public static bool IsADomainAccount(NTAccount userAccount)
{
if (userAccount == null)
{
return(false);
}
SecurityIdentifier sid;
try
{
sid = UserAccountHelper.GetSecurityIdentifier(userAccount);
}
catch (Exception e)
{
return(false);
}
if (UserAccountHelper.IsLocalAccount(sid) || (UserAccountHelper.IsBuiltInGroup(sid)))
{
return(false);
}
return(true);
}
public static String GetBinarySidString(String accountName)
{
NTAccount ntAccount = new NTAccount(accountName);
SecurityIdentifier id = (SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier));
byte[] binarySid = UserAccountHelper.GetBinarySid(id);
return("0x" + BitConverter.ToString(binarySid).Replace("-", string.Empty));
}
public static bool IsADomainAccount(string userAccount)
{
if (String.IsNullOrEmpty(userAccount))
{
return(false);
}
return(IsADomainAccount(UserAccountHelper.GetNTAccountFromName(userAccount)));
}
/// <summary>
/// Check to see whether the domain account is under the local admin group
/// comments: there is another way to call CheckTokenMembership() to check whether this domain account is in local admin grp
/// </summary>
private static bool CheckDomainAccountInAdminGrp()
{
string domainName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceDomainTag);
string userName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserNameTag);
return(UserAccountHelper.IsRoleFor(
new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
String.Format(SetupConstants.UserAccountTemplate, domainName.ToLower(), userName.ToLower())));
}
public static bool ValidateServiceAccount()
{
bool valid;
valid = UserAccountHelper.CheckDomainAccountValid();
if (valid)
{
valid = UserAccountHelper.CheckDomainAccountInAdminGrp();
}
return(valid);
}
public static SecurityIdentifier GetSecurityIdentifier(string accountName)
{
AppAssert.Assert(!string.IsNullOrEmpty(accountName));
// Check if the string is null or empty - these are not valid account names
if (string.IsNullOrEmpty(accountName))
{
throw new IdentityNotMappedException();
}
// verify that the entered string is a valid account name
return(UserAccountHelper.GetSecurityIdentifier(new NTAccount(accountName.Trim())));
}
/// <summary>
/// Check to see whether the domain account and its password are valid
/// </summary>
private static bool CheckDomainAccountValid()
{
string domainName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceDomainTag);
string userName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserNameTag);
SecureString password = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserPasswordTag);
if (UserAccountHelper.ValidateCredentials(userName, domainName, password))
{
return(true);
}
else
{
//throw SetupExceptionFactory.NewBackEndErrorException(ErrorCode.InvalidDomainAccount);
SetupLogger.LogError("CheckDomainAccountValid(): Invalid domain account");
return(false);
}
}
public static bool IsRoleFor(SecurityIdentifier adminGroupSID, string accountName)
{
SecurityIdentifier sid = null;
if (UserAccountHelper.IsADomainAccount(accountName))
{
NTAccount ntAccount = UserAccountHelper.GetNTAccountFromName(accountName);
sid = Translate <NTAccount, SecurityIdentifier>(ntAccount);
if (sid == null)
{
sid = new SecurityIdentifier(ntAccount.Value);
}
return(AuthzAccessCheck(adminGroupSID, sid));
}
// Ignore the check for non-domain accounts.
return(true);
}
private static bool AuthzAccessCheck(SecurityIdentifier roleSid, SecurityIdentifier userSid)
{
IntPtr resourceManager = IntPtr.Zero;
try
{
resourceManager = UserAccountHelper.CreateAuthzResourceManager();
IntPtr clientContext = IntPtr.Zero;
try
{
clientContext = UserAccountHelper.CreateAuthzClientContext(userSid, resourceManager);
UnsafeNativeMethods.AuthzAccessReply accessReply = new UnsafeNativeMethods.AuthzAccessReply();
try
{
UserAccountHelper.InitializeAuthzAccessReply(ref accessReply);
UnsafeNativeMethods.AuthzAccessRequest accessRequest = new UnsafeNativeMethods.AuthzAccessRequest(
UserAccountHelper.MaximumAllowed);
byte[] roleSecurityDescriptorData = UserAccountHelper.GetRoleSecurityDescriptorData(
roleSid,
UserAccountHelper.StandardAccess);
if (!UnsafeNativeMethods.AuthzAccessCheck(
0,
clientContext,
ref accessRequest,
IntPtr.Zero,
roleSecurityDescriptorData,
IntPtr.Zero,
0,
ref accessReply,
IntPtr.Zero))
{
throw new Exception("Failed to get authorization information");
}
return(UnsafeNativeMethods.AuthzAccessIsGranted(ref accessReply));
}
finally
{
UserAccountHelper.UninitializeAuthzAccessReply(ref accessReply);
}
}
finally
{
if (clientContext != IntPtr.Zero)
{
if (!UnsafeNativeMethods.AuthzFreeContext(clientContext))
{
throw new Exception("Failed to get authorization information");
}
}
}
}
finally
{
if (resourceManager != IntPtr.Zero)
{
if (!UnsafeNativeMethods.AuthzFreeResourceManager(resourceManager))
{
throw new Exception("Failed to get authorization information");
}
}
}
}
/// <summary>
/// Create the engine service and start it
/// </summary>
public static void ConfigureCMPWorkerService(ServiceConfigurationHandler serviceConfigurationHandler)
{
AppAssert.AssertNotNull(serviceConfigurationHandler, "serviceConfigurationHandler");
string installPath = SetupConstants.GetServerInstallPath();
//attempt to remove services first.
//this will ignore errors of service does not exist and service marked for deletion
//If service is marked for deletion, then exception will be thrown at create time as
//we will be unable to create the service.
//reason:
//1. Keeps the code path of Install and Repair same
//2. Handles corner case of service already existing in Install mode
//3. Repairs the configuration of the service if broken
IntPtr hSCManager = NativeMethods.NullIntPtr;
IntPtr password = NativeMethods.NullIntPtr;
try
{
hSCManager = ServiceConfigurationHandler.GetSCMHandle();
//TODO: Handle rollback if exception is thrown
ServiceConfigurationHandler.StopAndRemoveService(hSCManager, SetupConstants.EngineServiceName);
//construct paths to service binaries
string servicePathEngine = PathHelper.QuoteString(installPath + @"MSIT\CmpWorkerService\" + SetupConstants.EngineServiceBinary);
SetupLogger.LogInfo("BackEnd.Configure: Engine Service path is : {0}", servicePathEngine);
//Get account
string userAccountName = null;
bool runasLocalAccount = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceLocalAccountTag);
if (!runasLocalAccount)
{
userAccountName = UserAccountHelper.GetVmmServiceDomainAccount();
password = Marshal.SecureStringToGlobalAllocUnicode(SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserPasswordTag));
}
//create engine service
ServiceConfigurationHandler.CreateService(
hSCManager,
SetupConstants.EngineServiceName,
Resources.EngineServiceDisplayName,
Resources.EngineServiceDescription,
servicePathEngine,
null, // dependent services
userAccountName,
password: password,
autoStart: true,
interactive: false);
//set failure actions for VMMService
NativeMethods.SERVICE_FAILURE_ACTIONS sfa = new NativeMethods.SERVICE_FAILURE_ACTIONS();
NativeMethods.SC_ACTION[] sca = new NativeMethods.SC_ACTION[SetupConstants.ServiceActionsCount + 1];
for (int i = 0; i < SetupConstants.ServiceActionsCount; i++)
{
sca[i].Delay = SetupConstants.ServiceRestartDelay;
sca[i].Type = NativeMethods.SC_ACTION_TYPE.SC_ACTION_RESTART;
}
sca[SetupConstants.ServiceActionsCount].Delay = 0;
sca[SetupConstants.ServiceActionsCount].Type = NativeMethods.SC_ACTION_TYPE.SC_ACTION_NONE;
IntPtr unmanagedStructArray = NativeMethods.NullIntPtr;
try
{
unmanagedStructArray = GetUnmanagedStructArray(sca);
sfa.sc_Action = unmanagedStructArray;
sfa.cActions = SetupConstants.ServiceActionsCount + 1;
sfa.dwResetPeriod = SetupConstants.ServiceResetPeriod;
sfa.lpCommand = null;
sfa.lpRebootMsg = null;
//set service failure actions for engine service
ServiceConfigurationHandler.SetFailureActions(SetupConstants.EngineServiceName, ref sfa);
//ConfigurationProgressEvent(this, new EventArgs());
}
finally
{
if (NativeMethods.NullIntPtr != unmanagedStructArray)
{
Marshal.FreeHGlobal(unmanagedStructArray);
}
}
}
finally
{
if (!NativeMethods.NullIntPtr.Equals(hSCManager))
{
NativeMethods.CloseServiceHandle(hSCManager);
}
if (!NativeMethods.NullIntPtr.Equals(password))
{
Marshal.ZeroFreeGlobalAllocUnicode(password);
}
}
}
