
I'm trying to get a Kerberos ticket using the following code:

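using System;
using System.DirectoryServices.AccountManagement;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;
using System.Security.Principal;

public static byte[] GetToken(string username, string password, string domain)
{
    using (var domainContext = new PrincipalContext(ContextType.Domain, domain))
    {
        // Look up the account and use its UserPrincipalName as the target name.
        string spn = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, username).UserPrincipalName;
        var provider = new KerberosSecurityTokenProvider(spn, TokenImpersonationLevel.Impersonation, new NetworkCredential(username, password, domain));
        // This call throws the SecurityTokenValidationException described below.
        var token = provider.GetToken(TimeSpan.FromMinutes(1)) as KerberosRequestorSecurityToken;
        return token.GetRequest();
    }
}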

My problem is the provider.GetToken() method throws a SecurityTokenValidationException with the message "The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details". The inner exception reads "Authenticating to a service running under a user account which requires Kerberos multilegs, is not supported". Any thoughts?

I got my code from this thread and it seems it worked in this guy's case: How to get Service Token from Kerberos using SSPI

muku
  • Did you ever manage to resolve this? – Tom Makin Dec 19 '16 at 12:46
  • Not really. I ended up calling the unmanaged functions in SSPI to get the token. There is a very good example on pinvoke.net. You need to look for AcquireCredentialsHandle and InitializeSecurityContext functions. – muku Dec 19 '16 at 13:46
  • Thanks for the info, I assume you mean this one: http://pinvoke.net/default.aspx/secur32/InitializeSecurityContext.html – Tom Makin Dec 19 '16 at 14:00
  • Yep. That's it. – muku Dec 19 '16 at 14:12
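
The unmanaged route mentioned in the comments above, sketched as an added example (not the asker's code and not the pinvoke.net sample): it acquires outbound Kerberos credentials with AcquireCredentialsHandle and requests the first token with InitializeSecurityContext. The class name, the `targetSpn` parameter and the host name in its comment are assumptions for illustration.

```csharp
// Added illustration; Windows only. Calls secur32.dll through P/Invoke.
using System;
using System.Runtime.InteropServices;

static class SspiKerberosExample
{
    [StructLayout(LayoutKind.Sequential)] struct SecHandle { public IntPtr Lower, Upper; }
    [StructLayout(LayoutKind.Sequential)] struct SecBuffer { public uint Size, Type; public IntPtr Data; }
    [StructLayout(LayoutKind.Sequential)] struct SecBufferDesc { public uint Version, Count; public IntPtr Buffers; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] // SEC_WINNT_AUTH_IDENTITY_W
    struct AuthIdentity { public string User; public uint UserLen; public string Domain; public uint DomainLen;
                          public string Password; public uint PasswordLen; public uint Flags; }

    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int AcquireCredentialsHandle(string principal, string package, uint use, IntPtr logonId,
        ref AuthIdentity auth, IntPtr getKeyFn, IntPtr getKeyArg, out SecHandle cred, out long expiry);
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int InitializeSecurityContext(ref SecHandle cred, IntPtr ctx, string target, uint req, uint r1,
        uint dataRep, IntPtr input, uint r2, out SecHandle newCtx, ref SecBufferDesc output, out uint attrs, out long expiry);
    [DllImport("secur32.dll")] static extern int FreeContextBuffer(IntPtr buffer);
    [DllImport("secur32.dll")] static extern int DeleteSecurityContext(ref SecHandle ctx);
    [DllImport("secur32.dll")] static extern int FreeCredentialsHandle(ref SecHandle cred);

    const uint SECPKG_CRED_OUTBOUND = 2, SECURITY_NATIVE_DREP = 0x10, ISC_REQ_ALLOCATE_MEMORY = 0x100,
               SECBUFFER_TOKEN = 2, SEC_WINNT_AUTH_IDENTITY_UNICODE = 2;
    const int SEC_E_OK = 0, SEC_I_CONTINUE_NEEDED = 0x90312;

    // targetSpn: SPN of the service the ticket is for, e.g. "HTTP/web01.example.com" (hypothetical value).
    public static byte[] GetToken(string user, string password, string domain, string targetSpn)
    {
        var id = new AuthIdentity { User = user, UserLen = (uint)user.Length, Domain = domain, DomainLen = (uint)domain.Length,
            Password = password, PasswordLen = (uint)password.Length, Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE };
        int rc = AcquireCredentialsHandle(null, "Kerberos", SECPKG_CRED_OUTBOUND, IntPtr.Zero, ref id,
            IntPtr.Zero, IntPtr.Zero, out SecHandle cred, out _);
        if (rc != SEC_E_OK) throw new InvalidOperationException($"AcquireCredentialsHandle failed: 0x{rc:X8}");
        IntPtr pBuf = Marshal.AllocHGlobal(Marshal.SizeOf<SecBuffer>());
        try
        {
            // One empty token buffer; SSPI allocates the output because of ISC_REQ_ALLOCATE_MEMORY.
            Marshal.StructureToPtr(new SecBuffer { Size = 0, Type = SECBUFFER_TOKEN, Data = IntPtr.Zero }, pBuf, false);
            var desc = new SecBufferDesc { Version = 0, Count = 1, Buffers = pBuf };
            rc = InitializeSecurityContext(ref cred, IntPtr.Zero, targetSpn, ISC_REQ_ALLOCATE_MEMORY, 0,
                SECURITY_NATIVE_DREP, IntPtr.Zero, 0, out SecHandle ctx, ref desc, out _, out _);
            if (rc != SEC_E_OK && rc != SEC_I_CONTINUE_NEEDED)
                throw new InvalidOperationException($"InitializeSecurityContext failed: 0x{rc:X8}");
            var tokenBuf = Marshal.PtrToStructure<SecBuffer>(pBuf);
            var token = new byte[tokenBuf.Size];
            Marshal.Copy(tokenBuf.Data, token, 0, token.Length);
            FreeContextBuffer(tokenBuf.Data);   // release the SSPI-allocated token
            DeleteSecurityContext(ref ctx);     // only the first token is needed here
            return token;
        }
        finally { Marshal.FreeHGlobal(pBuf); FreeCredentialsHandle(ref cred); }
    }
}
```

The password is held in a managed string here for brevity, so it stays in process memory until garbage collected; the returned bytes are the first output token produced for `targetSpn`.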

0 Answers