Steve Syfuhs
Yeah, good feature. In theory this could be built out by an application directly by filling in the `DelegationInfo` object during AP-REQ creation, but that's certainly a pain.
I'm just eyeballing this so I haven’t looked at the Windows side, but I believe you’re missing the MD5 hash and/or MIC to bind the data to the session. https://www.rfc-editor.org/rfc/rfc6542.html#section-3.1...
The response is always an AP-REP, which is exposed through `KerberosIdentity.ApRep`. It's base64 and can be decoded into bytes. Or if you want it directly `identity.KrbApReq.CreateResponseMessage() [.EncodeApplication()];`. If this is...
What does error 82 mean? What client is making the request?
The encrypted part contains a structure:

```asn1
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
    ctime      [0] KerberosTime,
    cusec      [1] Microseconds,
    subkey     [2] EncryptionKey OPTIONAL,
    seq-number [3] UInt32 OPTIONAL
}
```

I'd...
Grab these scripts: https://aka.ms/authscripts

1. Extract, elevate PowerShell prompt
2. start-auth.ps1
3. klist.exe purge
4.
5. stop-auth.ps1

You will get an "authlogs" folder. Find the kerberos.etl, zip it, and send...
I should have clarified: please run this on the client to see it receiving the response from Kerberos.NET so I can see why the Windows Kerberos code doesn't like it....
It's failing to decrypt the AP-REP. That generally means it picked the wrong key, which is surprising. Instead of using `identity.ApRep`, can you try something like this: ```csharp var aprep...
You're passing a WRAP message to the library through the AP-REQ decoder. That just won't work structurally. Additionally, this library doesn't support the WRAP functionality because it's...complicated.
> @SteveSyfuhs any ideas?

Thanks, I hate it. :) App isolation provides a great guarantee that other things can't capture the password, but you have to be careful with the...