directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: r558318 [2/2] - in /directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol: AbstractTicketGrantingServiceTest.java EncTktInSkeyTest.java TicketGrantingServiceTest.java
Date Sat, 21 Jul 2007 11:51:24 GMT
Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingServiceTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingServiceTest.java?view=auto&rev=558318
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingServiceTest.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingServiceTest.java Sat Jul 21 04:51:23 2007
@@ -0,0 +1,1906 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import java.net.InetAddress;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.MessageType;
+import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
+import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
+import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
+import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
+
+
+/**
+ * Tests the Ticket-Granting Service (TGS) via the {@link KerberosProtocolHandler}.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class TicketGrantingServiceTest extends AbstractTicketGrantingServiceTest
+{
+    private KdcConfiguration config;
+    private PrincipalStore store;
+    private KerberosProtocolHandler handler;
+    private DummySession session;
+
+
+    /**
+     * Creates a new instance of {@link TicketGrantingServiceTest}.
+     */
+    public TicketGrantingServiceTest()
+    {
+        config = new KdcConfiguration();
+
+        /*
+         * Body checksum verification must be disabled because we are bypassing
+         * the codecs, where the body bytes are set on the KdcRequest message.
+         */
+        config.setBodyChecksumVerified( false );
+
+        store = new MapPrincipalStoreImpl();
+        handler = new KerberosProtocolHandler( config, store );
+        session = new DummySession();
+        lockBox = new CipherTextHandler();
+    }
+
+
+    /**
+     * Tests the default minimum request, which consists of as little as the
+     * client name, service name, realm, till time, nonce, and encryption types.
+     * 
+     * This is the request archetype.
+     * 
+     * "The TGS exchange between a client and the Kerberos TGS is initiated by a
+     * client ... when it seeks to obtain authentication credentials for a given
+     * server (which might be registered in a remote realm)."
+     * 
+     * "In the first case, the client must already have acquired a ticket for the
+     * Ticket-Granting Service using the AS exchange (the TGT is usually obtained
+     * when a client initially authenticates to the system, such as when a user
+     * logs in)."
+     * 
+     * @throws Exception 
+     */
+    public void testRequestArchetype() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+    }
+
+
+    /**
+     * Tests the protocol version number, which must be '5'.
+     */
+    public void testProtocolVersionNumber()
+    {
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+
+        KdcRequest message = new KdcRequest( 4, MessageType.KRB_TGS_REQ, null, modifier.getRequestBody() );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Requested protocol version number not supported", 3, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests that a non-existent server principal returns the correct error message.
+     * 
+     * @throws Exception 
+     */
+    public void testServerNotFound() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "badservice" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Server not found in Kerberos database", 7, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests when no ticket is found in the auth header that the request is rejected
+     * with the correct error message.
+     * 
+     * "If no ticket can be found in the padata field, the KDC_ERR_PADATA_TYPE_NOSUPP
+     * error is returned."
+     * 
+     * @throws Exception 
+     */
+    public void testNoTicketFound() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        // Get the session key from the service ticket.
+        sessionKey = tgt.getSessionKey();
+
+        // Generate a new sequence number.
+        sequenceNumber = random.nextInt();
+        now = new KerberosTime();
+
+        KdcRequest message = new KdcRequest( 5, MessageType.KRB_TGS_REQ, null, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "KDC has no support for padata type", 16, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests that an inappropriate checksum returns the correct error message.
+     * 
+     * @throws Exception 
+     */
+    public void testInappropriateChecksum() throws Exception
+    {
+        config.setBodyChecksumVerified( true );
+
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "tquist@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Inappropriate type of checksum in message", 50, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests that an inappropriate checksum returns the correct error message.
+     * 
+     * @throws Exception 
+     */
+    public void testChecksumTypeNoSupport() throws Exception
+    {
+        config.setBodyChecksumVerified( true );
+
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "tquist@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        try
+        {
+            getKdcRequest( tgt, requestBody, ChecksumType.DES_MAC_K );
+        }
+        catch ( KerberosException ke )
+        {
+            assertEquals( "KDC has no support for checksum type", 15, ke.getErrorCode() );
+        }
+    }
+
+
+    /**
+     * "If any of the decryptions indicate failed integrity checks, the
+     * KRB_AP_ERR_BAD_INTEGRITY error is returned."
+     * 
+     * @throws Exception
+     */
+    public void testIntegrityCheckedFailed() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "badpassword";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Integrity check on decrypted field failed", 31, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests when the ticket isn't for us that the correct error message is returned.
+     * 
+     * @throws Exception
+     */
+    public void testNotUs() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@APACHE.ORG" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "The ticket isn't for us", 35, error.getErrorCode() );
+    }
+
+
+    /**
+     * "The TGS exchange between a client and the Kerberos TGS is initiated by a
+     * client when ... it seeks to renew an existing ticket."
+     * 
+     * @throws Exception 
+     */
+    public void testRenewTicket() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RENEW );
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedRenewTillTime = tgt.getRenewTill();
+        boolean isClose = Math.abs( reply.getRenewTill().getTime() - expectedRenewTillTime.getTime() ) < 5000;
+        assertTrue( "Expected renew till time", isClose );
+    }
+
+
+    /**
+     * "The TGS exchange between a client and the Kerberos TGS is initiated by a
+     * client when ... it seeks to validate an existing ticket."
+     * 
+     * @throws Exception 
+     */
+    public void testValidateTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.INVALID );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.VALIDATE );
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedRenewTillTime = tgt.getRenewTill();
+        boolean isClose = Math.abs( reply.getRenewTill().getTime() - expectedRenewTillTime.getTime() ) < 5000;
+        assertTrue( "Expected renew till time", isClose );
+    }
+
+
+    /**
+     * "The TGS exchange between a client and the Kerberos TGS is initiated by a
+     * client when ... it seeks to obtain a proxy ticket."
+     * 
+     * @throws Exception 
+     */
+    public void testProxyTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.PROXIABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.PROXY );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        HostAddress[] address =
+            { new HostAddress( InetAddress.getLocalHost() ) };
+        HostAddresses addresses = new HostAddresses( address );
+        modifier.setAddresses( addresses );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "PROXY flag", reply.getFlags().get( TicketFlags.PROXY ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "PROXY flag", reply.getTicket().getFlags().get( TicketFlags.PROXY ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+
+        assertNotNull( reply.getTicket().getClientAddresses() );
+    }
+
+
+    /**
+     * "The TGS exchange between a client and the Kerberos TGS is initiated by a
+     * client when ... it seeks to obtain a forwarded ticket."
+     * 
+     * @throws Exception 
+     */
+    public void testForwardedTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.FORWARDABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.FORWARDED );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        HostAddress[] address =
+            { new HostAddress( InetAddress.getLocalHost() ) };
+        HostAddresses addresses = new HostAddresses( address );
+        modifier.setAddresses( addresses );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "FORWARDED flag", reply.getFlags().get( TicketFlags.FORWARDED ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "FORWARDED flag", reply.getTicket().getFlags().get( TicketFlags.FORWARDED ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+
+        assertNotNull( reply.getTicket().getClientAddresses() );
+    }
+
+
+    /**
+     * As is the case for all application servers, expired tickets are not
+     * accepted by the TGS, so once a renewable or TGT expires, the client
+     * must use a separate exchange to obtain valid tickets.
+     * 
+     * @throws Exception 
+     */
+    public void testExpiredTgt() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setEndTime( new KerberosTime( 0 ) );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Ticket expired", 32, error.getErrorCode() );
+    }
+
+
+    /**
+     * As is the case for all application servers, expired tickets are not accepted
+     * by the TGS, so once a renewable or TGT expires, the client must use a separate
+     * exchange to obtain valid tickets.
+     * 
+     * @throws Exception 
+     */
+    public void testExpiredRenewableTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+        encTicketPartModifier.setRenewTill( new KerberosTime( 0 ) );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "ldap/ldap.example.com@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RENEW );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Ticket expired", 32, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests when a renewable ticket is presented for renewal, that if the RENEW
+     * flag is NOT set, the ticket is renewed for the endtime of the presented
+     * ticket, as though it were a TGT.
+     *
+     * @throws Exception
+     */
+    public void testRenewableTicketNoRenew() throws Exception
+    {
+        long now = System.currentTimeMillis();
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+        encTicketPartModifier.setStartTime( new KerberosTime( now - KerberosTime.DAY / 2 ) );
+        encTicketPartModifier.setEndTime( new KerberosTime( now + KerberosTime.DAY / 2 ) );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "ldap/ldap.example.com@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY / 2 );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedEndTime = tgt.getEndTime();
+        boolean isClose = Math.abs( reply.getEndTime().getTime() - expectedEndTime.getTime() ) < 5000;
+        assertTrue( "Expected renew till time", isClose );
+    }
+
+
+    /**
+     * Tests when a renewable ticket is presented for renewal, that if the RENEW
+     * flag is set, the ticket is renewed for the lifetime of the presented ticket.
+     *
+     * @throws Exception
+     */
+    public void testRenewableTicketRenewal() throws Exception
+    {
+        long now = System.currentTimeMillis();
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+        encTicketPartModifier.setStartTime( new KerberosTime( now - KerberosTime.DAY / 2 ) );
+        encTicketPartModifier.setEndTime( new KerberosTime( now + KerberosTime.DAY / 2 ) );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "ldap/ldap.example.com@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RENEW );
+        modifier.setKdcOptions( kdcOptions );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY / 2 );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        boolean isClose = Math.abs( reply.getEndTime().getTime() - expectedEndTime.getTime() ) < 5000;
+        assertTrue( "Expected renew till time", isClose );
+    }
+
+
+    /**
+     * Test when an unsupported encryption type is requested, that the request is
+     * rejected with the correct error message.
+     * 
+     * "If the server cannot accommodate any encryption type requested by the
+     * client, an error message with code KDC_ERR_ETYPE_NOSUPP is returned."
+     * 
+     * @throws Exception 
+     */
+    public void testEncryptionTypeNoSupport() throws Exception
+    {
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+
+        EncryptionType[] encryptionTypes = new EncryptionType[]
+            { EncryptionType.DES3_CBC_MD5 };
+
+        modifier.setEType( encryptionTypes );
+
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        KdcRequest message = new KdcRequest( 5, MessageType.KRB_TGS_REQ, null, modifier.getRequestBody() );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "KDC has no support for encryption type", 14, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests that when a server principal is not configured with Kerberos keys that
+     * the correct error message is returned.
+     * 
+     * @throws Exception 
+     */
+    public void testServerNullKey() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "tquist" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "The client or server has a null key", 9, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests when the starttime is absent and the POSTDATED option has not been
+     * specified, that the starttime of the ticket is set to the authentication
+     * server's current time.
+     * 
+     * "If the requested starttime is absent, indicates a time in the past,
+     * or is within the window of acceptable clock skew for the KDC and the
+     * POSTDATE option has not been specified, then the starttime of the
+     * ticket is set to the authentication server's current time."
+     * 
+     * @throws Exception 
+     */
+    public void testStartTimeAbsentNoPostdate() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedStartTime = new KerberosTime( now );
+        boolean isClose = reply.getStartTime() == null
+            || Math.abs( reply.getStartTime().getTime() - expectedStartTime.getTime() ) < 5000;
+        assertTrue( "Expected start time", isClose );
+    }
+
+
+    /**
+     * Tests when the starttime indicates a time in the past and the POSTDATED option
+     * has not been specified, that the starttime of the ticket is set to the
+     * authentication server's current time.
+     * 
+     * "If the requested starttime is absent, indicates a time in the past,
+     * or is within the window of acceptable clock skew for the KDC and the
+     * POSTDATE option has not been specified, then the starttime of the
+     * ticket is set to the authentication server's current time."
+     * 
+     * @throws Exception 
+     */
+    public void testStartTimeInThePastNoPostdate() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedStartTime = new KerberosTime( now + -1 * KerberosTime.DAY );
+        modifier.setFrom( requestedStartTime );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedStartTime = new KerberosTime( now );
+        boolean isClose = reply.getStartTime() == null
+            || Math.abs( reply.getStartTime().getTime() - expectedStartTime.getTime() ) < 5000;
+        assertTrue( "Expected start time", isClose );
+    }
+
+
+    /**
+     * Tests when the starttime is within the window of acceptable clock skew for
+     * the KDC and the POSTDATED option has not been specified, that the starttime
+     * of the ticket is set to the authentication server's current time.
+     * 
+     * "If the requested starttime is absent, indicates a time in the past,
+     * or is within the window of acceptable clock skew for the KDC and the
+     * POSTDATE option has not been specified, then the starttime of the
+     * ticket is set to the authentication server's current time."
+     * 
+     * @throws Exception 
+     */
+    public void testStartTimeAcceptableClockSkewNoPostdate() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedStartTime = new KerberosTime( now );
+        modifier.setFrom( requestedStartTime );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedStartTime = new KerberosTime( now );
+        boolean isClose = reply.getStartTime() == null
+            || Math.abs( reply.getStartTime().getTime() - expectedStartTime.getTime() ) < 5000;
+        assertTrue( "Expected start time", isClose );
+    }
+
+
+    /**
+     * Tests when a start time is after an end time that the request is rejected with the
+     * correct error message.
+     * 
+     * "If the requested expiration time minus the starttime (as determined above)
+     * is less than a site-determined minimum lifetime, an error message with code
+     * KDC_ERR_NEVER_VALID is returned."
+     *
+     * @throws Exception
+     */
+    public void testStartTimeOrderNeverValid() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.POSTDATED );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedStartTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setFrom( requestedStartTime );
+
+        KerberosTime requestedEndTime = new KerberosTime( now );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Requested start time is later than end time", 11, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests when the absolute value of the difference between the start time is
+     * and the end time is less than a configured minimum, that the request is
+     * rejected with the correct error message.
+     * 
+     * "If the requested expiration time minus the starttime (as determined above)
+     * is less than a site-determined minimum lifetime, an error message with code
+     * KDC_ERR_NEVER_VALID is returned."
+     *
+     * @throws Exception
+     */
+    public void testStartTimeMinimumNeverValid() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedStartTime = new KerberosTime( now );
+        modifier.setFrom( requestedStartTime );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 4 * KerberosTime.MINUTE );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Requested start time is later than end time", 11, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests when a valid starttime is specified but the POSTDATE flag is not set,
+     * that the request is rejected with the correct error message.
+     * 
+     * "If it indicates a time in the future beyond the acceptable clock skew, but
+     * the POSTDATED option has not been specified, then the error
+     * KDC_ERR_CANNOT_POSTDATE is returned."
+     * 
+     * @throws Exception 
+     */
+    public void testStartTimeNoPostdated() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        modifier.setKdcOptions( new KdcOptions() );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedStartTime = new KerberosTime( now + 10 * KerberosTime.MINUTE );
+        modifier.setFrom( requestedStartTime );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "Ticket not eligible for postdating", 10, error.getErrorCode() );
+    }
+
+
+    /**
+     * Tests that a user-specified start time is honored when that start time does not
+     * violate policy.
+     * 
+     * "Otherwise the requested starttime is checked against the policy of the local
+     * realm (the administrator might decide to prohibit certain types or ranges of
+     * postdated tickets), and if the ticket's starttime is acceptable, it is set as
+     * requested, and the INVALID flag is set in the new ticket.  The postdated
+     * ticket MUST be validated before use by presenting it to the KDC after the
+     * starttime has been reached."
+     * 
+     * "If the new ticket is postdated (the starttime is in the future), its
+     * INVALID flag will also be set."
+     * 
+     * "The flags field of the new ticket will have the following options set
+     * if they have been requested and if the policy of the local realm
+     * allows:  FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE."
+     * 
+     * @throws Exception
+     */
+    public void testSpecificStartTime() throws Exception
+    {
+        long now = System.currentTimeMillis();
+
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+        // Service ticket end time will be limited by TGT end time.
+        encTicketPartModifier.setEndTime( new KerberosTime( now + 3 * KerberosTime.DAY ) );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.POSTDATED );
+        modifier.setKdcOptions( kdcOptions );
+
+        KerberosTime requestedStartTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setFrom( requestedStartTime );
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 2 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "Requested start time", requestedStartTime.equals( reply.getStartTime() ) );
+        assertTrue( "Requested end time", requestedEndTime.equals( reply.getEndTime() ) );
+        assertTrue( "POSTDATED flag", reply.getFlags().get( TicketFlags.POSTDATED ) );
+        assertTrue( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "Requested start time", requestedStartTime.equals( reply.getTicket().getStartTime() ) );
+        assertTrue( "Requested end time", requestedEndTime.equals( reply.getEndTime() ) );
+        assertTrue( "POSTDATED flag", reply.getTicket().getFlags().get( TicketFlags.POSTDATED ) );
+        assertTrue( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+    }
+
+
+    /**
+     * Tests when pre-authentication used during initial authentication, that the flag
+     * is carried forward to derivative tickets.
+     *
+     * @throws Exception
+     */
+    public void testPreAuthenticationFlag() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.PRE_AUTHENT );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "PRE_AUTHENT flag", reply.getTicket().getFlags().get( TicketFlags.PRE_AUTHENT ) );
+    }
+
+
+    /**
+     * Tests that a user-specified end time is honored when that end time does not
+     * violate policy.
+     * 
+     * "The expiration time of the ticket will be set to the earlier of the
+     * requested endtime and a time determined by local policy, possibly by
+     * using realm- or principal-specific factors."
+     *
+     * @throws Exception
+     */
+    public void testSpecificEndTime() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY / 2 );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "Requested end time", requestedEndTime.equals( reply.getEndTime() ) );
+    }
+
+
+    /**
+     * Tests when an end time is requested that exceeds the maximum end time as 
+     * configured in policy that the maximum allowable end time is returned instead
+     * of the requested end time.
+     * 
+     * "The expiration time of the ticket will be set to the earlier of the
+     * requested endtime and a time determined by local policy, possibly by
+     * using realm- or principal-specific factors."
+     *
+     * @throws Exception
+     */
+    public void testEndTimeExceedsMaximumAllowable() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        boolean isClose = Math.abs( reply.getEndTime().getTime() - expectedEndTime.getTime() ) < 5000;
+        assertTrue( "Expected end time", isClose );
+    }
+
+
+    /**
+     * Tests that a requested zulu end time of the epoch ("19700101000000Z") results
+     * in the maximum endtime permitted according to KDC policy.  The zulu epoch is
+     * the same as '0' (zero) milliseconds in Java.
+     * 
+     * @throws Exception
+     */
+    public void testEpochEndTime() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        modifier.setKdcOptions( new KdcOptions() );
+
+        String epoch = "19700101000000Z";
+        KerberosTime requestedEndTime = KerberosTime.getTime( epoch );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        long now = System.currentTimeMillis();
+        KerberosTime expectedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        boolean isClose = Math.abs( reply.getEndTime().getTime() - expectedEndTime.getTime() ) < 5000;
+        assertTrue( "Expected end time", isClose );
+    }
+
+
+    /**
+     * Tests whether a renewable ticket will be accepted in lieu of a non-renewable
+     * ticket if the requested ticket expiration date cannot be satisfied by a
+     * non-renewable ticket (due to configuration constraints).
+     * 
+     * "If the requested expiration time for the ticket exceeds what was determined
+     * as above, and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
+     * flag is set in the new ticket, and the renew-till value is set as if the
+     * 'RENEWABLE' option were requested (the field and option names are described
+     * fully in Section 5.4.1).
+     * 
+     * @throws Exception 
+     */
+    public void testRenewableOk() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RENEWABLE_OK );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        KerberosTime expectedEndTime = new KerberosTime( now + KerberosTime.DAY );
+        boolean isClose = Math.abs( reply.getEndTime().getTime() - expectedEndTime.getTime() ) < 5000;
+        assertTrue( "Expected end time", isClose );
+
+        assertTrue( "RENEWABLE flag", reply.getFlags().get( TicketFlags.RENEWABLE ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        KerberosTime expectedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK );
+        isClose = Math.abs( reply.getRenewTill().getTime() - expectedRenewTillTime.getTime() ) < 5000;
+        assertTrue( "Expected renew-till time", isClose );
+    }
+
+
+    /**
+     * Tests forwardable tickets.
+     * 
+     * "The flags field of the new ticket will have the following options set
+     * if they have been requested and if the policy of the local realm
+     * allows:  FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE."
+     * 
+     * @throws Exception 
+     */
+    public void testForwardableTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.FORWARDABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.FORWARDABLE );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "FORWARDABLE flag", reply.getFlags().get( TicketFlags.FORWARDABLE ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "FORWARDABLE flag", reply.getTicket().getFlags().get( TicketFlags.FORWARDABLE ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+    }
+
+
+    /**
+     * Tests allow postdating of derivative tickets.
+     * 
+     * "The flags field of the new ticket will have the following options set
+     * if they have been requested and if the policy of the local realm
+     * allows:  FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE."
+     * 
+     * @throws Exception 
+     */
+    public void testAllowPostdate() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.MAY_POSTDATE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.ALLOW_POSTDATE );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "MAY_POSTDATE flag", reply.getFlags().get( TicketFlags.MAY_POSTDATE ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "MAY_POSTDATE flag", reply.getTicket().getFlags().get( TicketFlags.MAY_POSTDATE ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+    }
+
+
+    /**
+     * Tests proxiable tickets.
+     * 
+     * "The flags field of the new ticket will have the following options set
+     * if they have been requested and if the policy of the local realm
+     * allows:  FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE."
+     * 
+     * @throws Exception 
+     */
+    public void testProxiableTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.PROXIABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.PROXIABLE );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "PROXIABLE flag", reply.getFlags().get( TicketFlags.PROXIABLE ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "PROXIABLE flag", reply.getTicket().getFlags().get( TicketFlags.PROXIABLE ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+    }
+
+
+    /**
+     * Tests that a user-specified renew-till time is honored when that renew-till
+     * time does not violate policy.
+     * 
+     * "If the RENEWABLE option has been requested or if the RENEWABLE-OK
+     * option has been set and a renewable ticket is to be issued, then the
+     * renew-till field MAY be set to the earliest of ... its requested value [or]
+     * the starttime of the ticket plus the maximum renewable lifetime
+     * set by the policy of the local realm."
+     * 
+     * @throws Exception 
+     */
+    public void testRenewableTicket() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RENEWABLE );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
+        modifier.setRtime( requestedRenewTillTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "RENEWABLE flag", reply.getFlags().get( TicketFlags.RENEWABLE ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "RENEWABLE flag", reply.getTicket().getFlags().get( TicketFlags.RENEWABLE ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "Requested renew-till time", requestedRenewTillTime.equals( reply.getRenewTill() ) );
+    }
+
+
+    /**
+     * Tests when a renew-till time is requested that exceeds the maximum renew-till
+     * time as configured in policy that the maximum allowable renew-till time is
+     * returned instead of the requested renew-till time.
+     * 
+     * "If the RENEWABLE option has been requested or if the RENEWABLE-OK
+     * option has been set and a renewable ticket is to be issued, then the
+     * renew-till field MAY be set to the earliest of ... its requested value [or]
+     * the starttime of the ticket plus the maximum renewable lifetime
+     * set by the policy of the local realm."
+     * 
+     * @throws Exception 
+     */
+    public void testRenewableTicketExceedsMaximumAllowable() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+        encTicketPartModifier.setFlag( TicketFlags.RENEWABLE );
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RENEWABLE );
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        KerberosTime requestedRenewTillTime = new KerberosTime( now + 2 * KerberosTime.WEEK );
+        modifier.setRtime( requestedRenewTillTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertTrue( "RENEWABLE flag", reply.getFlags().get( TicketFlags.RENEWABLE ) );
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+
+        assertTrue( "RENEWABLE flag", reply.getTicket().getFlags().get( TicketFlags.RENEWABLE ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+
+        KerberosTime expectedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK );
+        boolean isClose = Math.abs( reply.getRenewTill().getTime() - expectedRenewTillTime.getTime() ) < 5000;
+        assertTrue( "Expected renew-till time", isClose );
+    }
+
+
+    /**
+     * "The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+     * in the sub-session key from the Authenticator, if present, or in the session
+     * key from the TGT."
+     *     
+     * @throws Exception 
+     */
+    public void testAuthenticatorSubKey() throws Exception
+    {
+        // Get the mutable ticket part.
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+        // Make changes to test.
+
+        // Seal the ticket for the server.
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String passPhrase = "randomKey";
+        EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+        Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        modifier.setKdcOptions( kdcOptions );
+
+        long now = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        subSessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+
+        RequestBody requestBody = modifier.getRequestBody();
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        TicketGrantReply reply = ( TicketGrantReply ) session.getMessage();
+
+        assertFalse( "INVALID flag", reply.getFlags().get( TicketFlags.INVALID ) );
+        assertFalse( "INVALID flag", reply.getTicket().getFlags().get( TicketFlags.INVALID ) );
+    }
+
+
+    /**
+     * Tests that the option RESERVED, which is bad for a TGS_REQ, is rejected
+     * with the correct error message.
+     *
+     * @throws Exception
+     */
+    public void testBadOptionReserved() throws Exception
+    {
+        KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+        KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+        String serverPassword = "randomKey";
+
+        Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
+
+        RequestBodyModifier modifier = new RequestBodyModifier();
+        modifier.setServerName( getPrincipalName( "hnelson" ) );
+        modifier.setRealm( "EXAMPLE.COM" );
+        modifier.setEType( config.getEncryptionTypes() );
+        modifier.setNonce( random.nextInt() );
+
+        KdcOptions kdcOptions = new KdcOptions();
+        kdcOptions.set( KdcOptions.RESERVED );
+        modifier.setKdcOptions( kdcOptions );
+
+        long currentTime = System.currentTimeMillis();
+
+        KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
+        modifier.setTill( requestedEndTime );
+
+        RequestBody requestBody = modifier.getRequestBody();
+
+        KdcRequest message = getKdcRequest( tgt, requestBody );
+
+        handler.messageReceived( session, message );
+
+        ErrorMessage error = ( ErrorMessage ) session.getMessage();
+        assertEquals( "KDC cannot accommodate requested option", 13, error.getErrorCode() );
+    }
+}

Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingServiceTest.java
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message