public void SamrValidatePassword_Reset_Success()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
ConnectAndOpenDomain(
GetPdcDnsName(),
_samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle,
out _domainHandle);
_SAM_VALIDATE_INPUT_ARG inputArg = new _SAM_VALIDATE_INPUT_ARG();
inputArg.ValidatePasswordResetInput = new _SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG();
DateTime lockOutTime = DateTime.Now - TimeSpan.FromDays(5);
DateTime lastSetTime = DateTime.Now - TimeSpan.FromDays(6);
_FILETIME lockout = DtypUtility.ToFileTime(lockOutTime);
_FILETIME lastset = DtypUtility.ToFileTime(lastSetTime);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Create InputArg for SamValidatePasswordReset, LockoutTime:{0}, PasswordLastSet:{1}, PasswordMustChangeAtNextLogon: {2}, PasswordHistoryLength: {3}.",
lockOutTime.ToString(),
lastSetTime.ToString(),
1,
0));
inputArg.ValidatePasswordResetInput.InputPersistedFields.LockoutTime.QuadPart = (((long)lockout.dwHighDateTime) << 32) | lockout.dwLowDateTime;
inputArg.ValidatePasswordResetInput.InputPersistedFields.PasswordLastSet.QuadPart = (((long)lastset.dwHighDateTime) << 32) | lastset.dwLowDateTime;
inputArg.ValidatePasswordResetInput.ClearPassword = DtypUtility.ToRpcUnicodeString("drowssaP02!");
inputArg.ValidatePasswordResetInput.InputPersistedFields.BadPasswordCount = 1;
inputArg.ValidatePasswordResetInput.PasswordMustChangeAtNextLogon = 1;
inputArg.ValidatePasswordResetInput.InputPersistedFields.PasswordHistoryLength = 0;
inputArg.ValidatePasswordResetInput.ClearLockout = 1;
inputArg.ValidatePasswordResetInput.InputPersistedFields.PasswordHistory = new _SAM_VALIDATE_PASSWORD_HASH[] { };
inputArg.ValidatePasswordResetInput.HashedPassword = new _SAM_VALIDATE_PASSWORD_HASH()
{
Hash = new byte[] { 0xDE, 0xAD, 0xBE, 0xEF },
Length = 4
};
BaseTestSite.Log.Add(LogEntryKind.TestStep, string.Format("Invoke SamrValidatePassword."));
_SAM_VALIDATE_OUTPUT_ARG?outputArg;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrValidatePassword(
_domainHandle,
_PASSWORD_POLICY_VALIDATION_TYPE.SamValidatePasswordReset,
inputArg,
out outputArg
);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrValidatePassword returns success.");
PtfAssert.AreEqual(_SAM_VALIDATE_VALIDATION_STATUS.SamValidateSuccess, outputArg.Value.ValidatePasswordResetOutput.ValidationStatus,
"[MS-SAMR]3.1.5.13.7.3 ValidationStatus MUST be set to SamValidateSuccess.");
PtfAssert.AreEqual(0, outputArg.Value.ValidatePasswordResetOutput.ChangedPersistedFields.PasswordLastSet.QuadPart,
"[MS-SAMR]3.1.5.13.7.3 If PasswordMustChangeAtNextLogon is nonzero, PasswordLastSet MUST be set to 0.");
PtfAssert.AreEqual(0, outputArg.Value.ValidatePasswordResetOutput.ChangedPersistedFields.LockoutTime.QuadPart,
"[MS-SAMR]3.1.5.13.7.3 LockoutTime MUST be set to 0.");
PtfAssert.AreEqual(0u, outputArg.Value.ValidatePasswordResetOutput.ChangedPersistedFields.BadPasswordCount,
"[MS-SAMR]3.1.5.13.7.3 If ValidatePasswordResetInput.InputPersistedFields.BadPasswordCount is nonzero, BadPasswordCount MUST be set to 0.");
}
/// <summary>
/// Construct Kerberos PAC pass-through logon information
/// </summary>
/// <param name="parameterControl">
/// A set of bit flags that contain information pertaining to the logon validation processing.
/// </param>
/// <param name="domainName">domain name</param>
/// <param name="userName">user name</param>
/// <param name="serverName">NetBIOS name of server </param>
/// <param name="kerbVerifyPacRequest">KERB_VERIFY_PAC_REQUEST packet</param>
/// <returns>Kerberos PAC netlogon information structure </returns>
public static _NETLOGON_LEVEL CreatePacLogonInfo(
NrpcParameterControlFlags parameterControl,
string domainName,
string userName,
string serverName,
KERB_VERIFY_PAC_REQUEST kerbVerifyPacRequest)
{
_NETLOGON_LEVEL netLogonLevel = new _NETLOGON_LEVEL();
byte[] logonData = TypeMarshal.ToBytes <KERB_VERIFY_PAC_REQUEST>(kerbVerifyPacRequest);
//Identity: A NETLOGON_LOGON_IDENTITY_INFO structure, as specified in section MS-NRPC 2.2.1.4.15,
//that contains information about the logon identity.
_NETLOGON_LOGON_IDENTITY_INFO identityInfo = NrpcUtility.CreateNetlogonIdentityInfo(
parameterControl,
domainName,
userName,
serverName);
netLogonLevel.LogonGeneric = new _NETLOGON_GENERIC_INFO[1];
netLogonLevel.LogonGeneric[0].Identity = identityInfo;
netLogonLevel.LogonGeneric[0].PackageName = DtypUtility.ToRpcUnicodeString(KERBEROS_PACKAGENAME);
netLogonLevel.LogonGeneric[0].LogonData = logonData;
netLogonLevel.LogonGeneric[0].DataLength = (uint)logonData.Length;
return(netLogonLevel);
}
/// <summary>
/// Create DPSP logon information structure
/// </summary>
/// <param name="parameterControl">
/// A set of bit flags that contain information pertaining to the logon validation processing.
/// </param>
/// <param name="digestValidationReq">DIGEST_VALIDATION_REQ structure</param>
/// <returns>Dpsp netlogon information structure</returns>
public static _NETLOGON_LEVEL CreateDpspLogonInfo(
NrpcParameterControlFlags parameterControl,
DIGEST_VALIDATION_REQ digestValidationReq)
{
if (digestValidationReq.Payload == null)
{
throw new ArgumentException(
"invalid digestValidationReq parameter: the payload field is null",
"digestValidationReq");
}
_NETLOGON_LEVEL netLogonLevel = new _NETLOGON_LEVEL();
DIGEST_VALIDATION_REQ_Payload payload =
DIGEST_VALIDATION_REQ_Payload.Parse(digestValidationReq.Payload);
byte[] logonData = TypeMarshal.ToBytes <DIGEST_VALIDATION_REQ>(digestValidationReq);
//Identity: A NETLOGON_LOGON_IDENTITY_INFO structure, as specified in section MS-NRPC 2.2.1.4.15,
//that contains information about the logon identity.
_NETLOGON_LOGON_IDENTITY_INFO identityInfo = NrpcUtility.CreateNetlogonIdentityInfo(
parameterControl,
payload.Domain,
payload.Username,
payload.ServerName);
netLogonLevel.LogonGeneric = new _NETLOGON_GENERIC_INFO[1];
netLogonLevel.LogonGeneric[0].Identity = identityInfo;
netLogonLevel.LogonGeneric[0].PackageName = DtypUtility.ToRpcUnicodeString(DIGEST_PACKAGENAME);
netLogonLevel.LogonGeneric[0].LogonData = logonData;
netLogonLevel.LogonGeneric[0].DataLength = (uint)logonData.Length;
return(netLogonLevel);
}
public void SamrUnicodeChangePasswordUser2_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
string oldPassword = "******";
string newPassword = "******";
CreateTempUser createTempUser = new CreateTempUser(
_samrProtocolAdapter,
testUserName,
oldPassword,
AdtsUserAccountControl.ADS_UF_NORMAL_ACCOUNT);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Create test user, username:{0} password:{1}.", testUserName, oldPassword));
Common.UpdatesStorage.GetInstance().PushUpdate(createTempUser);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Set user must change password to user:{0}.", testUserName));
Common.Utilities.UserMustChangePassword(
_samrProtocolAdapter.pdcFqdn,
_samrProtocolAdapter.ADDSPortNum,
_samrProtocolAdapter.primaryDomainUserContainerDN,
testUserName);
Site.Log.Add(LogEntryKind.TestStep, "Initialize: Create Samr Bind to the server.");
_samrProtocolAdapter.SamrBind(
GetPdcDnsName(),
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
SamrCryptography samrCryptography = new SamrCryptography(oldPassword, newPassword);
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("SamrUnicodeChangePasswordUser2, OldPassword:{0}, NewPassword:{1}.", oldPassword, newPassword));
HRESULT hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrUnicodeChangePasswordUser2(
SAMRProtocolAdapter.RpcAdapter.Handle,
DtypUtility.ToRpcUnicodeString(_samrProtocolAdapter.pdcNetBIOSName),
DtypUtility.ToRpcUnicodeString(testUserName),
samrCryptography.GetNewPasswordEncryptedWithOldNt(),
samrCryptography.GetOldNtEncryptedWithNewNt(),
0x01,
samrCryptography.GetNewPasswordEncryptedWithOldLm(PasswordType.Unicode),
samrCryptography.GetOldLmOwfPasswordEncryptedWithNewNt());
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrOemChangePasSamrUnicodeChangePasswordUser2swordUser2 returns success.");
}
/// <summary>
/// Creates an S4uDelegationInfo instance using the specified s4U2proxyTarget and
/// s4UTransitedServices.
/// </summary>
/// <param name="s4U2proxyTarget">the name of the principal to whom the application
/// can be constraint delegated.</param>
/// <param name="s4UTransitedServices">The list of all services that configured to
/// be delegated.</param>
/// <returns>The created S4uDelegationInfo instance.</returns>
public static S4uDelegationInfo CreateS4uInfoBuffer(
string s4U2proxyTarget,
params string[] s4UTransitedServices)
{
S4uDelegationInfo s4uInfo = new S4uDelegationInfo();
s4uInfo.NativeS4uDelegationInfo.S4U2proxyTarget = DtypUtility.ToRpcUnicodeString(s4U2proxyTarget);
s4uInfo.NativeS4uDelegationInfo.TransitedListSize = (uint)s4UTransitedServices.Length;
_RPC_UNICODE_STRING[] transitedServiceArray = new _RPC_UNICODE_STRING[s4UTransitedServices.Length];
for (int i = 0; i < transitedServiceArray.Length; i++)
{
transitedServiceArray[i] = DtypUtility.ToRpcUnicodeString(s4UTransitedServices[i]);
}
s4uInfo.NativeS4uDelegationInfo.S4UTransitedServices = transitedServiceArray;
return(s4uInfo);
}
public void SamrLookupDomainInSamServer_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: SAM_SERVER_LOOKUP_DOMAIN.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)SERVER_ACCESS_MASK.SAM_SERVER_LOOKUP_DOMAIN,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrLookupDomainInSamServer, Name: {0}.", _samrProtocolAdapter.domainMemberNetBIOSName));
_RPC_SID?domainID;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrLookupDomainInSamServer(
_serverHandle,
DtypUtility.ToRpcUnicodeString("Builtin"),
out domainID);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrLookupDomainInSamServer must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(domainID, "DomainId is not null.");
string domainSid = DtypUtility.ToSddlString(domainID.Value);
PtfAssert.AreEqual(
"S-1-5-32",
domainSid,
"The objectSid of the builtin domain must be returend.");
}
public void SamrGetDomainPasswordInformation_SUCCESS()
{
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep, "Initialize: Create Samr Bind to the server.");
_samrProtocolAdapter.SamrBind(
GetPdcDnsName(),
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
_USER_DOMAIN_PASSWORD_INFORMATION passwordInformation;
BaseTestSite.Log.Add(LogEntryKind.TestStep,
string.Format("Invoke SamrGetUserDomainPasswordInformation."));
HRESULT hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrGetDomainPasswordInformation(
SAMRProtocolAdapter.RpcAdapter.Handle,
DtypUtility.ToRpcUnicodeString(""),
out passwordInformation);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrGetUserDomainPasswordInformation returns success.");
var attributes = Microsoft.Protocols.TestSuites.ActiveDirectory.Common.Utilities.GetAttributesFromEntry(
_samrProtocolAdapter.primaryDomainDN,
new string[] { "minPwdLength", "pwdProperties" },
GetPdcDnsName(),
_samrProtocolAdapter.ADDSPortNum);
PtfAssert.AreEqual(
(int)attributes["minPwdLength"],
passwordInformation.MinPasswordLength,
"[MS-SAMR] 3.1.5.13.3 The output parameter PasswordInformation.MinPasswordLength MUST be set to the minPwdLength attribute value on the account domain object.");
PtfAssert.AreEqual(
(uint)(int)attributes["pwdProperties"],
passwordInformation.PasswordProperties,
"[MS-SAMR] 3.1.5.13.3 The output parameter PasswordInformation.PasswordProperties MUST be set to the pwdProperties attribute value on the account domain object.");
}
