private static ObjectSecurity GetServerAdminSecurity()
{
FileSecurity securityDescriptor = null;
ADNotificationAdapter.TryRunADOperation(delegate()
{
ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 578, "GetServerAdminSecurity", "f:\\15.00.1497\\sources\\dev\\data\\src\\ApplicationLogic\\ProcessAccessManager.cs");
Server server = null;
try
{
server = topologyConfigurationSession.FindLocalServer();
}
catch (LocalServerNotFoundException)
{
return;
}
RawSecurityDescriptor rawSecurityDescriptor = server.ReadSecurityDescriptor();
if (rawSecurityDescriptor != null)
{
securityDescriptor = new FileSecurity();
byte[] array = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array, 0);
securityDescriptor.SetSecurityDescriptorBinaryForm(array);
IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 605, "GetServerAdminSecurity", "f:\\15.00.1497\\sources\\dev\\data\\src\\ApplicationLogic\\ProcessAccessManager.cs");
SecurityIdentifier exchangeServersUsgSid = rootOrganizationRecipientSession.GetExchangeServersUsgSid();
FileSystemAccessRule fileSystemAccessRule = new FileSystemAccessRule(exchangeServersUsgSid, FileSystemRights.ReadData, AccessControlType.Allow);
securityDescriptor.SetAccessRule(fileSystemAccessRule);
SecurityIdentifier identity = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
fileSystemAccessRule = new FileSystemAccessRule(identity, FileSystemRights.ReadData, AccessControlType.Allow);
securityDescriptor.AddAccessRule(fileSystemAccessRule);
return;
}
}, 3);
return(securityDescriptor);
}
private static IEnumerable <ADRawEntry> ReadDkmAdObjects(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, StringBuilder detailStatus)
{
string dkmContainerDN = TestDataCenterDKMAccess.CreateDkmContainerDN(dkmContainerName, rootDomain);
ADRawEntry[] dkmObjects = null;
ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
{
dkmObjects = session.Find(new ADObjectId(dkmContainerDN), QueryScope.SubTree, new CustomLdapFilter("(objectClass=contact)"), null, -1, new ADPropertyDefinition[]
{
ADObjectSchema.Name
});
});
if (!adoperationResult.Succeeded)
{
detailStatus.AppendFormat("Failed to read DKM objects under DN {0} with exception {1}", dkmContainerDN, (adoperationResult.Exception == null) ? "N/A" : adoperationResult.Exception.Message);
return(null);
}
if (dkmObjects.Length == 0)
{
detailStatus.AppendFormat("Failed to find any DKM objects under DN {0}. Examine the ACL settings on DKM objects to ensure the Exchange Servers group is allowed.", dkmContainerDN);
return(null);
}
return(dkmObjects);
}
protected override void InternalProcessRecord()
{
bool flag = true;
StringBuilder stringBuilder = new StringBuilder();
ADDomain addomain = ADForest.GetLocalForest().FindRootDomain(true);
if (addomain == null)
{
flag = false;
stringBuilder.AppendLine("Failed to read root domain");
}
else
{
IRootOrganizationRecipientSession session = TestDataCenterDKMAccess.CreateAdSession();
foreach (Tuple <string, Dictionary <SecurityIdentifier, ActiveDirectoryRights> > tuple in this.ExpectedAccessRights)
{
flag &= TestDataCenterDKMAccess.VerifyDkmObjectPermissions(session, tuple.Item1, addomain.Id.ToDNString(), tuple.Item2, stringBuilder);
}
}
if (flag)
{
stringBuilder.Append("DKM has correct ACL settings");
}
this.ReportDkmAclStatus(flag, stringBuilder);
}
// Token: 0x06000026 RID: 38 RVA: 0x00002938 File Offset: 0x00000B38
private static ObjectSecurity GetRpcSecurityDescriptor()
{
FileSecurity fileSecurity = new FileSecurity();
IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 348, "GetRpcSecurityDescriptor", "f:\\15.00.1497\\sources\\dev\\data\\src\\ThrottlingService\\Service\\ThrottlingRpcServerImpl.cs");
ThrottlingService.StartStopBreadcrumbs.Drop("Calling GetExchangeServersUsgSid", new object[0]);
SecurityIdentifier exchangeServersUsgSid = rootOrganizationRecipientSession.GetExchangeServersUsgSid();
ThrottlingService.StartStopBreadcrumbs.Drop("GetExchangeServersUsgSid call completed", new object[0]);
FileSystemAccessRule fileSystemAccessRule = new FileSystemAccessRule(exchangeServersUsgSid, FileSystemRights.ReadData, AccessControlType.Allow);
fileSecurity.SetAccessRule(fileSystemAccessRule);
if (ThrottlingAppConfig.AuthenticatedUsersRpcEnabled)
{
SecurityIdentifier identity = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
fileSystemAccessRule = new FileSystemAccessRule(identity, FileSystemRights.ReadData, AccessControlType.Allow);
fileSecurity.AddAccessRule(fileSystemAccessRule);
ThrottlingService.Tracer.TraceDebug(0L, "RPC calls are allowed for all authenticated users.");
}
SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
fileSystemAccessRule = new FileSystemAccessRule(securityIdentifier, FileSystemRights.ReadData, AccessControlType.Allow);
fileSecurity.AddAccessRule(fileSystemAccessRule);
SecurityIdentifier identity2 = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
fileSystemAccessRule = new FileSystemAccessRule(identity2, FileSystemRights.ReadData, AccessControlType.Allow);
fileSecurity.AddAccessRule(fileSystemAccessRule);
fileSecurity.SetOwner(securityIdentifier);
return(fileSecurity);
}
// Token: 0x0600018B RID: 395 RVA: 0x00007A68 File Offset: 0x00005C68
public void Init()
{
ExTraceGlobals.DatabaseManagerTracer.TraceDebug <DatabaseManager>((long)this.GetHashCode(), "{0}: Really starting", this);
AIBreadcrumbs.DatabaseStatusTrail.Drop("Init Starting. Waiting on lock.");
bool flag = false;
try
{
Monitor.Enter(this, ref flag);
AIBreadcrumbs.DatabaseStatusTrail.Drop("Init startup progressing. Lock acquired.");
SecurityIdentifier exchangeServersSid = null;
ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
{
IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 514, "Init", "f:\\15.00.1497\\sources\\dev\\assistants\\src\\Assistants\\DatabaseManager.cs");
exchangeServersSid = rootOrganizationRecipientSession.GetExchangeServersUsgSid();
});
if (exchangeServersSid == null)
{
AIBreadcrumbs.DatabaseStatusTrail.Drop("Database Manager unable to contact AD.");
TransientServerException ex = new TransientServerException(adoperationResult.Exception);
ExTraceGlobals.DatabaseManagerTracer.TraceDebug <DatabaseManager, ADOperationErrorCode, TransientServerException>((long)this.GetHashCode(), "{0}: Unable to contact AD. Will not continue to start at this time. Code: {1}, Exception: {2}", this, adoperationResult.ErrorCode, ex);
throw ex;
}
if (this.startState != DatabaseManager.StartState.Started)
{
ExTraceGlobals.DatabaseManagerTracer.TraceDebug <DatabaseManager, DatabaseManager.StartState>((long)this.GetHashCode(), "{0}: Init when not started: {1}", this, this.startState);
return;
}
this.performanceCountersTotal = new PerformanceCountersPerDatabaseInstance(this.serviceName + "-Total", null);
this.performanceCountersTotal.Reset();
if (this.timeBasedDriverManager != null)
{
this.timeBasedDriverManager.Start(exchangeServersSid);
}
this.databaseStatusTimer = new Timer(new TimerCallback(this.CheckDatabaseStatusTimerProc));
this.databaseStatusTimer.Change(TimeSpan.Zero, DatabaseManager.DatabaseStatusPollingInterval);
base.TracePfd("PFD AIS {0} {1}: Started", new object[]
{
23383,
this
});
this.startState = DatabaseManager.StartState.Initialized;
}
finally
{
if (flag)
{
Monitor.Exit(this);
}
}
AIBreadcrumbs.DatabaseStatusTrail.Drop("Database manager startup completed.");
}
internal override AdminRoleDefinition[] ComputeAdminRoles(IRootOrganizationRecipientSession recipientSession, ITopologyConfigurationSession configSession)
{
string containerDN = configSession.ConfigurationNamingContext.ToDNString();
ADGroup adgroup = recipientSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EmaWkGuid, containerDN);
return(new AdminRoleDefinition[]
{
new AdminRoleDefinition(adgroup.Sid, "RecipientAdmins"),
new AdminRoleDefinition(recipientSession.GetExchangeServersUsgSid(), "ExchangeServers"),
new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), "LocalSystem"),
new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), "BuiltinAdmins")
});
}
// Token: 0x060006FA RID: 1786 RVA: 0x0001A1CC File Offset: 0x000183CC
public static OrganizationId ResolveCurrentUserOrganization(out ADObjectId userId)
{
userId = null;
try
{
using (WindowsIdentity current = WindowsIdentity.GetCurrent())
{
if (current == null)
{
return(null);
}
IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 1263, "ResolveCurrentUserOrganization", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\BaseTasks\\TaskHelper.cs");
ADRawEntry adrawEntry = rootOrganizationRecipientSession.FindADRawEntryBySid(current.User, new ADPropertyDefinition[]
{
ADObjectSchema.RawName,
ADObjectSchema.Name,
ADObjectSchema.Id,
ADObjectSchema.ExchangeVersion,
ADObjectSchema.OrganizationalUnitRoot,
ADObjectSchema.ConfigurationUnit
});
if (adrawEntry == null)
{
return(null);
}
userId = adrawEntry.Id;
return((OrganizationId)adrawEntry[ADObjectSchema.OrganizationId]);
}
}
catch (InvalidOperationException e)
{
TaskLogger.LogError(e);
}
catch (DataSourceOperationException e2)
{
TaskLogger.LogError(e2);
}
catch (TransientException e3)
{
TaskLogger.LogError(e3);
}
catch (DataValidationException e4)
{
TaskLogger.LogError(e4);
}
return(null);
}
internal override AdminRoleDefinition[] ComputeAdminRoles(IRootOrganizationRecipientSession recipientSession, ITopologyConfigurationSession configSession)
{
string containerDN = configSession.ConfigurationNamingContext.ToDNString();
ADGroup adgroup = recipientSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EmaWkGuid, containerDN);
List <AdminRoleDefinition> list = new List <AdminRoleDefinition>(4);
list.Add(new AdminRoleDefinition(adgroup.Sid, "RecipientAdmins"));
list.Add(new AdminRoleDefinition(recipientSession.GetExchangeServersUsgSid(), "ExchangeServers"));
list.Add(new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), "LocalSystem"));
list.Add(new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), "BuiltinAdmins"));
SecurityIdentifier[] additionalSids = this.GetAdditionalSids();
for (int i = 0; i < additionalSids.Length; i++)
{
string roleName = string.Format("AdditionalAdminRoleFromConfiguration {0}", i);
list.Add(new AdminRoleDefinition(additionalSids[i], roleName));
}
return(list.ToArray());
}
private AdminRoleDefinition[] GetAdminRoles()
{
if (this.adminRoles == null)
{
lock (this.adminRolesLock)
{
if (this.adminRoles == null)
{
CommonUtils.CatchKnownExceptions(delegate
{
IRootOrganizationRecipientSession recipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 241, "GetAdminRoles", "f:\\15.00.1497\\sources\\dev\\mrs\\src\\Common\\AuthorizationManagerBase.cs");
ITopologyConfigurationSession configSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 246, "GetAdminRoles", "f:\\15.00.1497\\sources\\dev\\mrs\\src\\Common\\AuthorizationManagerBase.cs");
this.adminRoles = this.ComputeAdminRoles(recipientSession, configSession);
}, null);
}
}
}
return(this.adminRoles);
}
private ADSystemMailbox FindSystemMailbox(ADSessionSettings settings)
{
IRootOrganizationRecipientSession session = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.IgnoreInvalid, settings, 796, "FindSystemMailbox", "f:\\15.00.1497\\sources\\dev\\data\\src\\storage\\ResourceHealth\\MdbSystemMailboxPinger.cs");
ADRecipient[] adRecipients = null;
ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
{
adRecipients = session.Find(null, QueryScope.SubTree, new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Name, this.systemMailboxName), null, 1);
});
if (!adoperationResult.Succeeded)
{
throw adoperationResult.Exception;
}
if (adRecipients.Length != 1 || !(adRecipients[0] is ADSystemMailbox))
{
throw new ObjectNotFoundException(ServerStrings.AdUserNotFoundException(string.Format("SystemMailbox {0} was not found", this.systemMailboxName)));
}
return((ADSystemMailbox)adRecipients[0]);
}
private static ADUser[] InternalFindEnterprise(OrganizationCapability capability, ADObjectId databaseId)
{
ADSessionSettings sessionSettings = ADSessionSettings.FromRootOrgScopeSet();
IRootOrganizationRecipientSession session = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(null, null, LcidMapper.DefaultLcid, true, ConsistencyMode.IgnoreInvalid, null, sessionSettings, 558, "InternalFindEnterprise", "f:\\15.00.1497\\sources\\dev\\data\\src\\storage\\OrganizationMailbox\\OrganizationMailbox.cs");
QueryFilter optionalFilter;
if (databaseId != null)
{
optionalFilter = new ComparisonFilter(ComparisonOperator.Equal, ADMailboxRecipientSchema.Database, databaseId);
}
else
{
optionalFilter = OrganizationMailbox.GetOrganizationMailboxQueryFilterForLocalServer();
}
List <ADUser> organizationMailboxesByCapability = OrganizationMailbox.GetOrganizationMailboxesByCapability(session, capability, optionalFilter);
List <ADUser> list = new List <ADUser>(1);
if (organizationMailboxesByCapability.Count >= 1)
{
list.Add(organizationMailboxesByCapability[0]);
}
return(list.ToArray());
}
protected void PersistManagedAvailabilityServersUsgSid()
{
SecurityIdentifier securityIdentifier = null;
try
{
IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 153, "PersistManagedAvailabilityServersUsgSid", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\Monitoring\\Service\\ManageHealthManagerService.cs");
securityIdentifier = rootOrganizationRecipientSession.GetWellKnownExchangeGroupSid(WellKnownGuid.MaSWkGuid);
}
catch (Exception)
{
}
if (securityIdentifier != null)
{
using (RegistryKey registryKey = Registry.LocalMachine.CreateSubKey(ManageHealthManagerService.RegistryPathBase))
{
registryKey.SetValue("ManagedAvailabilityServersUsgSid", securityIdentifier.ToString());
}
string name = "SOFTWARE\\Microsoft\\ExchangeServer";
using (RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey(name, true))
{
if (registryKey2 != null)
{
RegistrySecurity accessControl = registryKey2.GetAccessControl();
accessControl.AddAccessRule(new RegistryAccessRule(securityIdentifier, RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
registryKey2.SetAccessControl(accessControl);
using (RegistryKey registryKey3 = Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\winreg", true))
{
RegistrySecurity accessControl2 = registryKey3.GetAccessControl();
accessControl2.AddAccessRule(new RegistryAccessRule(securityIdentifier, RegistryRights.ExecuteKey, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
registryKey3.SetAccessControl(accessControl2);
}
}
}
}
}
private ADRootOrganizationRecipientSessionWrapper(IRootOrganizationRecipientSession session)
{
ExAssert.RetailAssert(session != null, "'session' instance to wrap must not be null!");
this.m_session = session;
}
public static ADRootOrganizationRecipientSessionWrapper CreateWrapper(IRootOrganizationRecipientSession session)
{
ExAssert.RetailAssert(session != null, "'session' instance to wrap must not be null!");
return(new ADRootOrganizationRecipientSessionWrapper(session));
}
public IADRootOrganizationRecipientSession CreateIgnoreInvalidRootOrgRecipientSession()
{
IRootOrganizationRecipientSession session = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 226, "CreateIgnoreInvalidRootOrgRecipientSession", "f:\\15.00.1497\\sources\\dev\\data\\src\\HA\\DirectoryServices\\ADSessionFactory.cs");
return(ADRootOrganizationRecipientSessionWrapper.CreateWrapper(session));
}
private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
{
bool result = true;
foreach (ADRawEntry adrawEntry in dkmObjects)
{
RawSecurityDescriptor rawSecurityDescriptor;
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
if (activeDirectorySecurity == null)
{
result = false;
detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
}
else
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
bool flag = false;
Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
try
{
if (!expectedAccessRights.ContainsKey((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference))
{
int num = AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
if (num != 0)
{
stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), (ActiveDirectoryRights)num);
result = false;
flag = true;
}
}
else
{
dictionary[(SecurityIdentifier)activeDirectoryAccessRule.IdentityReference] = (ActiveDirectoryRights)AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
}
}
catch (Win32Exception ex)
{
stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
result = false;
flag = true;
}
}
Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary2 = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair in dictionary)
{
if (dictionary2[keyValuePair.Key] != keyValuePair.Value)
{
stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair.Key.ToString()), dictionary2[keyValuePair.Key], keyValuePair.Value);
result = false;
flag = true;
}
dictionary2.Remove(keyValuePair.Key);
}
if (dictionary2.Count > 0)
{
foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair2 in dictionary2)
{
stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair2.Key.ToString()), keyValuePair2.Value);
result = false;
flag = true;
}
}
if (flag)
{
detailStatus.AppendLine(stringBuilder.ToString());
}
}
}
return(result);
}
private static bool VerifyDkmObjectPermissions(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedRights, StringBuilder detailStatus)
{
IEnumerable <ADRawEntry> enumerable = TestDataCenterDKMAccess.ReadDkmAdObjects(session, dkmContainerName, rootDomain, detailStatus);
return(enumerable != null && TestDataCenterDKMAccess.CheckPermissionsOnDkmObjects(enumerable, session, expectedRights, detailStatus));
}
private IAuthenticationInfo GetPrincipal(OperationContext operationContext)
{
MRSProxyAuthorizationManager.AuthenticationData authenticationData = this.GetAuthenticationData(operationContext);
if (authenticationData.AuthenticationInfo != null)
{
return(authenticationData.AuthenticationInfo);
}
IAuthenticationInfo authenticationInfo = base.Authenticate(operationContext);
if (authenticationInfo == null)
{
return(null);
}
if (operationContext.Channel.LocalAddress.Uri.Scheme == "net.tcp" || this.TestIntegration.UseHttpsForLocalMoves)
{
return(authenticationInfo);
}
WindowsPrincipal windowsPrincipal = authenticationInfo.WindowsPrincipal;
WindowsIdentity windowsIdentity = windowsPrincipal.Identity as WindowsIdentity;
using (ClientSecurityContext clientSecurityContext = new ClientSecurityContext(windowsIdentity))
{
if (!LocalServer.AllowsTokenSerializationBy(clientSecurityContext))
{
MrsTracer.ProxyService.Debug("MRSProxyAuthorizationManager: User {0} does not have the permission to serialize security token.", new object[]
{
authenticationInfo.PrincipalName
});
return(null);
}
}
object obj;
if (!OperationContext.Current.IncomingMessageProperties.TryGetValue(HttpRequestMessageProperty.Name, out obj))
{
return(null);
}
HttpRequestMessageProperty httpRequestMessageProperty = obj as HttpRequestMessageProperty;
if (httpRequestMessageProperty == null)
{
return(null);
}
string[] values = httpRequestMessageProperty.Headers.GetValues("X-CommonAccessToken");
if (values == null || values.Length != 1)
{
return(null);
}
string text = values[0];
if (string.IsNullOrEmpty(text))
{
return(null);
}
using (ClientSecurityContext clientSecurityContext2 = new ClientSecurityContext(windowsIdentity))
{
if (!LocalServer.AllowsTokenSerializationBy(clientSecurityContext2))
{
MrsTracer.ProxyService.Debug("MRSProxyAuthorizationManager: User {0} does not have the permission to serialize security token.", new object[]
{
windowsIdentity
});
return(null);
}
}
CommonAccessToken commonAccessToken = CommonAccessToken.Deserialize(text);
SecurityIdentifier securityIdentifier = new SecurityIdentifier(commonAccessToken.WindowsAccessToken.UserSid);
IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 300, "GetPrincipal", "f:\\15.00.1497\\sources\\dev\\mrs\\src\\ProxyService\\MRSProxyAuthorizationManager.cs");
ADRawEntry adrawEntry = rootOrganizationRecipientSession.FindADRawEntryBySid(securityIdentifier, MRSProxyAuthorizationManager.userPrincipalName);
if (adrawEntry == null)
{
authenticationData.AuthenticationInfo = new AuthenticationInfo(securityIdentifier);
}
else
{
string sUserPrincipalName = (string)adrawEntry[ADUserSchema.UserPrincipalName];
windowsIdentity = new WindowsIdentity(sUserPrincipalName);
authenticationData.AuthenticationInfo = new AuthenticationInfo(windowsIdentity, windowsIdentity.Name);
}
return(authenticationData.AuthenticationInfo);
}
internal abstract AdminRoleDefinition[] ComputeAdminRoles(IRootOrganizationRecipientSession recipientSession, ITopologyConfigurationSession configSession);
