU, &OutputMessage->BufferSize, &OutputMessage->Buffer );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Audit the successful ticket generation
//
if (SecData.AuditKdcEvent(KDC_AUDIT_TGS_SUCCESS)) { BYTE ServerSid[MAX_SID_LEN]; GUID LogonGuid; NTSTATUS Status = STATUS_SUCCESS; PKERB_TIME pStartTime;
pStartTime = &(((PKERB_ENCRYPTED_TICKET) NewTicket.encrypted_part.cipher_text.value)->KERB_ENCRYPTED_TICKET_starttime); Status = LsaIGetLogonGuid( &ClientStringName, &ClientRealm, (PBYTE) pStartTime, sizeof(KERB_TIME), &LogonGuid ); ASSERT(NT_SUCCESS( Status )); KdcMakeAccountSid(ServerSid, ServerTicketInfo.UserId); KdcLsaIAuditKdcEvent( Renew ? SE_AUDITID_TICKET_RENEW_SUCCESS : SE_AUDITID_TGS_TICKET_REQUEST, &ClientStringName, &ClientRealm, NULL, // no client SID
&ServerTicketInfo.AccountName, ServerSid, (PULONG) &KdcOptions, NULL, // success
&CommonEType, NULL, // no preauth type
GET_CLIENT_ADDRESS(ClientAddress), &LogonGuid ); }
Cleanup:
//
// Complete the event
//
if (KdcEventTraceFlag){
//These variables point to either a unicode string struct containing
//the corresponding string or a pointer to KdcNullString
PUNICODE_STRING pStringToCopy; WCHAR UnicodeNullChar = 0; UNICODE_STRING UnicodeEmptyString = {sizeof(WCHAR),sizeof(WCHAR),&UnicodeNullChar};
TGSEventTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END; TGSEventTraceInfo.EventTrace.Flags = WNODE_FLAG_USE_MOF_PTR | WNODE_FLAG_TRACED_GUID;
// Always output error code. KdcOptions was captured on the start event
TGSEventTraceInfo.eventInfo[0].DataPtr = (ULONGLONG) &KerbErr; TGSEventTraceInfo.eventInfo[0].Length = sizeof(ULONG); TGSEventTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER) + sizeof(MOF_FIELD);
// Build counted MOF strings from the unicode strings.
// If data is unavailable then output a NULL string
if (ClientStringName.Buffer != NULL && ClientStringName.Length > 0) { pStringToCopy = &ClientStringName; } else { pStringToCopy = &UnicodeEmptyString; }
TGSEventTraceInfo.eventInfo[1].DataPtr = (ULONGLONG) &pStringToCopy->Length; TGSEventTraceInfo.eventInfo[1].Length = sizeof(pStringToCopy->Length); TGSEventTraceInfo.eventInfo[2].DataPtr = (ULONGLONG) pStringToCopy->Buffer; TGSEventTraceInfo.eventInfo[2].Length = pStringToCopy->Length; TGSEventTraceInfo.EventTrace.Size += sizeof(MOF_FIELD)*2;
if (ServerStringName.Buffer != NULL && ServerStringName.Length > 0) { pStringToCopy = &ServerStringName;
} else { pStringToCopy = &UnicodeEmptyString; }
TGSEventTraceInfo.eventInfo[3].DataPtr = (ULONGLONG) &pStringToCopy->Length; TGSEventTraceInfo.eventInfo[3].Length = sizeof(pStringToCopy->Length); TGSEventTraceInfo.eventInfo[4].DataPtr = (ULONGLONG) pStringToCopy->Buffer; TGSEventTraceInfo.eventInfo[4].Length = pStringToCopy->Length; TGSEventTraceInfo.EventTrace.Size += sizeof(MOF_FIELD)*2;
if (ClientRealm.Buffer != NULL && ClientRealm.Length > 0) { pStringToCopy = &ClientRealm; } else { pStringToCopy = &UnicodeEmptyString; }
TGSEventTraceInfo.eventInfo[5].DataPtr = (ULONGLONG) &pStringToCopy->Length; TGSEventTraceInfo.eventInfo[5].Length = sizeof(pStringToCopy->Length); TGSEventTraceInfo.eventInfo[6].DataPtr = (ULONGLONG) pStringToCopy->Buffer; TGSEventTraceInfo.eventInfo[6].Length = pStringToCopy->Length; TGSEventTraceInfo.EventTrace.Size += sizeof(MOF_FIELD)*2;
TraceEvent( KdcTraceLoggerHandle, (PEVENT_TRACE_HEADER)&TGSEventTraceInfo ); }
//
// Audit *most* failures (see bug 37126)
//
if (!KERB_SUCCESS(KerbErr) && SecData.AuditKdcEvent(KDC_AUDIT_TGS_FAILURE)) { // it is not uncommon to hit this error when
// clients attempt to get a ticket outside of their
// realm...
if (KerbErr != KDC_ERR_S_PRINCIPAL_UNKNOWN && SecData.IsOurRealm(RequestRealm)) { KdcLsaIAuditKdcEvent( SE_AUDITID_TGS_TICKET_REQUEST, (ClientStringName.Buffer != NULL) ? &ClientStringName : &KdcNullString, &ClientRealm, // no domain name
NULL, &ServerStringName, NULL, &KdcOptions, (PULONG) &KerbErr, NULL, // no etype
NULL, // no preauth type
GET_CLIENT_ADDRESS(ClientAddress), NULL // no logon guid
); }
}
KerbFreeKdcName( &ClientName ); KerbFreeString( &ClientRealm );
KerbFreeKdcName( &S4UClientName );
KerbFreeString( &S4UClientRealm );
KerbFreeKdcName( &ServerName ); KerbFreeKey( &ReplyKey );
KdcFreeKdcReplyBody( &ReplyBody ); KerbFreeString( &ClientStringName ); KerbFreeString( &ServerStringName );
//
// If we are validating the ticket key is in the serverticketinfo
//
if (AdditionalTicket != NULL) { KerbFreeTicket(AdditionalTicket); }
if (ReplyPaData != NULL) { KerbFreePreAuthData(ReplyPaData); }
KerbFreeApRequest(UnmarshalledApRequest); KerbFreeAuthenticator(UnmarshalledAuthenticator); KerbFreeTicket(SourceEncryptPart);
KdcFreeInternalTicket(&NewTicket); FreeTicketInfo(&ServerTicketInfo); FreeTicketInfo(&TgtTicketInfo);
KdcFreeKdcReply( &Reply );
return(KerbErr);}
|
