// This will return a client token when conducted authentication on server side.
// This token can be used for impersonation. We use it to create a WindowsIdentity and hand it out to the server app.
internal SecurityContextTokenHandle GetContextToken(out Interop.SecurityStatus status)
{
if ((IsCompleted && IsValidContext) && GlobalLog.IsEnabled)
{
GlobalLog.AssertFormat("NTAuthentication#{0}::GetContextToken|Should be called only when completed with success, currently is not!", LoggingHash.HashString(this));
}
if (IsServer && GlobalLog.IsEnabled)
{
GlobalLog.AssertFormat("NTAuthentication#{0}::GetContextToken|The method must not be called by the client side!", LoggingHash.HashString(this));
}
if (!IsValidContext)
{
throw new Win32Exception((int)Interop.SecurityStatus.InvalidHandle);
}
SecurityContextTokenHandle token = null;
status = (Interop.SecurityStatus)SSPIWrapper.QuerySecurityContextToken(
GlobalSSPI.SSPIAuth,
_securityContext,
out token);
return(token);
}
internal static IIdentity GetIdentity(NTAuthentication context)
{
IIdentity result = null;
string name = context.IsServer ? context.AssociatedName : context.Spn;
string protocol = context.ProtocolName;
if (context.IsServer)
{
SecurityContextTokenHandle token = null;
try
{
SecurityStatusPal status;
SafeDeleteContext securityContext = context.GetContext(out status);
if (status.ErrorCode != SecurityStatusPalErrorCode.OK)
{
throw new Win32Exception((int)SecurityStatusAdapterPal.GetInteropFromSecurityStatusPal(status));
}
// This will return a client token when conducted authentication on server side.
// This token can be used for impersonation. We use it to create a WindowsIdentity and hand it out to the server app.
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.QuerySecurityContextToken(
GlobalSSPI.SSPIAuth,
securityContext,
out token);
if (winStatus != Interop.SECURITY_STATUS.OK)
{
throw new Win32Exception((int)winStatus);
}
string authtype = context.ProtocolName;
// TODO #5241:
// The following call was also specifying WindowsAccountType.Normal, true.
// WindowsIdentity.IsAuthenticated is no longer supported in CoreFX.
result = new WindowsIdentity(token.DangerousGetHandle(), authtype);
return(result);
}
catch (SecurityException)
{
// Ignore and construct generic Identity if failed due to security problem.
}
finally
{
if (token != null)
{
token.Dispose();
}
}
}
// On the client we don't have access to the remote side identity.
result = new GenericIdentity(name, protocol);
return(result);
}
internal SecurityContextTokenHandle GetContextToken()
{
Interop.SecurityStatus status;
SecurityContextTokenHandle token = GetContextToken(out status);
if (status != Interop.SecurityStatus.OK)
{
throw new Win32Exception((int)status);
}
return(token);
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle safeHandle)
{
safeHandle = null;
try
{
bool ignore = false;
phContext.DangerousAddRef(ref ignore);
return(Interop.SspiCli.QuerySecurityContextToken(ref phContext._handle, out safeHandle));
}
finally
{
phContext.DangerousRelease();
}
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle safeHandle)
{
int status = (int)Interop.SecurityStatus.InvalidHandle;
safeHandle = null;
try
{
bool ignore = false;
phContext.DangerousAddRef(ref ignore);
status = Interop.Secur32.QuerySecurityContextToken(ref phContext._handle, out safeHandle);
}
finally
{
phContext.DangerousRelease();
}
return(status);
}
internal IIdentity GetIdentity()
{
CheckThrow(true);
IIdentity result = null;
string name = _context.IsServer ? _context.AssociatedName : _context.Spn;
string protocol = "NTLM";
protocol = _context.ProtocolName;
if (_context.IsServer)
{
SecurityContextTokenHandle token = null;
try
{
token = _context.GetContextToken();
string authtype = _context.ProtocolName;
// TODO #5241:
// The following call was also specifying WindowsAccountType.Normal, true.
// WindowsIdentity.IsAuthenticated is no longer supported in CoreFX.
result = new WindowsIdentity(token.DangerousGetHandle(), authtype);
return(result);
}
catch (SecurityException)
{
// Ignore and construct generic Identity if failed due to security problem.
}
finally
{
if (token != null)
{
token.Dispose();
}
}
}
// On the client we don't have access to the remote side identity.
result = new GenericIdentity(name, protocol);
return(result);
}
public int QuerySecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle phToken)
{
return(GetSecurityContextToken(phContext, out phToken));
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle safeHandle)
{
safeHandle = null;
try
{
bool ignore = false;
phContext.DangerousAddRef(ref ignore);
return Interop.SspiCli.QuerySecurityContextToken(ref phContext._handle, out safeHandle);
}
finally
{
phContext.DangerousRelease();
}
}
public int QuerySecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle phToken)
{
return GetSecurityContextToken(phContext, out phToken);
}
internal static extern int QuerySecurityContextToken(
ref CredHandle phContext,
[Out] out SecurityContextTokenHandle handle);
internal static partial int QuerySecurityContextToken(
ref CredHandle phContext,
out SecurityContextTokenHandle handle);
public static int QuerySecurityContextToken(SSPIInterface secModule, SafeDeleteContext context, out SecurityContextTokenHandle token)
{
return(secModule.QuerySecurityContextToken(context, out token));
}
public static int QuerySecurityContextToken(SSPIInterface secModule, SafeDeleteContext context, out SecurityContextTokenHandle token)
{
return secModule.QuerySecurityContextToken(context, out token);
}
public int QuerySecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle phToken)
{
throw new NotSupportedException();
}
public int QuerySecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle phToken)
{
throw new NotSupportedException();
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle safeHandle)
{
int status = (int)Interop.SecurityStatus.InvalidHandle;
safeHandle = null;
try
{
bool ignore = false;
phContext.DangerousAddRef(ref ignore);
status = Interop.Secur32.QuerySecurityContextToken(ref phContext._handle, out safeHandle);
}
finally
{
phContext.DangerousRelease();
}
return status;
}
