AzureAD · neha-bhargava · Sep 12, 2025 · Sep 15, 2025 · Sep 18, 2025 · Oct 1, 2025
@@ -81,6 +81,7 @@ public string ClientVersion
         /// <summary>
         /// Kerberos Service Ticket container to be used.
         /// </summary>
+        [Obsolete]
         public KerberosTicketContainer TicketContainer { get; set; } = KerberosTicketContainer.IdToken;
 
         [Obsolete("Telemetry is sent automatically by MSAL.NET. See https://aka.ms/msal-net-telemetry.")]

@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Collections;
 using System.Collections.Generic;
 using System.ComponentModel;
 using Microsoft.Identity.Client.Kerberos;
@@ -102,11 +101,15 @@ public abstract class ApplicationOptions : BaseApplicationOptions
         /// <summary>
         /// Service principal name for Kerberos Service Ticket.
         /// </summary>
+        [Obsolete]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         public string KerberosServicePrincipalName { get; set; } = string.Empty;
 
         /// <summary>
         /// Kerberos Service Ticket container to be used.
-        /// </summary>
+        /// </summary>
+        [Obsolete]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         public KerberosTicketContainer TicketContainer { get; set; } = KerberosTicketContainer.IdToken;
     }
 }
@@ -1,12 +1,6 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System;
-using System.Collections;
-using System.Collections.Generic;
-using System.ComponentModel;
-using Microsoft.Identity.Client.Kerberos;
-
 namespace Microsoft.Identity.Client
 {
     /// <summary>

@@ -51,8 +51,7 @@ public static PublicClientApplicationBuilder CreateWithApplicationOptions(Public
         {
             var config = new ApplicationConfiguration(MsalClientType.PublicClient);
             return new PublicClientApplicationBuilder(config)
-                .WithOptions(options)
-                .WithKerberosTicketClaim(options.KerberosServicePrincipalName, options.TicketContainer);
+                .WithOptions(options);
         }
 
         /// <summary>
@@ -324,10 +323,10 @@ public PublicClientApplicationBuilder WithParentActivityOrWindow(Func<IntPtr> wi
         /// The expiry of the Kerberos ticket is tied to the expiry of the token that contains it.
         /// MSAL provides several helper APIs to read and write Kerberos tickets from the Windows Ticket Cache - see <see cref="KerberosSupplementalTicketManager"/>.
         /// </remarks>
+        [Obsolete]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         public PublicClientApplicationBuilder WithKerberosTicketClaim(string servicePrincipalName, KerberosTicketContainer ticketContainer)
         {
-            Config.KerberosServicePrincipalName = servicePrincipalName;
-            Config.TicketContainer = ticketContainer;
             return this;
         }
 

@@ -1,11 +1,16 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
+using System.ComponentModel;
+
 namespace Microsoft.Identity.Client.Kerberos
 {
     /// <summary>
     /// The Kerberos key types used in this assembly.
     /// </summary>
+    [Obsolete]
+    [EditorBrowsable(EditorBrowsableState.Never)]
     public enum KerberosKeyTypes
     {
         /// <summary>

@@ -1,5 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
+using System;
+using System.ComponentModel;
 
 #if SUPPORTS_SYSTEM_TEXT_JSON
 using JsonProperty = System.Text.Json.Serialization.JsonPropertyNameAttribute;
@@ -13,6 +15,8 @@ namespace Microsoft.Identity.Client.Kerberos
     /// Class for Kerberos tickets that are included as claims and used as a supplemental token in an OAuth/OIDC
     /// protocol response.
     /// </summary>
+    [Obsolete]
+    [EditorBrowsable(EditorBrowsableState.Never)]
     public class KerberosSupplementalTicket
     {
         /// <summary>

@@ -23,6 +23,8 @@ namespace Microsoft.Identity.Client.Kerberos
     /// <summary>
     /// Helper class to manage Kerberos Ticket Claims.
     /// </summary>
+    [Obsolete]
+    [EditorBrowsable(EditorBrowsableState.Never)]
     public static class KerberosSupplementalTicketManager
     {
         private const int DefaultLogonId = 0;
@@ -95,26 +97,7 @@ public static void SaveToWindowsTicketCache(KerberosSupplementalTicket ticket)
         /// </remarks>
         public static void SaveToWindowsTicketCache(KerberosSupplementalTicket ticket, long logonId)
         {
-#if !SUPPORTS_WIN32
-            throw new PlatformNotSupportedException("Ticket Cache interface is not supported for this .NET platform. It is supported on .NET Classic, .NET Core and NetStandadrd");
-#else
-            if (!DesktopOsHelper.IsWindows())
-            {
-                throw new PlatformNotSupportedException("Ticket Cache interface is not supported on this OS. It is supported on Windows only.");
-
-            }
-
-            if (ticket == null || string.IsNullOrEmpty(ticket.KerberosMessageBuffer))
-            {
-                throw new ArgumentException("Kerberos Ticket information is not valid");
-            }
-
-            using (var cache = Platforms.Features.DesktopOs.Kerberos.TicketCacheWriter.Connect())
-            {
-                byte[] krbCred = Convert.FromBase64String(ticket.KerberosMessageBuffer);
-                cache.ImportCredential(krbCred, logonId);
-            }
-#endif
+            throw new NotImplementedException("This method is deprecated.");
         }
 
         /// <summary>
@@ -144,20 +127,7 @@ public static byte[] GetKerberosTicketFromWindowsTicketCache(string servicePrinc
         /// </remarks>
         public static byte[] GetKerberosTicketFromWindowsTicketCache(string servicePrincipalName, long logonId)
         {
-#if !SUPPORTS_WIN32
-            throw new PlatformNotSupportedException("Ticket Cache interface is not supported for this .NET platform. It is supported on .NET Classic, .NET Core and NetStandadrd");
-#else
-            if (!DesktopOsHelper.IsWindows())
-            {
-                throw new PlatformNotSupportedException("Ticket Cache interface is not supported on this OS. It is supported on Windows only.");
-
-            }
-
-            using (var reader = new Platforms.Features.DesktopOs.Kerberos.TicketCacheReader(servicePrincipalName, logonId))
-            {
-                return reader.RequestToken();
-            }
-#endif
+            throw new NotImplementedException("This method is deprecated.");
         }
 
         /// <summary>
@@ -175,32 +145,5 @@ public static byte[] GetKrbCred(KerberosSupplementalTicket ticket)
 
             return null;
         }
-
-        /// <summary>
-        /// Generate a Kerberos Ticket Claim string.
-        /// </summary>
-        /// <param name="servicePrincipalName">Service principal name to use.</param>
-        /// <param name="ticketContainer">Ticket container to use.</param>
-        /// <returns>A Kerberos Ticket Claim string if valid service principal name was given. Empty string, otherwise.</returns>
-        internal static string GetKerberosTicketClaim(string servicePrincipalName, KerberosTicketContainer ticketContainer)
-        {
-            if (string.IsNullOrEmpty(servicePrincipalName))
-            {
-                return string.Empty;
-            }
-
-            if (ticketContainer == KerberosTicketContainer.IdToken)
-            {
-                return string.Format(
-                    CultureInfo.InvariantCulture,
-                    IdTokenAsRepTemplate,
-                    servicePrincipalName);
-            }
-
-            return string.Format(
-                CultureInfo.InvariantCulture,
-                AccessTokenAsRepTemplate,
-                servicePrincipalName);
-        }
     }
 }
@@ -1,11 +1,16 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
+using System.ComponentModel;
+
 namespace Microsoft.Identity.Client.Kerberos
 {
     /// <summary>
     /// Declares the type of container to use for Kerberos Ticket Claim.
     /// </summary>
+    [Obsolete]
+    [EditorBrowsable(EditorBrowsableState.Never)]
     public enum KerberosTicketContainer
     {
         /// <summary>

@@ -149,10 +149,7 @@ await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsyn
 
             _oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
 
-            // Add Kerberos Ticket claims if there's valid service principal name in Configuration.
-            // Kerberos Ticket claim is only allowed at token request due to security issue.
-            // It should not be included for authorize request.
-            AddClaims();
+            _oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);
 
             foreach (var kvp in additionalBodyParameters)
             {
@@ -183,42 +180,6 @@ await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsyn
             AddExtraHttpHeaders();
         }
 
-        /// <summary>
-        /// Add Claims, including ClientCapabilities, to body parameter for POST request.
-        /// </summary>
-        private void AddClaims()
-        {
-            string kerberosClaim = KerberosSupplementalTicketManager.GetKerberosTicketClaim(
-                _requestParams.RequestContext.ServiceBundle.Config.KerberosServicePrincipalName,
-                _requestParams.RequestContext.ServiceBundle.Config.TicketContainer);
-            string resolvedClaims;
-            if (string.IsNullOrEmpty(kerberosClaim))
-            {
-                resolvedClaims = _requestParams.ClaimsAndClientCapabilities;
-            }
-            else
-            {
-                if (!string.IsNullOrEmpty(_requestParams.ClaimsAndClientCapabilities))
-                {
-                    var existingClaims = JsonHelper.ParseIntoJsonObject(_requestParams.ClaimsAndClientCapabilities);
-                    var mergedClaims = ClaimsHelper.MergeClaimsIntoCapabilityJson(kerberosClaim, existingClaims);
-
-                    resolvedClaims = JsonHelper.JsonObjectToString(mergedClaims);
-                    _requestParams.RequestContext.Logger.Verbose(
-                        () => $"Adding kerberos claim + Claims/ClientCapabilities to request: {resolvedClaims}");
-                }
-                else
-                {
-                    resolvedClaims = kerberosClaim;
-                    _requestParams.RequestContext.Logger.Verbose(
-                        () => $"Adding kerberos claim to request: {resolvedClaims}");
-                }
-            }
-
-            // no-op if resolvedClaims is null
-            _oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, resolvedClaims);
-        }
-
         private void AddExtraHttpHeaders()
         {
             if (_requestParams.ExtraHttpHeaders != null)

@@ -1,15 +1,19 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
+using System.ComponentModel;
+
 namespace Microsoft.Identity.Client.Platforms.Features.DesktopOs.Kerberos
 {
     /// <summary>
     /// Previously authenticated logon data used by a security principal to establish its own identity, 
     /// such as a password, or a Kerberos protocol ticket.
     /// </summary>
+    [Obsolete]
+    [EditorBrowsable(EditorBrowsableState.Never)]
     public abstract class Credential
     {
-        internal abstract CredentialHandle Structify();
 
         /// <summary>
         /// Create a new <see cref="Credential"/> object.
@@ -22,10 +26,7 @@ public static Credential Current()
 
         private class CurrentCredential : Credential
         {
-            internal unsafe override CredentialHandle Structify()
-            {
-                return new CredentialHandle((void*)0);
-            }
+
         }
     }
 }