VaultSharp
GetServicePrincipalNegotiationTokenAsync utility duplicates domain name ( user@domain@domain)
Describe the bug
Using KerberosAuthMethodHelper.GetServicePrincipalNegotiationTokenAsync duplicates the domain name.
VaultSharp Version
1.17.5.1
Vault Version
Vault v1.18.0 (77f26ba561a4b6b1ccd5071b8624cefef7a72e84), built 2024-10-08T09:12:52Z
Does this work with Vault CLI? Yes
Sample Code Snippet
Output from Vault CLI:
PS C:\Programs\vault> .\vault login -method=kerberos username=ion.mincu service=HTTP/im-ws2019-01 realm=DESKOVER.LOCAL keytab_path=ion.mincu.keytab krb5conf_path=krb5.conf disable_fast_negotiation=true
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIE289Dkbm3LysjR8NKVPP-BKKUt94wKzaQqBDesF-pVsGh4KHGh2cy5XbzBMR3NTVGhOaUtDblJOT3BJRlQ3WG4
token_accessor IKnwddD0Acz6JrLteuCdM9Un
token_duration 768h
token_renewable false
token_policies ["default"]
identity_policies []
policies ["default"]
token_meta_domain DESKOVER.LOCAL
token_meta_user ion.mincu
PS C:\Programs\vault> .\vault -v
Vault v1.18.0 (77f26ba561a4b6b1ccd5071b8624cefef7a72e84), built 2024-10-08T09:12:52Z
Using the exact same keytab:

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
// plus the VaultSharp namespace that exposes KerberosAuthMethodHelper

// _keyTabPath and _krb5conf point at the same keytab and krb5.conf used with the CLI above;
// factory is defined elsewhere in the calling code.
public async static Task PostRequest()
{
    // Same user, SPN, realm and keytab as the CLI login above
    var token = await KerberosAuthMethodHelper.GetServicePrincipalNegotiationTokenAsync(
        "ion.mincu", "HTTP/im-ws2019-01", "DESKOVER.LOCAL", _keyTabPath, _krb5conf, true, factory);

    var handler = new HttpClientHandler()
    {
        // Proxy = new WebProxy { BypassProxyOnLocal = true },
        PreAuthenticate = true,
        UseDefaultCredentials = true,
        AllowAutoRedirect = true,
        // Credentials = CredentialCache.DefaultNetworkCredentials
    };

    using (var client = new HttpClient(handler))
    {
        client.BaseAddress = new Uri("http://im-ws2019-01.deskover.local:8200/");
        // Send the negotiation token returned by the helper to the Kerberos login endpoint
        client.DefaultRequestHeaders.Add("Authorization", token);
        var content = new StringContent("null");
        var response = await client.PostAsync("v1/auth/kerberos/login", content);

        // If the request is successful, read the response body as string
        if (response.IsSuccessStatusCode)
        {
            var responseBody = await response.Content.ReadAsStringAsync();
            Console.WriteLine(responseBody);
        }
        else
        {
            Console.WriteLine($"Error when posting manually: {response.StatusCode}");
        }
    }
}
```
Exception Details/Stack Trace/Error Message
Any additional info
Vault logs when logging in with CLI:
10:34:11.688+0200 [INFO] auth.kerberos.auth_kerberos_6e6adb1a: 127.0.0.1:8080 [email protected] - SPNEGO authentication succeeded
10:34:11.689+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: identity: &{username:ion.mincu displayName:Ion Mincu realm:DESKOVER.LOCAL cname:{NameType:1 NameString:[ion.mincu]} keytab:0xc003304f80 password: attributes:map[gokrb5AttributeKeyADCredentials:{EffectiveName:ion.mincu FullName:Ion Mincu UserID:35254 PrimaryGroupID:513 LogOnTime:{wall:93939700 ext:63865960455 loc:<nil>} LogOffTime:{wall:709551516 ext:68937867273 loc:<nil>} PasswordLastSet:{wall:668273300 ext:63865351735 loc:<nil>} GroupMembershipSIDs:[S-1-5-21-1667818259-1789684151-1906802761-35255 S-1-5-21-1667818259-1789684151-1906802761-513 S-1-18-1] LogonDomainName:DESKOVER LogonDomainID:S-1-5-21-1667818259-1789684151-1906802761 LogonServer:ROINFRAWDDC01}] validUntil:{wall:0 ext:63865996455 loc:<nil>} authenticated:true human:true authTime:{wall:688330400 ext:63865960451 loc:<nil>} groupMembership:map[S-1-18-1:true S-1-5-21-1667818259-1789684151-1906802761-35255:true S-1-5-21-1667818259-1789684151-1906802761-513:true] sessionID:0643c91b-28a6-76d2-a078-6d193370ac40}
10:34:11.699+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: compiling search filter: search_filter="({{.UserAttr}}={{.Username}})"
10:34:11.699+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: discovering user: userdn="OU=deskover,DC=deskover,DC=local" filter="([email protected])"
10:34:11.700+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: auth/ldap: User BindDN fetched: username=ion.mincu binddn="CN=Ion Mincu,OU=Engineering,OU=deskover,DC=deskover,DC=local"
10:34:11.704+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: searching upn: userdn="OU=deskover,DC=deskover,DC=local" filter="([email protected])"
10:34:11.706+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: compiling group filter: group_filter="(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
10:34:11.706+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: searching: groupdn="DC=DESKOVER,DC=LOCAL" rendered_query="(|(memberUid=ion.mincu)(member=CN=Ion Mincu,OU=Engineering,OU=deskover,DC=deskover,DC=local)(uniqueMember=CN=Ion Mincu,OU=Engineering,OU=deskover,DC=deskover,DC=local))"
10:34:12.071+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: auth/ldap: Groups fetched from server: num_server_groups=1 server_groups=["Engineering_Local_Admins"]
10:34:12.071+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: unable to find Engineering_Local_Admins, does not currently exist
Vault logs when logging in with C# code; notice the principal is [email protected]@DESKOVER.LOCAL:
10:29:38.623 [INFO] auth.kerberos.auth_kerberos_6e6adb1a: 10.10.16.150:8080 [email protected]@DESKOVER.LOCAL - SPNEGO authentication succeeded
10:29:38.624 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: identity: &{username:[email protected] displayName:[email protected] realm:DESKOVER.LOCAL cname:{NameType:10 NameString:[[email protected]]} keytab:0xc0049ff1c0 password: attributes:map[] validUntil:{wall:0 ext:63865996177 loc:<nil>} authenticated:true human:true authTime:{wall:623712200 ext:63865960178 loc:<nil>} groupMembership:map[] sessionID:e6bad2f4-a60f-2f0d-c4e6-673c5c21013b}
10:29:38.632 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: compiling search filter: search_filter="({{.UserAttr}}={{.Username}})"
10:29:38.632 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: discovering user: userdn="OU=deskover,DC=deskover,DC=local" filter="([email protected]@DESKOVER.LOCAL)"
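An added example, not VaultSharp's code: one way to build the principal name so the realm is never appended a second time, plus a check that flags the `user@REALM@REALM` form in Vault log lines like the ones above. `BuildPrincipal` and `HasDuplicatedRealm` are hypothetical names, and the log lines inside are constructed from the CLI and C# runs in this issue.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not VaultSharp code: build a principal name without repeating
// the realm, and flag the "user@REALM@REALM" form seen in the Vault logs above.
public static class PrincipalNameCheck
{
    // Returns "user@REALM". A user that already carries "@realm" is not given
    // the realm a second time; a mismatching realm is rejected rather than merged.
    public static string BuildPrincipal(string user, string realm)
    {
        if (string.IsNullOrWhiteSpace(user)) throw new ArgumentException("user is required", nameof(user));
        if (string.IsNullOrWhiteSpace(realm)) throw new ArgumentException("realm is required", nameof(realm));

        int at = user.IndexOf('@');
        if (at < 0)
            return $"{user}@{realm.ToUpperInvariant()}";

        string bare = user.Substring(0, at);
        // Take only the first realm component, so "a@R@R" collapses to "a@R".
        string existingRealm = user.Substring(at + 1).Split('@')[0];
        if (!existingRealm.Equals(realm, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"user realm '{existingRealm}' does not match '{realm}'", nameof(user));
        return $"{bare}@{realm.ToUpperInvariant()}";
    }

    // Matches "name@realm@realm" (same realm twice, case-insensitive) anywhere in a line.
    private static readonly Regex DuplicatedRealm =
        new Regex(@"\b([^\s@]+)@([^\s@]+)@\2\b", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool HasDuplicatedRealm(string logLine) => DuplicatedRealm.IsMatch(logLine);

    public static void Main()
    {
        Console.WriteLine(BuildPrincipal("ion.mincu", "DESKOVER.LOCAL"));
        Console.WriteLine(BuildPrincipal("ion.mincu@DESKOVER.LOCAL", "DESKOVER.LOCAL"));
        Console.WriteLine(BuildPrincipal("ion.mincu@DESKOVER.LOCAL@DESKOVER.LOCAL", "DESKOVER.LOCAL"));

        // Constructed log lines modelled on the CLI and C# runs in this issue.
        string cliLine = "10:34:11.688+0200 [INFO] auth.kerberos: 127.0.0.1:8080 ion.mincu@DESKOVER.LOCAL - SPNEGO authentication succeeded";
        string csLine = "10:29:38.623 [INFO] auth.kerberos: 10.10.16.150:8080 ion.mincu@DESKOVER.LOCAL@DESKOVER.LOCAL - SPNEGO authentication succeeded";
        foreach (var line in new[] { cliLine, csLine })
            Console.WriteLine(HasDuplicatedRealm(line) ? "DUPLICATED REALM: " + line : "ok: " + line);
    }
}
```

All three `BuildPrincipal` calls return `ion.mincu@DESKOVER.LOCAL`; only the C#-style log line is flagged.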