public GetSspiCredentialAsyncResult(SspiSecurityTokenProvider credentialProvider, TimeSpan timeout,
AsyncCallback callback, object state)
: base(callback, state)
{
this.allowNtlm = ConnectionOrientedTransportDefaults.AllowNtlm;
this.impersonationLevel = TokenImpersonationLevel.Identification;
if (credentialProvider == null)
{
this.EnsureCredentialInitialized();
base.Complete(true);
return;
}
this.credentialProvider = credentialProvider;
if (onGetToken == null)
{
onGetToken = Fx.ThunkCallback(new AsyncCallback(OnGetToken));
}
IAsyncResult result = credentialProvider.BeginGetToken(timeout, onGetToken, this);
if (result.CompletedSynchronously)
{
CompleteGetToken(result);
base.Complete(true);
}
}
// core Cred lookup code
static async Task <NetworkCredential> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider,
OutWrapper <TokenImpersonationLevel> impersonationLevelWrapper,
OutWrapper <bool> allowNtlmWrapper, CancellationToken cancellationToken)
{
NetworkCredential credential = null;
impersonationLevelWrapper.Value = TokenImpersonationLevel.Identification;
allowNtlmWrapper.Value = ConnectionOrientedTransportDefaults.AllowNtlm;
if (tokenProvider != null)
{
SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken);
if (token != null)
{
impersonationLevelWrapper.Value = token.ImpersonationLevel;
allowNtlmWrapper.Value = token.AllowNtlm;
if (token.NetworkCredential != null)
{
credential = token.NetworkCredential;
SecurityUtils.FixNetworkCredential(ref credential);
}
}
}
// Initialize to the default value if no token provided. A partial trust app should not have access to the
// default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
// getter will throw under partial trust.
if (credential == null)
{
credential = CredentialCache.DefaultNetworkCredentials;
}
return(credential);
}
private static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout, out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel, out bool allowNtlm)
{
NetworkCredential networkCredential = null;
extractGroupsForWindowsAccounts = true;
impersonationLevel = TokenImpersonationLevel.Identification;
allowNtlm = true;
if (tokenProvider != null)
{
SspiSecurityToken token = GetToken <SspiSecurityToken>(tokenProvider, timeout);
if (token != null)
{
extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
impersonationLevel = token.ImpersonationLevel;
allowNtlm = token.AllowNtlm;
if (token.NetworkCredential != null)
{
networkCredential = token.NetworkCredential;
System.ServiceModel.Security.SecurityUtils.FixNetworkCredential(ref networkCredential);
}
}
}
if (networkCredential == null)
{
networkCredential = CredentialCache.DefaultNetworkCredentials;
}
return(networkCredential);
}
// used by client WindowsStream security (from InitiateUpgrade)
public static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout,
out TokenImpersonationLevel impersonationLevel, out bool allowNtlm)
{
bool dummyExtractWindowsGroupClaims;
return(GetSspiCredential(tokenProvider, timeout,
out dummyExtractWindowsGroupClaims, out impersonationLevel, out allowNtlm));
}
// used by client WindowsStream security (from InitiateUpgrade)
public static async Task <NetworkCredential> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider,
OutWrapper <TokenImpersonationLevel> impersonationLevel, OutWrapper <bool> allowNtlm, CancellationToken cancellationToken)
{
OutWrapper <bool> dummyExtractWindowsGroupClaimsWrapper = new OutWrapper <bool>();
return(await GetSspiCredentialAsync(tokenProvider,
dummyExtractWindowsGroupClaimsWrapper, impersonationLevel, allowNtlm, cancellationToken));
}
// used by client WindowsStream security (from InitiateUpgrade)
public static Task <NetworkCredential> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider,
OutWrapper <TokenImpersonationLevel> impersonationLevel, OutWrapper <bool> allowNtlm, TimeSpan timeout)
{
OutWrapper <bool> dummyExtractWindowsGroupClaimsWrapper = new OutWrapper <bool>();
return(GetSspiCredentialAsync(tokenProvider,
dummyExtractWindowsGroupClaimsWrapper, impersonationLevel, allowNtlm, timeout));
}
public WindowsStreamSecurityUpgradeInitiator(
WindowsStreamSecurityUpgradeProvider parent, EndpointAddress remoteAddress, Uri via)
: base(FramingUpgradeString.Negotiate, remoteAddress, via)
{
_parent = parent;
_clientTokenProvider = TransportSecurityHelpers.GetSspiTokenProvider(
parent._securityTokenManager, remoteAddress, via, parent.Scheme, out _identityVerifier);
}
public static SspiSecurityTokenProvider GetSspiTokenProvider(SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, out IdentityVerifier identityVerifier)
{
identityVerifier = null;
if (tokenManager == null)
{
return(null);
}
SspiSecurityTokenProvider provider = tokenManager.CreateSecurityTokenProvider(CreateSspiTokenRequirement(target, via, transportScheme)) as SspiSecurityTokenProvider;
if (provider != null)
{
identityVerifier = IdentityVerifier.CreateDefault();
}
return(provider);
}
public static SspiSecurityTokenProvider GetSspiTokenProvider(
SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, AuthenticationSchemes authenticationScheme, ChannelParameterCollection channelParameters)
{
if (tokenManager != null)
{
SecurityTokenRequirement sspiRequirement = CreateSspiTokenRequirement(target, via, transportScheme);
sspiRequirement.Properties[ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty] = authenticationScheme;
if (channelParameters != null)
{
sspiRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = channelParameters;
}
SspiSecurityTokenProvider tokenProvider = tokenManager.CreateSecurityTokenProvider(sspiRequirement) as SspiSecurityTokenProvider;
return(tokenProvider);
}
return(null);
}
// core Cred lookup code
static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout,
out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel,
out bool allowNtlm)
{
NetworkCredential credential = null;
extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
impersonationLevel = TokenImpersonationLevel.Identification;
allowNtlm = ConnectionOrientedTransportDefaults.AllowNtlm;
if (tokenProvider != null)
{
SspiSecurityToken token = TransportSecurityHelpers.GetToken <SspiSecurityToken>(tokenProvider, timeout);
if (token != null)
{
extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
impersonationLevel = token.ImpersonationLevel;
allowNtlm = token.AllowNtlm;
if (token.NetworkCredential != null)
{
credential = token.NetworkCredential;
SecurityUtils.FixNetworkCredential(ref credential);
}
}
}
// Initialize to the default value if no token provided. A partial trust app should not have access to the
// default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
// getter will throw under partial trust.
if (credential == null)
{
credential = CredentialCache.DefaultNetworkCredentials;
}
return(credential);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
}
SecurityTokenProvider result = null;
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
// this is the uncorrelated duplex case
if (ClientCredentials.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
}
else
{
if (ClientCredentials.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate);
}
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
string spn = GetServicePrincipalName(initiatorRequirement);
result = new KerberosSecurityTokenProviderWrapper(
new KerberosSecurityTokenProvider(spn, ClientCredentials.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential)));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (ClientCredentials.UserName.UserName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials));
}
result = new UserNameSecurityTokenProvider(ClientCredentials.UserName.UserName, ClientCredentials.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (IsDigestAuthenticationScheme(initiatorRequirement))
{
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.HttpDigest.ClientCredential), true, TokenImpersonationLevel.Delegation);
}
else
{
#pragma warning disable 618 // to disable AllowNtlm obsolete warning.
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential),
ClientCredentials.Windows.AllowNtlm,
ClientCredentials.Windows.AllowedImpersonationLevel);
#pragma warning restore 618
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
// Where CardSpace is not supported, CardSpaceTryCreateSecurityTokenProviderStub(...) always returns false
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("uncorrelated duplex case - not supported");
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
// initiatorRequirement will never be null due to the preceding 'is' validation.
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("Security tokens are not supported for security. ");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
throw ExceptionHelper.PlatformNotSupported("X509Certificates are not supported for security. ");
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
throw ExceptionHelper.PlatformNotSupported("Kerberos is not supported for security yet. ");
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (_parent.UserName.UserName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials));
}
result = new UserNameSecurityTokenProvider(_parent.UserName.UserName, _parent.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (IsDigestAuthenticationScheme(initiatorRequirement))
{
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(_parent.HttpDigest.ClientCredential), true, _parent.HttpDigest.AllowedImpersonationLevel);
}
else
{
throw ExceptionHelper.PlatformNotSupported("NTLM is not supported for security yet. ");
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
throw ExceptionHelper.PlatformNotSupported("Spnego is not supported for security yet. ");
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
throw ExceptionHelper.PlatformNotSupported("MutualSslnego is not supported for security yet. ");
//result = CreateTlsnegoTokenProvider(initiatorRequirement, true);
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
throw ExceptionHelper.PlatformNotSupported("AnonymousSslnego is not supported for security yet. ");
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
throw ExceptionHelper.PlatformNotSupported("SecureConversation is not supported for security yet. ");
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new NotSupportedException(string.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
public WindowsStreamSecurityUpgradeInitiator(WindowsStreamSecurityUpgradeProvider parent, EndpointAddress remoteAddress, Uri via) : base("application/negotiate", remoteAddress, via)
{
this.parent = parent;
this.clientTokenProvider = TransportSecurityHelpers.GetSspiTokenProvider(parent.securityTokenManager, remoteAddress, via, parent.Scheme, out this.identityVerifier);
}
// core Cred lookup code
static async Task <(NetworkCredential, bool, TokenImpersonationLevel, bool)> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider, CancellationToken cancellationToken)
{
NetworkCredential credential = null;
bool extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
TokenImpersonationLevel impersonationLevel = TokenImpersonationLevel.Identification;
bool allowNtlm = ConnectionOrientedTransportDefaults.AllowNtlm;
if (tokenProvider != null)
{
SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken);
if (token != null)
{
extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
impersonationLevel = token.ImpersonationLevel;
allowNtlm = token.AllowNtlm;
if (token.NetworkCredential != null)
{
credential = token.NetworkCredential;
SecurityUtils.FixNetworkCredential(ref credential);
}
}
}
// Initialize to the default value if no token provided. A partial trust app should not have access to the
// default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
// getter will throw under partial trust.
if (credential == null)
{
credential = CredentialCache.DefaultNetworkCredentials;
}
return(credential, extractGroupsForWindowsAccounts, impersonationLevel, allowNtlm);
}
public static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout, out TokenImpersonationLevel impersonationLevel, out bool allowNtlm)
{
bool flag;
return(GetSspiCredential(tokenProvider, timeout, out flag, out impersonationLevel, out allowNtlm));
}
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider provider = null;
if (disableInfoCard || !this.CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out provider))
{
if (((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
{
if (this.parent.ClientCertificate.Certificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
}
provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = requirement.TokenType;
if (this.IsIssuedSecurityTokenRequirement(requirement))
{
provider = this.CreateIssuedSecurityTokenProvider(requirement);
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange))
{
provider = this.CreateServerX509TokenProvider(requirement.TargetAddress);
}
else
{
if (this.parent.ClientCertificate.Certificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
}
provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
}
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
provider = new KerberosSecurityTokenProviderWrapper(new KerberosSecurityTokenProvider(this.GetServicePrincipalName(requirement), this.parent.Windows.AllowedImpersonationLevel, System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential)), this.GetCredentialsHandle(requirement));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (this.parent.UserName.UserName == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UserNamePasswordNotProvidedOnClientCredentials")));
}
provider = new UserNameSecurityTokenProvider(this.parent.UserName.UserName, this.parent.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (this.IsDigestAuthenticationScheme(requirement))
{
provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.HttpDigest.ClientCredential), true, this.parent.HttpDigest.AllowedImpersonationLevel);
}
else
{
provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential), this.parent.Windows.AllowNtlm, this.parent.Windows.AllowedImpersonationLevel);
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
provider = this.CreateSpnegoTokenProvider(requirement);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
provider = this.CreateTlsnegoTokenProvider(requirement, true);
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
provider = this.CreateTlsnegoTokenProvider(requirement, false);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
provider = this.CreateSecureConversationSecurityTokenProvider(requirement);
}
}
}
if (provider == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { tokenRequirement })));
}
return(provider);
}
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result))
{
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
// this is the uncorrelated duplex case
if (parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
#pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation.
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement);
if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null)
{
return(new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement));
}
result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters);
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress);
}
else
{
if (parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
}
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
string spn = GetServicePrincipalName(initiatorRequirement);
result = new KerberosSecurityTokenProviderWrapper(
new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)),
GetCredentialsHandle(initiatorRequirement));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (parent.UserName.UserName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials)));
}
result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
if (IsDigestAuthenticationScheme(initiatorRequirement))
{
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel);
}
else
{
#pragma warning disable 618 // to disable AllowNtlm obsolete wanring.
result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential),
parent.Windows.AllowNtlm,
parent.Windows.AllowedImpersonationLevel);
#pragma warning restore 618
}
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = CreateSpnegoTokenProvider(initiatorRequirement);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
result = CreateTlsnegoTokenProvider(initiatorRequirement, true);
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
result = CreateTlsnegoTokenProvider(initiatorRequirement, false);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
}
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
