From 2261812972138790eaed03626bfeb22b7fb1306c Mon Sep 17 00:00:00 2001
From: Maxime Kjaer
Date: Tue, 23 Sep 2025 16:01:28 -0700
Subject: [PATCH 1/2] Add compatibility flag check before throwing exception on missing ClientRealmName
---
 Kerberos.NET/Entities/Krb/KrbKdcRep.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
index 092ed87..508b7d8 100644
--- a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
+++ b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
@@ -116,7 +116,11 @@ out MessageType messageType
 if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.NormalizeRealmsUppercase))
 {
 request.RealmName = request.RealmName?.ToUpperInvariant();
- request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
+
+ if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently))
+ {
+ request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
+ }
 }

 authz ??= GenerateAuthorizationData(request);
From 6a83b991f98cdaf1549aa4fcdaf93ef629687d9d Mon Sep 17 00:00:00 2001
From: Maxime Kjaer
Date: Wed, 8 Oct 2025 15:20:54 -0700
Subject: [PATCH 2/2] Add unit test
---
 .../Messages/KrbKdcRepTests.cs | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
index 9c6d69c..01d7721 100644
--- a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
+++ b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
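Review bot: In KrbKdcRep.cs the uppercase normalization of `ClientRealmName` now sits inside the new `IsolateRealmsConsistently` check together with the null check, so a request with only `NormalizeRealmsUppercase` set no longer has a non-null client realm uppercased, while `RealmName` still is. Before this change both were normalized under that flag; if the client realm is later written into the issued ticket (not visible in this hunk), the two realm fields can now differ in case, which matters wherever realms are compared exactly. Keeping the normalization unconditional and gating only the throw would preserve the old behaviour: `request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant();` followed by `if (request.ClientRealmName is null && request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently)) throw new InvalidOperationException("Unknown client realm name");`. The null check also still runs only when `NormalizeRealmsUppercase` is set, which deserves a comment if it is intended. The enclosing method starts and ends outside the hunk.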
@@ -69,6 +69,42 @@ public void CreateServiceTicket_NullPrincipal()
 });
 }

+ [TestMethod]
+ public void CreateServiceTicket_NullClientRealmName()
+ {
+ var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+ // This should not throw, as ClientRealmName is allowed to be null if CompatibilityFlags.IsolateRealmsConsistently is not set
+ var tgsRep = KrbKdcRep.GenerateServiceTicket(new ServiceTicketRequest
+ {
+ EncryptedPartKey = key,
+ ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+ ServicePrincipalKey = key,
+ Principal = new FakeKerberosPrincipal("blah@blah2.com"),
+ RealmName = "blah.com",
+ ClientRealmName = null,
+ Compatibility = KerberosCompatibilityFlags.NormalizeRealmsUppercase,
+ });
+ }
+
+ [TestMethod]
+ [ExpectedException(typeof(InvalidOperationException))]
+ public void CreateServiceTicket_NullClientRealmName_IsolateRealmsConsistently()
+ {
+ var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+ var tgsRep = KrbKdcRep.GenerateServiceTicket(new ServiceTicketRequest
+ {
+ EncryptedPartKey = key,
+ ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+ ServicePrincipalKey = key,
+ Principal = new FakeKerberosPrincipal("blah@blah2.com"),
+ RealmName = "blah.com",
+ ClientRealmName = null,
+ Compatibility = KerberosCompatibilityFlags.NormalizeRealmsUppercase | KerberosCompatibilityFlags.IsolateRealmsConsistently,
+ });
+ }
+
 [TestMethod]
 public void CreateServiceTicket()
 {
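Review bot: `CreateServiceTicket_NullClientRealmName` asserts nothing: `tgsRep` is assigned and never inspected, so the test passes on any non-throwing path and does not pin which client realm the reply carries when `ClientRealmName` is null. Add at least `Assert.IsNotNull(tgsRep);` plus an assertion on the realm in the generated reply. In `CreateServiceTicket_NullClientRealmName_IsolateRealmsConsistently`, `[ExpectedException]` is satisfied by an `InvalidOperationException` thrown from any statement in the method, including key generation; wrapping only the `GenerateServiceTicket` call in `Assert.ThrowsException<InvalidOperationException>(() => ...)` narrows it to the call under test. A third case with a non-null, lowercase `ClientRealmName` and only `NormalizeRealmsUppercase` set would document whether that value is still uppercased.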