Ejemplo n.º 1
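        /// <summary>
        /// Reads the client principal name from an SSPI security context by querying
        /// SECPKG_ATTR_NATIVE_NAMES.
        /// </summary>
        /// <param name="context">Handle of the security context to query.</param>
        /// <returns>The client name string that SSPI placed in the names buffer.</returns>
        /// <exception cref="AuthenticationException">QueryContextAttributes did not return SEC_E_OK.</exception>
        private static string GetPrincipalNameFromContext(SecurityHandle context)
        {
            // SSPI is handed a pointer to a structure and allocates the name strings itself, so two kinds
            // of memory have to be released: our own HGlobal block and the buffers SSPI allocated.
            var name    = new SecurityContextNamesBuffer();
            var namePtr = Marshal.AllocHGlobal(Marshal.SizeOf(name));

            try
            {
                Marshal.StructureToPtr(name, namePtr, false);
                var status = SspiInterop.QueryContextAttributes(ref context, SspiInterop.SECPKG_ATTR_NATIVE_NAMES, namePtr);

                if (status != SspiInterop.SEC_E_OK)
                {
                    throw new AuthenticationException($"An unhandled exception occurred obtaining the username from the context (QueryContextAttributes returned: {status})");
                }

                // Marshal the structure once so both pointers come from the same snapshot of the buffer.
                var names = Marshal.PtrToStructure<SecurityContextNamesBuffer>(namePtr);

                try
                {
                    // NOTE(review): PtrToStringUni returns null for a null pointer; callers should treat a
                    // null or empty principal name as a failed authentication rather than an identity.
                    return Marshal.PtrToStringUni(names.clientname);
                }
                finally
                {
                    // These buffers belong to SSPI and must be returned through FreeContextBuffer, even if
                    // the string conversion above throws.
                    SspiInterop.FreeContextBuffer(names.clientname);
                    SspiInterop.FreeContextBuffer(names.servername);
                }
            }
            finally
            {
                // Always release our own allocation, including on the error path and on unexpected exceptions.
                Marshal.FreeHGlobal(namePtr);
            }
        }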
Ejemplo n.º 2
 /// <summary>
 /// Frees the SSPI handle held in <c>_context</c> (if it is non-zero) and suppresses finalization.
 /// </summary>
 public void Dispose()
 {
     // A handle whose two halves are both zero is treated as "nothing to release".
     var holdsHandle = _context.HighPart != IntPtr.Zero || _context.LowPart != IntPtr.Zero;

     if (holdsHandle)
     {
         // NOTE(review): the field is named _context but is released with FreeCredentialsHandle;
         // confirm it really stores a credentials handle and not a security context.
         FreeCredentialsHandle(_context);

         // Replace the handle after freeing it so a second Dispose() call does not free it again
         // (assumes SecurityHandle(0) zeroes both parts - confirm).
         _context = new SecurityHandle(0);
     }

     GC.SuppressFinalize(this);
 }
Ejemplo n.º 3
 // P/Invoke declaration for the SSPI AcquireCredentialsHandle function. The import attribute
 // (library name, CharSet, calling convention) is outside this excerpt.
 // Returns the native status code as an int; phCredential and ptsExpiry are passed by reference
 // so that SSPI can fill them in.
 // NOTE(review): pGetKeyFn is declared as int while the native parameter is a function pointer
 // (SEC_GET_KEY_FN); an int is not pointer-sized in a 64-bit process - confirm callers only pass 0.
 // NOTE(review): the string parameters marshal according to the CharSet on the import attribute;
 // verify it matches the ANSI/Unicode entry point that is actually bound.
 private static extern int AcquireCredentialsHandle(
     string pszPrincipal,             // SEC_CHAR*
     string pszPackage,               // SEC_CHAR* // "Kerberos","NTLM","Negotiate"
     int fCredentialUse,
     IntPtr pAuthenticationId,        // _LUID AuthenticationID,//pvLogonID, // PLUID
     IntPtr pAuthData,                // PVOID
     int pGetKeyFn,                   // SEC_GET_KEY_FN
     IntPtr pvGetKeyArgument,         // PVOID
     ref SecurityHandle phCredential, // SecHandle // PCtxtHandle ref
     ref SecurityInteger ptsExpiry);  // PTimeStamp // TimeStamp ref
Ejemplo n.º 4
 // P/Invoke declaration for the SSPI InitializeSecurityContext function (client side of the
 // handshake). The import attribute is outside this excerpt. Returns the native status code as an int.
 // NOTE(review): pOutput is declared 'out', so the caller cannot hand pre-allocated output buffers
 // to SSPI; presumably the call asks SSPI to allocate them, in which case every returned buffer
 // has to be released with FreeContextBuffer - confirm at the call sites.
 // NOTE(review): pfContextAttr reports the attributes actually granted; callers should compare it
 // with what they requested in fContextReq instead of assuming the request was honoured.
 private static extern int InitializeSecurityContext(ref SecurityHandle phCredential, // PCredHandle
                                                     ref SecurityHandle phContext,    // PCtxtHandle
                                                     string pszTargetName,
                                                     int fContextReq,
                                                     int reserved1,
                                                     int targetDataRep,
                                                     ref SecurityBufferDesciption secBufferDesc, // PSecBufferDesc SecBufferDesc
                                                     int reserved2,
                                                     out SecurityHandle phNewContext,            // PCtxtHandle
                                                     out SecurityBufferDesciption pOutput,       // PSecBufferDesc SecBufferDesc
                                                     out uint pfContextAttr,                     // native ULONG is 32 bits; a managed ulong would be 64 bits
                                                     out SecurityInteger ptsExpiry);             // PTimeStamp
Ejemplo n.º 5
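        /// <summary>
        /// Queries the security context for its Win32 access token and returns the group membership
        /// values produced by <c>GetMemebershipSids</c> for that token.
        /// </summary>
        /// <param name="context">Handle of the security context to query.</param>
        /// <returns>An array with one entry per group reported for the token.</returns>
        /// <exception cref="AuthenticationException">QueryContextAttributes did not return SEC_E_OK.</exception>
        private static string[] GetGroupMembershipFromContext(SecurityHandle context)
        {
            // The access token gives us the SIDs that represent the principal's group membership; these
            // are used to populate the Roles property.
            var accessToken    = new SecurityContextBuffer();
            var accessTokenPtr = Marshal.AllocHGlobal(Marshal.SizeOf(accessToken));

            try
            {
                Marshal.StructureToPtr(accessToken, accessTokenPtr, false);

                var status = SspiInterop.QueryContextAttributes(ref context, SspiInterop.SECPKG_ATTR_ACCESS_TOKEN, accessTokenPtr);

                if (status != SspiInterop.SEC_E_OK)
                {
                    throw new AuthenticationException($"An unhandled exception occurred obtaining the access token from the context (QueryContextAttributes returned: {status})");
                }

                // NOTE(review): ownership of the token handle is not established by this code. As far as the
                // SSPI documentation goes, the handle returned for SECPKG_ATTR_ACCESS_TOKEN is not a duplicate
                // and stays owned by the context - confirm, and make sure it is not used after the context
                // has been deleted.
                var tokenPtr = Marshal.PtrToStructure<SecurityContextBuffer>(accessTokenPtr).Buffer;

                // ToArray() enumerates the SIDs here, while the context (and therefore the token) is still alive.
                return GetMemebershipSids(tokenPtr).ToArray();
            }
            finally
            {
                // Release our own allocation on every path, including when reading the SIDs throws.
                Marshal.FreeHGlobal(accessTokenPtr);
            }
        }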
Ejemplo n.º 6
 // Partial declaration of a native interop stub; the attribute that generates the implementation
 // is outside this excerpt. Returns the native result code as an int and writes into outValue.
 // NOTE(review): presumably outValue receives the security context handle of the LDAP connection;
 // if so, the handle belongs to the LDAP session and should not be deleted by the caller - confirm.
 public static partial int ldap_get_option_sechandle(ConnectionHandle ldapHandle, LdapOption option, ref SecurityHandle outValue);
Ejemplo n.º 7
 // P/Invoke declaration; the import attribute is outside this excerpt. ldapHandle and option are
 // marked [In], outValue is passed by reference. Returns the native result code as an int.
 // NOTE(review): presumably outValue receives the security context handle of the LDAP connection;
 // if so, the handle belongs to the LDAP session and should not be deleted by the caller - confirm.
 public static extern int ldap_get_option_sechandle([In] ConnectionHandle ldapHandle, [In] LdapOption option, ref SecurityHandle outValue);
Ejemplo n.º 8
 /// <summary>Creates a handshake object around an existing NTLM security handle.</summary>
 /// <param name="ntlmHandle">Handle stored in <c>_ntlmHandle</c>; it is not validated here.</param>
 internal WindowsHandshake(SecurityHandle ntlmHandle)
 {
     this._ntlmHandle = ntlmHandle;
 }
Ejemplo n.º 9
 /// <summary>Creates the initiating (client) side of an SSPI exchange for the given target.</summary>
 /// <param name="credentials">Wrapper whose <c>Credentials</c> value is kept for later calls; must not be null.</param>
 /// <param name="target">Target name stored as-is in <c>_target</c>.</param>
 public SspiInitiator(SspiCredentials credentials, string target)
 {
     this._target = target;

     // Only the inner credentials value is kept; the wrapper object itself is not stored.
     var credentialHandle = credentials.Credentials;
     this._credentials = credentialHandle;
 }
 // P/Invoke declaration for the SSPI DeleteSecurityContext function; the import attribute is outside
 // this excerpt. The parameter is named phCredential here, but the native function takes a context handle.
 // NOTE(review): the handle is passed without ref/in; whether native code receives a pointer to it
 // depends on how SecurityHandle is declared (class or struct) - confirm.
 internal static extern SEC_RESULT DeleteSecurityContext(SecurityHandle phCredential);
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function; the import attribute is outside
 // this excerpt. Takes the credentials handle to release and returns the native status.
 // NOTE(review): the handle is passed without ref/in; whether native code receives a pointer to it
 // depends on how SecurityHandle is declared (class or struct) - confirm.
 internal static extern SEC_RESULT FreeCredentialsHandle(SecurityHandle phCredential);
 // P/Invoke declaration for the SSPI QuerySecurityContextToken function; the import attribute is
 // outside this excerpt. phToken receives a raw handle as IntPtr.
 // NOTE(review): per the SSPI documentation the caller owns the returned token handle and is
 // expected to close it when finished - confirm that every call site does, otherwise handles leak.
 internal static extern SEC_RESULT QuerySecurityContextToken(ref SecurityHandle phContext, out IntPtr phToken);
 // P/Invoke declaration for the SSPI AcquireCredentialsHandle function; the import attribute is
 // outside this excerpt. phCredential and ptsExpiry are 'out' parameters written by the native call.
 // NOTE(review): pGetKeyFn is declared as int while the native parameter is a function pointer;
 // an int is not pointer-sized in a 64-bit process - confirm callers only pass 0.
 // NOTE(review): this declaration is public; consider whether raw SSPI entry points need to be
 // visible outside the assembly.
 public static extern SEC_RESULT AcquireCredentialsHandle(string pszPrincipal, string pszPackage, CredentialsUse fCredentialUse,
                                                          IntPtr pvLogonID, IntPtr pAuthData, int pGetKeyFn, IntPtr pvGetKeyArgument, out SecurityHandle phCredential,
                                                          out SecurityInteger ptsExpiry);
Ejemplo n.º 14
 /// <summary>Creates the accepting (server) side of an SSPI exchange.</summary>
 /// <param name="credentials">Wrapper whose <c>Credentials</c> value is kept for later calls; must not be null.</param>
 public SspiAcceptor(SspiCredentials credentials)
 {
     // Only the inner credentials value is kept; the wrapper object itself is not stored.
     var credentialHandle = credentials.Credentials;
     this._credentials = credentialHandle;
 }
Ejemplo n.º 15
 // P/Invoke declaration for the SSPI AcceptSecurityContext function (server side of the handshake);
 // the import attribute is outside this excerpt. pInput and pOutput are passed by reference,
 // phNewContext, pfContextAttr and ptsTimeStamp are written by the native call.
 // NOTE(review): pfContextAttr reports the attributes actually granted; callers should compare it
 // with what they requested in fContextReq instead of assuming the request was honoured.
 // NOTE(review): phCredential is passed without ref/in; whether native code receives a pointer to it
 // depends on how SecurityHandle is declared (class or struct) - confirm.
 internal static extern SEC_RESULT AcceptSecurityContext(SecurityHandle phCredential, ref SecurityHandle phContext,
                                                         ref SecBufferDesc pInput, ASC_REQ fContextReq, Data_Rep TargetDataRep, out SecurityHandle phNewContext,
                                                         ref SecBufferDesc pOutput, out uint pfContextAttr, out SecurityInteger ptsTimeStamp);
Ejemplo n.º 16
 /// <summary>Creates a handshake object for a session around an existing NTLM security handle.</summary>
 /// <param name="sessionId">Session identifier stored as-is in <c>_sessionId</c>.</param>
 /// <param name="ntlmHandle">Handle stored in <c>_ntlmHandle</c>; it is not validated here.</param>
 internal WindowsHandshake(string sessionId, SecurityHandle ntlmHandle)
 {
     this._sessionId = sessionId;
     this._ntlmHandle = ntlmHandle;
 }