From be09a6811534857393e8e4e32730dbef23ce558c Mon Sep 17 00:00:00 2001
From: Steve Syfuhs
Date: Tue, 11 Nov 2025 09:32:08 -0800
Subject: [PATCH] Allow caller to pass client to authenticator

This allows the authenticator delegation to use the existing client configuration.
---
 Kerberos.NET/Client/KerberosClient.cs | 24 ++++++++++++++++++++++++
 Kerberos.NET/KerberosAuthenticator.cs | 11 ++++++++---
 Kerberos.NET/S4UProviderFactory.cs | 4 ++--
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/Kerberos.NET/Client/KerberosClient.cs b/Kerberos.NET/Client/KerberosClient.cs
index e0def520..ee1519d2 100644
--- a/Kerberos.NET/Client/KerberosClient.cs
+++ b/Kerberos.NET/Client/KerberosClient.cs
@@ -259,6 +259,30 @@ public string UserPrincipalName
 }
 }
 
+ ///
+ /// Create a new Kerberos client based on the configuration of an existing client or create a new one from scratch.
+ ///
+ /// The client to copy from
+ /// The config to pass in if the client is null
+ /// The logger to use for the new client
+ ///
+ internal static KerberosClient CopyOrCreate(KerberosClient delegationClient, Krb5Config config, ILoggerFactory logger)
+ {
+ if (delegationClient == null)
+ {
+ return new KerberosClient(config, logger) { CacheInMemory = true };
+ }
+
+ return new KerberosClient(
+ delegationClient.Configuration ?? config,
+ delegationClient.loggerFactory ?? logger,
+ delegationClient.Transports.ToArray()
+ )
+ {
+ CacheInMemory = true
+ };
+ }
+
 ///
 /// Reset any connection state that may be cached from previous attempts.
 ///
diff --git a/Kerberos.NET/KerberosAuthenticator.cs b/Kerberos.NET/KerberosAuthenticator.cs
index abf76eaa..4c52176c 100644
--- a/Kerberos.NET/KerberosAuthenticator.cs
+++ b/Kerberos.NET/KerberosAuthenticator.cs
@@ -9,6 +9,7 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using Kerberos.NET.Client;
 using Kerberos.NET.Configuration;
 using Kerberos.NET.Crypto;
 using Kerberos.NET.Entities;
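Review bot: `CopyOrCreate` in KerberosClient.cs makes a shallow copy, and its doc comment does not say so: `delegationClient.Transports.ToArray()` copies the collection but passes the same transport instances, and the same `Configuration` object, to the new client, so the caller's client and the delegation client share that state. Only the configuration, logger factory and transports are read from the source, so any other setting made directly on the passed client is not carried over, and `CacheInMemory = true` is forced on the copy whatever the source had. Whether resetting or disposing one client affects the other through the shared transports is not visible in this hunk. I would add a line to the summary such as `/// The returned client reuses the transport instances and the configuration object of the source client; it does not copy them.` and a short why-comment on the forced `CacheInMemory = true`, since this client presumably ends up holding the delegation tickets. The last doc line before the signature looks like an empty returns entry and could state that a new client is always returned.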
@@ -27,17 +28,21 @@ public class KerberosAuthenticator
 
 public UserNameFormat UserNameFormat { get; set; } = UserNameFormat.UserPrincipalName;
 
- public KerberosAuthenticator(string upn, KeyTable keytab, Krb5Config config, ILoggerFactory logger = null)
+ public KerberosAuthenticator(string upn, KeyTable keytab, KerberosClient delegationClient, ILoggerFactory logger = null)
 : this(new KerberosValidator(keytab, logger))
 {
 if (!string.IsNullOrWhiteSpace(upn))
 {
- this.s4uProvider = new S4UProviderFactory(upn, keytab, config, logger);
+ this.s4uProvider = new S4UProviderFactory(upn, keytab, delegationClient, delegationClient?.Configuration, logger);
 }
 }
 
+ public KerberosAuthenticator(string upn, KeyTable keytab, Krb5Config config = null, ILoggerFactory logger = null)
+ : this(upn, keytab, new KerberosClient(config, logger) { CacheInMemory = true }, logger)
+ { }
+
 public KerberosAuthenticator(KeyTable keytab, ILoggerFactory logger = null)
- : this(null, keytab, null, logger)
+ : this(null, keytab, (Krb5Config)null, logger)
 {
 }
 
diff --git a/Kerberos.NET/S4UProviderFactory.cs b/Kerberos.NET/S4UProviderFactory.cs
index c4718afd..cb657766 100644
--- a/Kerberos.NET/S4UProviderFactory.cs
+++ b/Kerberos.NET/S4UProviderFactory.cs
@@ -16,9 +16,9 @@ internal class S4UProviderFactory : IS4UProviderFactory
 private readonly KerberosClient client;
 private readonly KerberosCredential credential;
 
- public S4UProviderFactory(string upn, KeyTable keytab, Krb5Config config = null, ILoggerFactory logger = null)
+ public S4UProviderFactory(string upn, KeyTable keytab, KerberosClient delegationClient, Krb5Config config = null, ILoggerFactory logger = null)
 {
- this.client = new KerberosClient(config, logger) { CacheInMemory = true };
+ this.client = KerberosClient.CopyOrCreate(delegationClient, config, logger);
 this.credential = new KeytabCredential(upn, keytab);
 }
 
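Review bot: The `Krb5Config` overload in KerberosAuthenticator.cs now builds `new KerberosClient(config, logger) { CacheInMemory = true }` in its `: this(...)` initializer before the `upn` check runs, so the keytab-only constructor, which chains here with a null `upn`, allocates a client that is never used. When `upn` is set, `CopyOrCreate` builds a second client from it and the temporary one is dropped (and never disposed, if `KerberosClient` is disposable); before this change no client was created unless `upn` was non-empty. I would keep that overload on the validator path with `: this(new KerberosValidator(keytab, logger))` and, under the same `upn` guard, call `this.s4uProvider = new S4UProviderFactory(upn, keytab, null, config, logger);`, which lets `CopyOrCreate` build the single client from `config`. Separately, the two four-argument overloads differ only in the type of the third parameter, so an existing call that passes a literal `null` there becomes ambiguous, as the `(Krb5Config)null` cast added in this hunk shows; that is a source-breaking change for callers and worth a release note.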