internal AuthType GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection connectionProtection, CredentialsType type)
{
return(this.ldapAuthTypes[(int)connectionProtection, (int)type]);
}
internal DirectoryInformation(string adspath, NetworkCredential credentials, string connProtection, int clientSearchTimeout, int serverSearchTimeout, bool enablePasswordReset)
{
System.DirectoryServices.AuthenticationTypes[,] typesArray = new System.DirectoryServices.AuthenticationTypes[3, 2];
typesArray[1, 0] = System.DirectoryServices.AuthenticationTypes.Encryption | System.DirectoryServices.AuthenticationTypes.Secure;
typesArray[1, 1] = System.DirectoryServices.AuthenticationTypes.Encryption;
typesArray[2, 0] = System.DirectoryServices.AuthenticationTypes.Sealing | System.DirectoryServices.AuthenticationTypes.Signing | System.DirectoryServices.AuthenticationTypes.Secure;
typesArray[2, 1] = System.DirectoryServices.AuthenticationTypes.Sealing | System.DirectoryServices.AuthenticationTypes.Signing | System.DirectoryServices.AuthenticationTypes.Secure;
this.authTypes = typesArray;
this.ldapAuthTypes = new AuthType[, ] {
{ AuthType.Negotiate, AuthType.Basic }, { AuthType.Negotiate, AuthType.Basic }, { AuthType.Negotiate, AuthType.Negotiate }
};
this.adspath = adspath;
this.credentials = credentials;
this.clientSearchTimeout = clientSearchTimeout;
this.serverSearchTimeout = serverSearchTimeout;
if (!adspath.StartsWith("LDAP", StringComparison.Ordinal))
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_OnlyLdap_supported"));
}
System.Web.Security.NativeComInterfaces.IAdsPathname pathname = (System.Web.Security.NativeComInterfaces.IAdsPathname) new System.Web.Security.NativeComInterfaces.Pathname();
try
{
pathname.Set(adspath, 1);
}
catch (COMException exception)
{
if (exception.ErrorCode == -2147463168)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_invalid_path"));
}
throw;
}
try
{
this.serverName = pathname.Retrieve(9);
}
catch (COMException exception2)
{
if (exception2.ErrorCode == -2147463168)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_ServerlessADsPath_not_supported"));
}
throw;
}
this.creationContainerDN = this.containerDN = pathname.Retrieve(7);
int index = this.serverName.IndexOf(':');
if (index != -1)
{
string serverName = this.serverName;
this.serverName = serverName.Substring(0, index);
this.port = int.Parse(serverName.Substring(index + 1), NumberFormatInfo.InvariantInfo);
this.portSpecified = true;
}
if (string.Compare(connProtection, "Secure", StringComparison.Ordinal) != 0)
{
goto Label_039F;
}
bool flag = false;
bool flag2 = false;
if (!this.IsDefaultCredential())
{
this.authenticationType = this.GetAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.NonWindows);
this.ldapAuthType = this.GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.NonWindows);
try
{
this.rootdse = new DirectoryEntry(this.GetADsPath("rootdse"), this.GetUsername(), this.GetPassword(), this.authenticationType);
this.rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.Ssl;
if (!this.portSpecified)
{
this.port = 0x27c;
this.portSpecified = true;
}
goto Label_0282;
}
catch (COMException exception3)
{
if (exception3.ErrorCode != -2147023570)
{
if (exception3.ErrorCode != -2147016646)
{
throw;
}
flag = true;
}
else
{
flag2 = true;
}
goto Label_0282;
}
}
flag2 = true;
Label_0282:
if (flag2)
{
this.authenticationType = this.GetAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.Windows);
this.ldapAuthType = this.GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.Windows);
try
{
this.rootdse = new DirectoryEntry(this.GetADsPath("rootdse"), this.GetUsername(), this.GetPassword(), this.authenticationType);
this.rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.Ssl;
if (!this.portSpecified)
{
this.port = 0x27c;
this.portSpecified = true;
}
}
catch (COMException exception4)
{
if (exception4.ErrorCode != -2147016646)
{
throw;
}
flag = true;
}
}
if (!flag)
{
goto Label_0405;
}
this.authenticationType = this.GetAuthenticationTypes(ActiveDirectoryConnectionProtection.SignAndSeal, CredentialsType.Windows);
this.ldapAuthType = this.GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.SignAndSeal, CredentialsType.Windows);
try
{
this.rootdse = new DirectoryEntry(this.GetADsPath("rootdse"), this.GetUsername(), this.GetPassword(), this.authenticationType);
this.rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.SignAndSeal;
goto Label_0405;
}
catch (COMException exception5)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_Secure_connection_not_established", new object[] { exception5.Message }), exception5);
}
Label_039F:
if (this.IsDefaultCredential())
{
throw new NotSupportedException(System.Web.SR.GetString("ADMembership_Default_Creds_not_supported"));
}
this.authenticationType = this.GetAuthenticationTypes(this.connectionProtection, CredentialsType.NonWindows);
this.ldapAuthType = this.GetLdapAuthenticationTypes(this.connectionProtection, CredentialsType.NonWindows);
this.rootdse = new DirectoryEntry(this.GetADsPath("rootdse"), this.GetUsername(), this.GetPassword(), this.authenticationType);
Label_0405:
if (this.rootdse == null)
{
this.rootdse = new DirectoryEntry(this.GetADsPath("RootDSE"), this.GetUsername(), this.GetPassword(), this.authenticationType);
}
this.directoryType = this.GetDirectoryType();
if ((this.directoryType == System.Web.Security.DirectoryType.ADAM) && (this.connectionProtection == ActiveDirectoryConnectionProtection.SignAndSeal))
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_Ssl_connection_not_established"));
}
if ((this.directoryType == System.Web.Security.DirectoryType.AD) && ((this.port == 0xcc4) || (this.port == 0xcc5)))
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_GCPortsNotSupported"));
}
if (string.IsNullOrEmpty(this.containerDN))
{
if (this.directoryType == System.Web.Security.DirectoryType.AD)
{
this.containerDN = (string)this.rootdse.Properties["defaultNamingContext"].Value;
if (this.containerDN == null)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_DefContainer_not_specified"));
}
DirectoryEntry entry = new DirectoryEntry(this.GetADsPath("<WKGUID=a9d1ca15768811d1aded00c04fd8d5cd," + this.containerDN + ">"), this.GetUsername(), this.GetPassword(), this.authenticationType);
try
{
this.creationContainerDN = (string)System.Web.Security.PropertyManager.GetPropertyValue(entry, "distinguishedName");
goto Label_05DE;
}
catch (COMException exception6)
{
if (exception6.ErrorCode == -2147016656)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_DefContainer_does_not_exist"));
}
throw;
}
}
throw new ProviderException(System.Web.SR.GetString("ADMembership_Container_must_be_specified"));
}
DirectoryEntry directoryEntry = new DirectoryEntry(this.GetADsPath(this.containerDN), this.GetUsername(), this.GetPassword(), this.authenticationType);
try
{
this.creationContainerDN = this.containerDN = (string)System.Web.Security.PropertyManager.GetPropertyValue(directoryEntry, "distinguishedName");
}
catch (COMException exception7)
{
if (exception7.ErrorCode == -2147016656)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_Container_does_not_exist"));
}
throw;
}
Label_05DE:
using (LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(this.serverName + ":" + this.port), GetCredentialsWithDomain(credentials), this.ldapAuthType)
{
SessionOptions = { ProtocolVersion = 3 }
})
{
SearchResponse response;
connection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
this.SetSessionOptionsForSecureConnection(connection, false);
connection.Bind();
SearchRequest request = new SearchRequest {
DistinguishedName = this.containerDN,
Filter = "(objectClass=*)",
Scope = System.DirectoryServices.Protocols.SearchScope.Base
};
request.Attributes.Add("distinguishedName");
request.Attributes.Add("objectClass");
if (this.ServerSearchTimeout != -1)
{
request.TimeLimit = new TimeSpan(0, this.ServerSearchTimeout, 0);
}
try
{
response = (SearchResponse)connection.SendRequest(request);
if ((response.ResultCode == ResultCode.Referral) || (response.ResultCode == ResultCode.NoSuchObject))
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_Container_does_not_exist"));
}
if (response.ResultCode != ResultCode.Success)
{
throw new ProviderException(response.ErrorMessage);
}
}
catch (DirectoryOperationException exception8)
{
SearchResponse response2 = (SearchResponse)exception8.Response;
if (response2.ResultCode == ResultCode.NoSuchObject)
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_Container_does_not_exist"));
}
throw;
}
DirectoryAttribute objectClass = response.Entries[0].Attributes["objectClass"];
if (!this.ContainerIsSuperiorOfUser(objectClass))
{
throw new ProviderException(System.Web.SR.GetString("ADMembership_Container_not_superior"));
}
if ((this.connectionProtection == ActiveDirectoryConnectionProtection.None) || (this.connectionProtection == ActiveDirectoryConnectionProtection.Ssl))
{
this.concurrentBindSupported = this.IsConcurrentBindSupported(connection);
}
}
if (this.directoryType == System.Web.Security.DirectoryType.ADAM)
{
this.adamPartitionDN = this.GetADAMPartitionFromContainer();
}
else if (enablePasswordReset)
{
DirectoryEntry entry3 = new DirectoryEntry(this.GetADsPath((string)System.Web.Security.PropertyManager.GetPropertyValue(this.rootdse, "defaultNamingContext")), this.GetUsername(), this.GetPassword(), this.AuthenticationTypes);
System.Web.Security.NativeComInterfaces.IAdsLargeInteger propertyValue = (System.Web.Security.NativeComInterfaces.IAdsLargeInteger)System.Web.Security.PropertyManager.GetPropertyValue(entry3, "lockoutDuration");
long num2 = (propertyValue.HighPart * 0x100000000L) + ((uint)propertyValue.LowPart);
this.adLockoutDuration = new TimeSpan(-num2);
}
}
internal AuthType GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection connectionProtection, CredentialsType type)
{
return ldapAuthTypes[(int) connectionProtection, (int) type];
}
internal System.DirectoryServices.AuthenticationTypes GetAuthenticationTypes(ActiveDirectoryConnectionProtection connectionProtection, CredentialsType type)
{
return(this.authTypes[(int)connectionProtection, (int)type]);
}
internal DirectoryInformation(string adspath,
NetworkCredential credentials,
string connProtection,
int clientSearchTimeout,
int serverSearchTimeout,
bool enablePasswordReset)
{
//
// all parameters have already been validated at this point
//
this.adspath = adspath;
this.credentials = credentials;
this.clientSearchTimeout = clientSearchTimeout;
this.serverSearchTimeout = serverSearchTimeout;
Debug.Assert(adspath != null);
Debug.Assert(adspath.Length > 0);
//
// Provider must be LDAP
//
if (!(adspath.StartsWith("LDAP", StringComparison.Ordinal)))
throw new ProviderException(SR.GetString(SR.ADMembership_OnlyLdap_supported));
//
// Parse out the server/domain information
//
NativeComInterfaces.IAdsPathname pathCracker = (NativeComInterfaces.IAdsPathname) new NativeComInterfaces.Pathname();
try {
pathCracker.Set(adspath, NativeComInterfaces.ADS_SETTYPE_FULL);
}
catch (COMException e)
{
if (e.ErrorCode == unchecked((int) 0x80005000))
throw new ProviderException(SR.GetString(SR.ADMembership_invalid_path));
else
throw;
}
// Get the server and container names
try
{
serverName = pathCracker.Retrieve(NativeComInterfaces.ADS_FORMAT_SERVER);
}
catch (COMException e)
{
if (e.ErrorCode == unchecked((int) 0x80005000))
throw new ProviderException(SR.GetString(SR.ADMembership_ServerlessADsPath_not_supported));
else
throw;
}
Debug.Assert(serverName != null);
creationContainerDN = containerDN = pathCracker.Retrieve(NativeComInterfaces.ADS_FORMAT_X500_DN);
//
// Parse out the port number if specified
//
int index = serverName.IndexOf(':');
if (index != -1)
{
string tempStr = serverName;
serverName = tempStr.Substring(0, index);
Debug.Assert(tempStr.Length > index);
port = Int32.Parse(tempStr.Substring(index + 1), NumberFormatInfo.InvariantInfo);
portSpecified = true;
}
if (String.Compare(connProtection, "Secure", StringComparison.Ordinal) == 0)
{
//
// The logic is as follows:
// 1. Try Ssl first and check if concurrent binds are possible for validating users
// 2. If Ssl is not supported, try signing and sealing
// 3. If both the above are not supported, then we will fail
//
bool trySignAndSeal = false;
bool trySslWithSecureAuth = false;
// first try with simple bind
if (!IsDefaultCredential())
{
authenticationType = GetAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.NonWindows);
ldapAuthType = GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.NonWindows);
try
{
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
// this will force a bind
rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.Ssl;
if (!portSpecified)
{
port = SSL_PORT;
portSpecified = true;
}
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x8007052e))
{
//
// this could be an ADAM target with windows user (in that case simple bind will not work)
//
trySslWithSecureAuth = true;
}
else if (ce.ErrorCode == unchecked((int) 0x8007203a))
{
// server is not operational error, do nothing, we need to fall back to SignAndSeal
trySignAndSeal = true;
}
else
throw;
}
}
else
{
// default credentials, so we have to do secure bind
trySslWithSecureAuth = true;
}
if (trySslWithSecureAuth)
{
authenticationType = GetAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.Windows);
ldapAuthType = GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.Ssl, CredentialsType.Windows);
try
{
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
// this will force a bind
rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.Ssl;
if (!portSpecified)
{
port = SSL_PORT;
portSpecified = true;
}
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x8007203a))
{
// server is not operational error, do nothing, we need to fall back to SignAndSeal
trySignAndSeal = true;
}
else
throw;
}
}
if (trySignAndSeal)
{
authenticationType = GetAuthenticationTypes(ActiveDirectoryConnectionProtection.SignAndSeal, CredentialsType.Windows);
ldapAuthType = GetLdapAuthenticationTypes(ActiveDirectoryConnectionProtection.SignAndSeal, CredentialsType.Windows);
try
{
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
rootdse.RefreshCache();
this.connectionProtection = ActiveDirectoryConnectionProtection.SignAndSeal;
}
catch (COMException e)
{
throw new ProviderException(SR.GetString(SR.ADMembership_Secure_connection_not_established, e.Message), e);
}
}
}
else
{
//
// No connection protection
//
//
// we will do a simple bind but we must ensure that the credentials are explicitly specified
// since in the case of default credentials we cannot honor it (default credentials become anonymous in the case of
// simple bind)
//
if (IsDefaultCredential())
throw new NotSupportedException(SR.GetString(SR.ADMembership_Default_Creds_not_supported));
// simple bind
authenticationType = GetAuthenticationTypes(connectionProtection, CredentialsType.NonWindows);
ldapAuthType = GetLdapAuthenticationTypes(connectionProtection, CredentialsType.NonWindows);
rootdse = new DirectoryEntry(GetADsPath("rootdse"), GetUsername(), GetPassword(), authenticationType);
}
//
// Determine whether this is AD or ADAM by binding to the rootdse and
// checking the supported capabilities
//
if (rootdse == null)
rootdse = new DirectoryEntry(GetADsPath("RootDSE"), GetUsername(), GetPassword(), authenticationType);
directoryType = GetDirectoryType();
//
// if the directory type is ADAM and the conntectionProtection was selected
// as sign and seal, then we should throw an ProviderException. This is becuase validate user will always fail for ADAM
// because ADAM does not support secure authentication for ADAM users.
//
if ((directoryType == DirectoryType.ADAM) && (this.connectionProtection == ActiveDirectoryConnectionProtection.SignAndSeal))
throw new ProviderException(SR.GetString(SR.ADMembership_Ssl_connection_not_established));
//
// for AD, we need to block the GC ports
//
if ((directoryType == DirectoryType.AD) && ((port == GC_PORT) || (port == GC_SSL_PORT)))
throw new ProviderException(SR.GetString(SR.ADMembership_GCPortsNotSupported));
//
// if container dn is null, we need to get the default naming context
// (containerDN cannot be null for ADAM)
//
if (String.IsNullOrEmpty(containerDN))
{
if (directoryType == DirectoryType.AD)
{
containerDN = (string)rootdse.Properties["defaultNamingContext"].Value;
if (containerDN == null)
throw new ProviderException(SR.GetString(SR.ADMembership_DefContainer_not_specified));
//
// we will create users in the default users container, check that it exists
//
string wkUsersContainerPath = GetADsPath("<WKGUID=" + GUID_USERS_CONTAINER_W + "," + containerDN + ">");
DirectoryEntry containerEntry = new DirectoryEntry(wkUsersContainerPath, GetUsername(), GetPassword(), authenticationType);
try
{
creationContainerDN = (string) PropertyManager.GetPropertyValue(containerEntry, "distinguishedName");
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x80072030))
throw new ProviderException(SR.GetString(SR.ADMembership_DefContainer_does_not_exist));
else
throw;
}
}
else
{
// container must be specified for ADAM
throw new ProviderException(SR.GetString(SR.ADMembership_Container_must_be_specified));
}
}
else
{
//
// Normalize the container name (incase it was specified as GUID or WKGUID)
//
DirectoryEntry containerEntry = new DirectoryEntry(GetADsPath(containerDN), GetUsername(), GetPassword(), authenticationType);
try
{
creationContainerDN = containerDN = (string) PropertyManager.GetPropertyValue(containerEntry, "distinguishedName");
}
catch (COMException ce)
{
if (ce.ErrorCode == unchecked((int) 0x80072030))
throw new ProviderException(SR.GetString(SR.ADMembership_Container_does_not_exist));
else
throw;
}
}
//
// Check if the specified path(container) exists on the specified server/domain
// (NOTE: We need to do this using S.DS.Protocols rather than S.DS because we need to
// bypass the referral chasing which is automatic in S.DS)
//
LdapConnection tempConnection = new LdapConnection(new LdapDirectoryIdentifier(serverName + ":" + port), GetCredentialsWithDomain(credentials), ldapAuthType);
tempConnection.SessionOptions.ProtocolVersion = 3;
try
{
tempConnection.SessionOptions.ReferralChasing = System.DirectoryServices.Protocols.ReferralChasingOptions.None;
SetSessionOptionsForSecureConnection(tempConnection, false /*useConcurrentBind */);
tempConnection.Bind();
SearchRequest request = new SearchRequest();
request.DistinguishedName = containerDN;
request.Filter = "(objectClass=*)";
request.Scope = System.DirectoryServices.Protocols.SearchScope.Base;
request.Attributes.Add("distinguishedName");
request.Attributes.Add("objectClass");
if (ServerSearchTimeout != -1)
request.TimeLimit = new TimeSpan(0, ServerSearchTimeout, 0);
SearchResponse response;
try
{
response = (SearchResponse) tempConnection.SendRequest(request);
if (response.ResultCode == ResultCode.Referral || response.ResultCode == ResultCode.NoSuchObject)
throw new ProviderException(SR.GetString(SR.ADMembership_Container_does_not_exist));
else if (response.ResultCode != ResultCode.Success)
throw new ProviderException(response.ErrorMessage);
}
catch (DirectoryOperationException oe)
{
SearchResponse errorResponse = (SearchResponse) oe.Response;
if (errorResponse.ResultCode == ResultCode.NoSuchObject)
throw new ProviderException(SR.GetString(SR.ADMembership_Container_does_not_exist));
else throw;
}
//
// check that the container is of an object type that can be a superior of a user object
//
DirectoryAttribute objectClass = response.Entries[0].Attributes["objectClass"];
if (!ContainerIsSuperiorOfUser(objectClass))
throw new ProviderException(SR.GetString(SR.ADMembership_Container_not_superior));
//
// Determine whether concurrent bind is supported
//
if ((connectionProtection == ActiveDirectoryConnectionProtection.None) || (connectionProtection == ActiveDirectoryConnectionProtection.Ssl))
{
this.concurrentBindSupported = IsConcurrentBindSupported(tempConnection);
}
}
finally
{
tempConnection.Dispose();
}
//
// if this is ADAM, get the partition DN
//
if (directoryType == DirectoryType.ADAM)
{
adamPartitionDN = GetADAMPartitionFromContainer();
}
else
{
if (enablePasswordReset)
{
// for AD, get the lockout duration for user account auto unlock
DirectoryEntry de = new DirectoryEntry(GetADsPath((string) PropertyManager.GetPropertyValue(rootdse, "defaultNamingContext")), GetUsername(), GetPassword(), AuthenticationTypes);
NativeComInterfaces.IAdsLargeInteger largeIntValue = (NativeComInterfaces.IAdsLargeInteger) PropertyManager.GetPropertyValue(de, "lockoutDuration");
Int64 int64Value = largeIntValue.HighPart * 0x100000000 + (uint) largeIntValue.LowPart;
// int64Value is the negative of the number of 100 nanoseconds interval that makes up the lockout duration
adLockoutDuration = new TimeSpan(-int64Value);
}
}
}
