Add troubleshooting guide, add kdc test to sample app

Author: macsux

README.MD

@@ -18,10 +18,10 @@ applications:
 - name: TestKerberos
   path: bin/Debug/net5.0/publish
   random-route: true
-  memory: 256M
+  memory: 512M
   health-check-type: none
   buildpacks: 
-    - https://github.com/macsux/kerberos-buildpack/releases/download/v0.1.0/KerberosBuildpack-linux-x64-0.1.0.zip
+    - https://github.com/macsux/kerberos-buildpack/releases/download/WIP/KerberosBuildpack-linux-x64-WIP.zip
     - dotnet_core_buildpack
   env:
     KRB5_KDC: ad.almirex.com
@@ -38,4 +38,37 @@ applications:
 
 Core libraries used by .NET and Java apps use MIT Kerberos to do Kerberos (aka Integrated) authentication when running on Linux. This buildpack configures MIT Kerberos, and obtains the necessary initial TGT tickets necessary for the app to acquire authentication tickets.
 
-A sidecar runs in background that will obtain tickets Kerberos .NET 
+A sidecar runs in background that will obtain tickets Kerberos .NET 
+
+## Troubleshooting
+
+Recommendation is to start with sample app included, which exposes the folowing endpoints:
+`/user` - which will authenticate incoming HTTP principal and print caller's identity. Simply call this endpoint on domain joined box from browser
+`sql` - tests kerberos connection to SQL Server. Set connection string either in `appsettings.json` or via environmental variable `CONNECTIONSTRINGS__SQLSERVER`.
+`/testkdc` - verify that connection can be established to KDC server on port 88.
+
+After the app starts up you should see logs emitted from sidecar process that look like this:
+```csharp
+   2022-01-26T16:04:52.80-0500 [PROXY/0] OUT Exit status 137
+   2022-01-26T16:04:52.87-0500 [APP/PROC/WEB/0] OUT info: Microsoft.Hosting.Lifetime[14]
+   2022-01-26T16:04:52.87-0500 [APP/PROC/WEB/0] OUT       Now listening on: http://0.0.0.0:9090
+   2022-01-26T16:04:52.88-0500 [APP/PROC/WEB/0] OUT info: Microsoft.Hosting.Lifetime[0]
+   2022-01-26T16:04:52.88-0500 [APP/PROC/WEB/0] OUT       Application started. Press Ctrl+C to shut down.
+   2022-01-26T16:04:52.88-0500 [APP/PROC/WEB/0] OUT info: Microsoft.Hosting.Lifetime[0]
+   2022-01-26T16:04:52.88-0500 [APP/PROC/WEB/0] OUT       Hosting environment: Production
+   2022-01-26T16:04:52.88-0500 [APP/PROC/WEB/0] OUT info: Microsoft.Hosting.Lifetime[0]
+   2022-01-26T16:04:52.88-0500 [APP/PROC/WEB/0] OUT       Content root path: /home/vcap/app/
+   2022-01-26T16:04:53.23-0500 [APP/PROC/WEB/0] OUT info: KerberosSidecar.KerberosWorker[0]
+   2022-01-26T16:04:53.23-0500 [APP/PROC/WEB/0] OUT       Service authenticated successfully as 'iwaclient'
+   2022-01-26T16:04:53.24-0500 [APP/PROC/WEB/0] OUT info: KerberosSidecar.Spn.LoggingSpnClient[0]
+   2022-01-26T16:04:53.24-0500 [APP/PROC/WEB/0] OUT       Ensure that the following SPN for the service exists: http/kerberosdemo.apps.longbeach.cf-app.com
+```
+
+If you have not received a message similar to `Service authenticated successfully as 'iwaclient'`, it means that the worker sidecar has been unable to obtain ticket from your KDC.
+
+#### Things to check 
+
+- Sidecar process started, as indicated by log entry containing `Now listening on: http://0.0.0.0:9090`. (note port 9090 - there maybe similar log entry but for port 8080 - that one is for the main app).
+- Credentials are correct and specified in the right format
+- KDC is accessible from the container. Use `/testkdc` endpoint of sample app to test.
+- Any other errors coming from the logs

sample/KerberosDemo/Controllers/HomeController.cs

@@ -1,6 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net;
+using System.Net.NetworkInformation;
+using System.Net.Sockets;
 using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
@@ -107,6 +110,30 @@ public ActionResult<string> SqlTest()
 
             return sb.ToString();
         }
+
+        [HttpGet("/testkdc")]
+        public async Task<string> TestKDC(string kdc)
+        {
+            
+            if (string.IsNullOrEmpty(kdc))
+            {
+                kdc = Environment.GetEnvironmentVariable("KRB5_KDC");
+                if (string.IsNullOrEmpty(kdc))
+                    return "KRB5_KDC env var is not configured";
+            }
+            using var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
+            try
+            {
+                await socket.ConnectAsync(kdc, 88);
+                return $"Successfully connected to {kdc} on port 88";
+            }
+            catch (Exception e)
+            {
+                return $"Failed connection test to {kdc} on port 88\n{e}";
+            }
+        }
+        
+        
     }
 
     public class SqlServerInfo

sample/KerberosDemo/Properties/launchSettings.json

@@ -1,30 +1,15 @@
 {
   "$schema": "http://json.schemastore.org/launchsettings.json",
-  "iisSettings": {
-    "windowsAuthentication": false,
-    "anonymousAuthentication": true,
-    "iisExpress": {
-      "applicationUrl": "http://localhost:13453",
-      "sslPort": 44328
-    }
-  },
   "profiles": {
-    "IIS Express": {
-      "commandName": "IISExpress",
-      "launchBrowser": true,
-      "launchUrl": "swagger",
-      "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
-      }
-    },
     "KerberosDemo": {
       "commandName": "Project",
       "dotnetRunMessages": "true",
       "launchBrowser": true,
       "launchUrl": "swagger",
-      "applicationUrl": "https://localhost:5001;http://localhost:5000",
+      "applicationUrl": "http://localhost:5000",
       "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "KRB5_KDC": "dc1.macsux.com"
       }
     }
   }

sample/KerberosDemo/Startup.cs

@@ -47,11 +47,11 @@ public void ConfigureServices(IServiceCollection services)
                 // .AddNegotiate(c => c
                 //     .EnableLdap(ldap =>
                 //     {
-                        ldap.LdapConnection = new LdapConnection(new LdapDirectoryIdentifier(ldapAddress, true, false), new NetworkCredential(serviceAccount, password), AuthType.Basic);
+                        // ldap.LdapConnection = new LdapConnection(new LdapDirectoryIdentifier(ldapAddress, true, false), new NetworkCredential(serviceAccount, password), AuthType.Basic);
                 //         ldap.Domain = domain;
                 //         ldap.LdapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
                 //         ldap.LdapConnection.SessionOptions.ProtocolVersion = 3; //Setting LDAP Protocol to latest version
-                        ldap.LdapConnection.Timeout = TimeSpan.FromMinutes(1);
+                        // ldap.LdapConnection.Timeout = TimeSpan.FromMinutes(1);
                 //         ldap.LdapConnection.AutoBind = true;
                         // ldap.LdapConnection.Bind();
                 //     }));

sample/KerberosDemo/manifest.yml

@@ -2,7 +2,7 @@
 applications:
 - name: KerberosDemo
   path: bin/Debug/net5.0/linux-x64/publish
-  memory: 256M
+  memory: 512M
   health-check-type: none
   buildpacks: 
     - https://github.com/macsux/kerberos-buildpack/releases/download/WIP/KerberosBuildpack-linux-x64-WIP.zip