// Token: 0x06000286 RID: 646 RVA: 0x000118C4 File Offset: 0x0000FAC4
/// <summary>
/// Authorizes a caller whose WS-Security claim sets describe an X.509 certificate user.
/// On success the Windows identity resolved for the certificate becomes
/// <c>HttpContext.Current.User</c>, the UPN is pushed into the request context and the
/// organization id is stored under "UserOrganizationId". Every failure path hands a reason
/// to <c>Return401UnauthorizedResponse</c> and returns false.
/// </summary>
/// <param name="authorizationContext">WCF authorization context whose claim sets are evaluated.</param>
/// <param name="operationContext">Current WCF operation context, used when emitting the 401.</param>
/// <returns>true when the certificate was mapped to a Windows identity; false otherwise.</returns>
private static bool CheckClaimSetsForX509CertUser(AuthorizationContext authorizationContext, OperationContext operationContext)
{
    HttpContext.Current.Items["AuthType"] = "X509Cert";
    ReadOnlyCollection<ClaimSet> claims = authorizationContext.ClaimSets;
    claims.TraceClaimSets();

    X509CertUser certUser;
    bool haveCertUser = X509CertUser.TryCreateX509CertUser(claims, out certUser);
    if (!haveCertUser)
    {
        ExTraceGlobals.AuthenticationTracer.TraceDebug(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForX509CertUser] unable to create the x509certuser");
        AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "unable to create the X509CertUser based on the given claim sets.");
        return false;
    }

    OrganizationId certOrganizationId;
    WindowsIdentity certIdentity;
    string failureDetail;
    bool haveIdentity = certUser.TryGetWindowsIdentity(out certOrganizationId, out certIdentity, out failureDetail);
    if (!haveIdentity)
    {
        ExTraceGlobals.AuthenticationTracer.TraceDebug<X509CertUser>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForX509CertUser] unable to find the windows identity for cert user: {0}", certUser);
        // NOTE(review): the detail string produced by TryGetWindowsIdentity is included in the
        // reason handed to the 401 helper; whether that reaches the wire depends on the helper.
        AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, string.Format("unable to find the windows identity for the given cert {0}, reason: {1}", certUser, failureDetail));
        return false;
    }

    ExTraceGlobals.AuthenticationTracer.TraceDebug<string, string>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForX509CertUser] ws-security header contains the x509 cert user identity: {0}, upn: {1}", Common.GetIdentityNameForTrace(certIdentity), certUser.UserPrincipalName);
    // No org name is available on this path; only the UPN is pushed.
    AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(certUser.UserPrincipalName, null);
    HttpContext.Current.User = new WindowsPrincipal(certIdentity);
    HttpContext.Current.Items["UserOrganizationId"] = certOrganizationId;
    return true;
}
// Token: 0x06000285 RID: 645 RVA: 0x000117FC File Offset: 0x0000F9FC
/// <summary>
/// Authorizes a caller presenting a partner token in the WS-Security claim sets.
/// The delegated principal and its organization id are extracted by
/// <c>PartnerToken.TryGetDelegatedPrincipalAndOrganizationId</c>; on success a
/// <c>WindowsPrincipal</c> wrapping a <c>PartnerIdentity</c> becomes
/// <c>HttpContext.Current.User</c>. On failure the partner-token unauthorized counter is
/// bumped, the extraction error message is passed to <c>Return401UnauthorizedResponse</c>
/// and false is returned.
/// </summary>
/// <param name="authorizationContext">WCF authorization context whose claim sets are evaluated.</param>
/// <param name="operationContext">Current WCF operation context, used when emitting the 401.</param>
/// <returns>true when a partner principal was installed; false otherwise.</returns>
private static bool CheckClaimSetsForPartnerUser(AuthorizationContext authorizationContext, OperationContext operationContext)
{
    HttpContext.Current.Items["AuthType"] = "Partner";
    PerformanceCounters.UpdateRequestsReceivedWithPartnerToken();
    ReadOnlyCollection<ClaimSet> claims = authorizationContext.ClaimSets;
    claims.TraceClaimSets();

    DelegatedPrincipal principal;
    OrganizationId tenantOrganizationId;
    string errorMessage;
    bool extracted = PartnerToken.TryGetDelegatedPrincipalAndOrganizationId(claims, out principal, out tenantOrganizationId, out errorMessage);
    if (!extracted)
    {
        ExTraceGlobals.AuthenticationTracer.TraceError<string>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] unable to create partner identity, error message: {0}", errorMessage);
        PerformanceCounters.UpdateUnauthorizedRequestsReceivedWithPartnerToken();
        // NOTE(review): the raw error message from the token parser is used as the 401 reason;
        // what it contains (and whether the helper echoes it to the caller) is not visible here.
        AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, errorMessage);
        return false;
    }

    ExTraceGlobals.AuthenticationTracer.TraceDebug<DelegatedPrincipal>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] ws-security header contains the partner identity: {0}", principal);

    // The principal's string form is treated as "org\user": the part before the first
    // backslash is pushed as the org name, the whole string as the user.
    string principalName = principal.ToString();
    bool havePrincipalName = !string.IsNullOrEmpty(principalName);
    if (havePrincipalName)
    {
        string orgPart = principalName.Split('\\')[0];
        AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(principalName, orgPart);
    }

    HttpContext.Current.User = new WindowsPrincipal(PartnerIdentity.Create(principal, tenantOrganizationId));
    return true;
}
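// Token: 0x06000284 RID: 644 RVA: 0x000115F4 File Offset: 0x0000F7F4
/// <summary>
/// Authorizes a federated ("external") caller. The first SAML token among the operation's
/// supporting tokens is validated by the current <c>ExternalAuthentication</c> token validator
/// for the Autodiscover offer; the validated e-mail address must be a syntactically valid SMTP
/// address. An optional SharingSecurity SOAP header, when present, is decrypted with the token's
/// proof token and must yield a non-empty SMTP address. On success an <c>ExternalIdentity</c>
/// (validated address plus the optional sharing address) wrapped in a <c>GenericPrincipal</c>
/// becomes <c>HttpContext.Current.User</c>.
/// </summary>
/// <param name="authorizationContext">WCF authorization context (not consulted directly on this path).</param>
/// <param name="operationContext">Current WCF operation context; supplies the supporting tokens and message headers and receives the 401.</param>
/// <returns>true when an external principal was installed; false after a 401 was issued.</returns>
private static bool CheckClaimSetsForExternalUser(AuthorizationContext authorizationContext, OperationContext operationContext)
{
    HttpContext.Current.Items["AuthType"] = "External";

    // Pick the first supporting token that is a SAML token; others are ignored.
    SamlSecurityToken samlSecurityToken = null;
    foreach (SupportingTokenSpecification supportingTokenSpecification in operationContext.SupportingTokens)
    {
        samlSecurityToken = (supportingTokenSpecification.SecurityToken as SamlSecurityToken);
        if (samlSecurityToken != null)
        {
            break;
        }
    }
    if (samlSecurityToken == null)
    {
        ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Found no security token in authorization context");
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Cannot find security token in authorization context");
    }

    ExternalAuthentication current = ExternalAuthentication.GetCurrent();
    if (!current.Enabled)
    {
        ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Federation is not enabled");
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Federation is not enabled");
    }

    // Token validity and a well-formed e-mail address are both required; the address is the
    // identity that ends up in the principal below.
    TokenValidationResults tokenValidationResults = current.TokenValidator.ValidateToken(samlSecurityToken, Offer.Autodiscover);
    if (tokenValidationResults.Result != TokenValidationResult.Valid || !SmtpAddress.IsValidSmtpAddress(tokenValidationResults.EmailAddress))
    {
        ExTraceGlobals.AuthenticationTracer.TraceError<TokenValidationResults>(0L, "Validation of security token in WS-Security header failed: {0}", tokenValidationResults);
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the delegation failed");
    }

    SmtpAddress smtpAddress = SmtpAddress.Empty;
    int num = -1;
    try
    {
        num = operationContext.IncomingMessageHeaders.FindHeader("SharingSecurity", "http://schemas.microsoft.com/exchange/services/2006/types");
    }
    catch (MessageHeaderException ex)
    {
        // Keep the exception details server-side. The 401 reason is built for an
        // unauthenticated caller, so it must not carry ex.ToString() (type, message and
        // stack trace); the full exception goes to the trace instead.
        ExTraceGlobals.AuthenticationTracer.TraceError<MessageHeaderException>(0L, "Exception when looking for SharingSecurity header in request: {0}", ex);
        AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Exception when looking for SharingSecurity header in request");
        return false;
    }

    if (num < 0)
    {
        // FindHeader reports absence with a negative index; the header is optional.
        ExTraceGlobals.AuthenticationTracer.TraceDebug(0L, "Request has no SharingSecurity header");
    }
    else
    {
        XmlElement header = operationContext.IncomingMessageHeaders.GetHeader<XmlElement>(num);
        // A present-but-undecryptable SharingSecurity header is a hard failure, not ignored.
        smtpAddress = SharingKeyHandler.Decrypt(header, tokenValidationResults.ProofToken);
        if (smtpAddress == SmtpAddress.Empty)
        {
            ExTraceGlobals.AuthenticationTracer.TraceError<string>(0L, "SharingSecurity is present but invalid: {0}", header.OuterXml);
            AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the SharingSecurity failed");
            return false;
        }
        ExTraceGlobals.AuthenticationTracer.TraceDebug<SmtpAddress>(0L, "SharingSecurity header contains external identity: {0}", smtpAddress);
    }

    AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(tokenValidationResults.EmailAddress, null);
    HttpContext.Current.User = new GenericPrincipal(new ExternalIdentity(new SmtpAddress(tokenValidationResults.EmailAddress), smtpAddress), null);
    return true;
}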
// Token: 0x0600027D RID: 637 RVA: 0x00010D88 File Offset: 0x0000EF88
/// <summary>
/// Authorizes a LiveId-token caller from its WS-Security claim sets. Requires an
/// Authentication/PossessProperty claim plus a PUID or ConsumerPUID, resolves that NetID to a
/// tenant AD user (root-org lookups are refused with a 403), applies the organization's
/// ToU/parental-control gate, then builds a <c>WindowsIdentity</c> from the user's
/// "sam@forestFQDN" name and installs it as <c>HttpContext.Current.User</c>.
/// </summary>
/// <param name="operationContext">Current WCF operation context; receives the 401/403 or redirect.</param>
/// <param name="claimSets">Claim sets from the authorization context.</param>
/// <returns>true only when a Windows principal was installed; otherwise the value returned by the
/// 401/403/redirect helper, or false.</returns>
private static bool CheckClaimSets(OperationContext operationContext, ReadOnlyCollection<ClaimSet> claimSets)
{
    HttpContext.Current.Items["AuthType"] = "LiveIdToken";
    claimSets.TraceClaimSets();
    bool flag = false;    // PUID claim seen and its resource accepted
    bool flag2 = false;   // ConsumerPUID claim seen and its resource accepted
    bool flag3 = false;   // ClaimTypes.Authentication / PossessProperty claim seen
    string text = null;   // PUID value
    string text2 = null;  // ConsumerPUID value
    foreach (ClaimSet claimSet in claimSets)
    {
        foreach (Claim claim in claimSet)
        {
            // Later matching claims overwrite earlier ones; a second PUID claim with a bad
            // resource resets flag to false again. Scanning stops once all three are found.
            if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/PUID", Rights.PossessProperty))
            {
                flag = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource<string>(claim, out text);
            }
            else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/ConsumerPUID", Rights.PossessProperty))
            {
                flag2 = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource<string>(claim, out text2);
            }
            else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, ClaimTypes.Authentication, Rights.PossessProperty))
            {
                flag3 = true;
            }
            if (flag && flag2 && flag3)
            {
                break;
            }
        }
        if (flag && flag2 && flag3)
        {
            break;
        }
    }
    // NOTE(review): the gate tests text/text2 for null rather than flag/flag2, so a PUID value
    // that DoesClaimHaveProperResource assigned but rejected would still pass here — confirm
    // that helper leaves the out value null on failure.
    if (!flag3 || (text == null && text2 == null))
    {
        string reason = string.Format("Did not find all necessary claims. PUID: {0}; ConsumerPUID: {1}; Auth/Possess: {2}", flag, flag2, flag3);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason));
    }
    // ConsumerPUID wins over PUID as the NetID used for the directory lookup.
    string userId = (text2 == null) ? text : text2;
    RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("UserPUID", userId);
    SmtpAddress smtpAddress;
    if (!AutodiscoverAuthorizationManager.TryGetEmailAddressInClaimSets(claimSets, out smtpAddress))
    {
        string reason2 = string.Format("Did not find EmailAddress claim for PUID: {0}; ", userId);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason2));
    }
    PropertyDefinition[] propertyDefinitionArrayUPN = new PropertyDefinition[]
    {
        ADUserSchema.UserPrincipalName,
        ADMailboxRecipientSchema.SamAccountName,
        ADObjectSchema.OrganizationId
    };
    ADRawEntry adRawEntry = null;
    try
    {
        bool isRootOrgLookup = false;
        // The AD work runs inside TrackLatency so the caller-AD latency metric covers it; the
        // delegate writes adRawEntry / isRootOrgLookup through closure captures.
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.TrackLatency(ServiceLatencyMetadata.CallerADLatency, delegate()
        {
            DateTime utcNow = DateTime.UtcNow;
            // The tenant is chosen from the e-mail claim, while the user is then looked up by NetID
            // inside that tenant.
            ADSessionSettings adsessionSettings = Common.SessionSettingsFromAddress(smtpAddress.ToString());
            RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("CheckClaimSets_SmtpAddress", smtpAddress.ToString());
            RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("AD_ChkClaim_SessionSettingsFromAddress", (DateTime.UtcNow - utcNow).TotalMilliseconds);
            utcNow = DateTime.UtcNow;
            // Never resolve a NetID against the forest-wide (root) org; the caller gets a 403 below.
            isRootOrgLookup = OrganizationId.ForestWideOrgId.Equals(adsessionSettings.CurrentOrganizationId);
            if (!isRootOrgLookup)
            {
                ITenantRecipientSession tenantRecipientSession = DirectorySessionFactory.Default.CreateTenantRecipientSession(true, ConsistencyMode.IgnoreInvalid, adsessionSettings, 596, "CheckClaimSets", "f:\\15.00.1497\\sources\\dev\\autodisc\\src\\WCF\\AutodiscoverAuthorizationManager.cs");
                RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("AD_TenantRecipientSession", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                utcNow = DateTime.UtcNow;
                adRawEntry = tenantRecipientSession.FindUniqueEntryByNetID(userId, propertyDefinitionArrayUPN);
                RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("AD_FindUniqueEntryByNetID", (DateTime.UtcNow - utcNow).TotalMilliseconds);
            }
        });
        if (isRootOrgLookup)
        {
            return (AutodiscoverAuthorizationManager.Return403UnauthorizedResponse(operationContext, "NetID lookup for root org user is not allowed"));
        }
    }
    catch (NonUniqueRecipientException arg)
    {
        // Ambiguous NetID is treated as an authentication failure, never resolved by picking one.
        ExTraceGlobals.AuthenticationTracer.TraceDebug<NonUniqueRecipientException>(0L, "FindUniqueEntryByNetId threw exception: {0}", arg);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Found more than 1 user by NetID in AD"));
    }
    if (adRawEntry == null)
    {
        // NOTE(review): an unknown NetID turns into a redirect keyed on the e-mail address taken
        // from the caller's claims — confirm RedirectCaller restricts where that can point.
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericError("Redirect as we are unable to find user:.", userId);
        return (AutodiscoverAuthorizationManager.RedirectCaller(operationContext, smtpAddress.ToString()));
    }
    string arg2 = (string)adRawEntry[ADMailboxRecipientSchema.SamAccountName];
    // Logon name handed to WindowsIdentity: "<sAMAccountName>@<forest FQDN of the entry's partition>".
    string text3 = string.Format("{0}@{1}", arg2, adRawEntry.Id.GetPartitionId().ForestFQDN);
    string text4 = (string)adRawEntry[ADUserSchema.UserPrincipalName];
    OrganizationId organizationId = (OrganizationId)adRawEntry[ADObjectSchema.OrganizationId];
    HttpContext.Current.Items["UserOrganizationId"] = organizationId;
    OrganizationProperties organizationProperties;
    if (!OrganizationPropertyCache.TryGetOrganizationProperties(organizationId, out organizationProperties))
    {
        ExTraceGlobals.AuthenticationTracer.TraceError<OrganizationId, string>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] Logon failed: could not locate org info for organization {0} even though user from this org was found {1}", organizationId, text4);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Could not find organization info via OrganizationPropertyCache"));
    }
    // ToU/parental-control gate: skipped when the org opts out; otherwise either variant of the
    // ToU claim check (true, then false) passing is enough. Any response on failure is emitted
    // by CheckClaimSetsForTOUClaims itself — this block just returns false.
    if (!organizationProperties.SkipToUAndParentalControlCheck && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, true) && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, false))
    {
        return (false);
    }
    WindowsIdentity windowsIdentity = null;
    try
    {
        // Builds the identity from the logon name alone (no credential from the caller is used).
        windowsIdentity = new WindowsIdentity(text3);
    }
    catch (UnauthorizedAccessException ex)
    {
        // windowsIdentity is necessarily still null here (the constructor threw), so the
        // ternary below always traces "<NULL>".
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendAuthError("WindowsIdentity_UnauthorizedAccessException", ex.ToString());
        ExTraceGlobals.AuthenticationTracer.TraceError<string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] UnauthorizedAccessException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a UnauthorizedAccessException"));
    }
    catch (SecurityException ex2)
    {
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendAuthError("WindowsIdentity_SecurityException", ex2.ToString());
        ExTraceGlobals.AuthenticationTracer.TraceError<string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] SecurityException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex2.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a SecurityException"));
    }
    string org = null;
    if (organizationId != null && organizationId.OrganizationalUnit != null)
    {
        org = organizationId.OrganizationalUnit.Name;
    }
    AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text4, org);
    HttpContext.Current.User = new WindowsPrincipal(windowsIdentity);
    return (true);
}