Merge pull request #408 from MaximeKjaer/isolate-exception

SteveSyfuhs · web-flow · commit da52236c3748 · 2025-10-13T13:34:20.000-07:00
Avoid exception when ClientRealmName is null and IsolateRealmsConsistently is off
diff --git a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
@@ -110,7 +110,11 @@ out MessageType messageType
             if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.NormalizeRealmsUppercase))
             {
                 request.RealmName = request.RealmName?.ToUpperInvariant();
-                request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
+
+                if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently))
+                {
+                    request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
+                }
             }
 
             authz ??= GenerateAuthorizationData(request);
diff --git a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
@@ -69,6 +69,42 @@ public void CreateServiceTicket_NullPrincipal()
             });
         }
 
+        [TestMethod]
+        public void CreateServiceTicket_NullClientRealmName()
+        {
+            var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+            // This should not throw, as ClientRealmName is allowed to be null if CompatibilityFlags.IsolateRealmsConsistently is not set
+            var tgsRep = KrbKdcRep.GenerateServiceTicket<KrbTgsRep>(new ServiceTicketRequest
+            {
+                EncryptedPartKey = key,
+                ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+                ServicePrincipalKey = key,
+                Principal = new FakeKerberosPrincipal("blah@blah2.com"),
+                RealmName = "blah.com",
+                ClientRealmName = null,
+                Compatibility = KerberosCompatibilityFlags.NormalizeRealmsUppercase,
+            });
+        }
+
+        [TestMethod]
+        [ExpectedException(typeof(InvalidOperationException))]
+        public void CreateServiceTicket_NullClientRealmName_IsolateRealmsConsistently()
+        {
+            var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+            var tgsRep = KrbKdcRep.GenerateServiceTicket<KrbTgsRep>(new ServiceTicketRequest
+            {
+                EncryptedPartKey = key,
+                ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+                ServicePrincipalKey = key,
+                Principal = new FakeKerberosPrincipal("blah@blah2.com"),
+                RealmName = "blah.com",
+                ClientRealmName = null,
+                Compatibility = KerberosCompatibilityFlags.NormalizeRealmsUppercase | KerberosCompatibilityFlags.IsolateRealmsConsistently,
+            });
+        }
+
         [TestMethod]
         public void CreateServiceTicket()
         {

Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,11 @@ out MessageType messageType`
`110`	`110`	`if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.NormalizeRealmsUppercase))`
`111`	`111`	`{`
`112`	`112`	`request.RealmName = request.RealmName?.ToUpperInvariant();`
`113`		`- request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");`
	`113`	`+`
	`114`	`+ if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently))`
	`115`	`+ {`
	`116`	`+ request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");`
	`117`	`+ }`
`114`	`118`	`}`
`115`	`119`
`116`	`120`	`authz ??= GenerateAuthorizationData(request);`