public static bool IsADomainAccount(NTAccount userAccount) { if (userAccount == null) { return(false); } SecurityIdentifier sid; try { sid = UserAccountHelper.GetSecurityIdentifier(userAccount); } catch (Exception e) { return(false); } if (UserAccountHelper.IsLocalAccount(sid) || (UserAccountHelper.IsBuiltInGroup(sid))) { return(false); } return(true); }
public static String GetBinarySidString(String accountName) { NTAccount ntAccount = new NTAccount(accountName); SecurityIdentifier id = (SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier)); byte[] binarySid = UserAccountHelper.GetBinarySid(id); return("0x" + BitConverter.ToString(binarySid).Replace("-", string.Empty)); }
public static bool IsADomainAccount(string userAccount) { if (String.IsNullOrEmpty(userAccount)) { return(false); } return(IsADomainAccount(UserAccountHelper.GetNTAccountFromName(userAccount))); }
/// <summary> /// Check to see whether the domain account is under the local admin group /// comments: there is another way to call CheckTokenMembership() to check whether this domain account is in local admin grp /// </summary> private static bool CheckDomainAccountInAdminGrp() { string domainName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceDomainTag); string userName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserNameTag); return(UserAccountHelper.IsRoleFor( new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), String.Format(SetupConstants.UserAccountTemplate, domainName.ToLower(), userName.ToLower()))); }
public static bool ValidateServiceAccount() { bool valid; valid = UserAccountHelper.CheckDomainAccountValid(); if (valid) { valid = UserAccountHelper.CheckDomainAccountInAdminGrp(); } return(valid); }
public static SecurityIdentifier GetSecurityIdentifier(string accountName) { AppAssert.Assert(!string.IsNullOrEmpty(accountName)); // Check if the string is null or empty - these are not valid account names if (string.IsNullOrEmpty(accountName)) { throw new IdentityNotMappedException(); } // verify that the entered string is a valid account name return(UserAccountHelper.GetSecurityIdentifier(new NTAccount(accountName.Trim()))); }
/// <summary> /// Check to see whether the domain account and its password are valid /// </summary> private static bool CheckDomainAccountValid() { string domainName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceDomainTag); string userName = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserNameTag); SecureString password = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserPasswordTag); if (UserAccountHelper.ValidateCredentials(userName, domainName, password)) { return(true); } else { //throw SetupExceptionFactory.NewBackEndErrorException(ErrorCode.InvalidDomainAccount); SetupLogger.LogError("CheckDomainAccountValid(): Invalid domain account"); return(false); } }
public static bool IsRoleFor(SecurityIdentifier adminGroupSID, string accountName) { SecurityIdentifier sid = null; if (UserAccountHelper.IsADomainAccount(accountName)) { NTAccount ntAccount = UserAccountHelper.GetNTAccountFromName(accountName); sid = Translate <NTAccount, SecurityIdentifier>(ntAccount); if (sid == null) { sid = new SecurityIdentifier(ntAccount.Value); } return(AuthzAccessCheck(adminGroupSID, sid)); } // Ignore the check for non-domain accounts. return(true); }
private static bool AuthzAccessCheck(SecurityIdentifier roleSid, SecurityIdentifier userSid) { IntPtr resourceManager = IntPtr.Zero; try { resourceManager = UserAccountHelper.CreateAuthzResourceManager(); IntPtr clientContext = IntPtr.Zero; try { clientContext = UserAccountHelper.CreateAuthzClientContext(userSid, resourceManager); UnsafeNativeMethods.AuthzAccessReply accessReply = new UnsafeNativeMethods.AuthzAccessReply(); try { UserAccountHelper.InitializeAuthzAccessReply(ref accessReply); UnsafeNativeMethods.AuthzAccessRequest accessRequest = new UnsafeNativeMethods.AuthzAccessRequest( UserAccountHelper.MaximumAllowed); byte[] roleSecurityDescriptorData = UserAccountHelper.GetRoleSecurityDescriptorData( roleSid, UserAccountHelper.StandardAccess); if (!UnsafeNativeMethods.AuthzAccessCheck( 0, clientContext, ref accessRequest, IntPtr.Zero, roleSecurityDescriptorData, IntPtr.Zero, 0, ref accessReply, IntPtr.Zero)) { throw new Exception("Failed to get authorization information"); } return(UnsafeNativeMethods.AuthzAccessIsGranted(ref accessReply)); } finally { UserAccountHelper.UninitializeAuthzAccessReply(ref accessReply); } } finally { if (clientContext != IntPtr.Zero) { if (!UnsafeNativeMethods.AuthzFreeContext(clientContext)) { throw new Exception("Failed to get authorization information"); } } } } finally { if (resourceManager != IntPtr.Zero) { if (!UnsafeNativeMethods.AuthzFreeResourceManager(resourceManager)) { throw new Exception("Failed to get authorization information"); } } } }
/// <summary> /// Create the engine service and start it /// </summary> public static void ConfigureCMPWorkerService(ServiceConfigurationHandler serviceConfigurationHandler) { AppAssert.AssertNotNull(serviceConfigurationHandler, "serviceConfigurationHandler"); string installPath = SetupConstants.GetServerInstallPath(); //attempt to remove services first. //this will ignore errors of service does not exist and service marked for deletion //If service is marked for deletion, then exception will be thrown at create time as //we will be unable to create the service. //reason: //1. Keeps the code path of Install and Repair same //2. Handles corner case of service already existing in Install mode //3. Repairs the configuration of the service if broken IntPtr hSCManager = NativeMethods.NullIntPtr; IntPtr password = NativeMethods.NullIntPtr; try { hSCManager = ServiceConfigurationHandler.GetSCMHandle(); //TODO: Handle rollback if exception is thrown ServiceConfigurationHandler.StopAndRemoveService(hSCManager, SetupConstants.EngineServiceName); //construct paths to service binaries string servicePathEngine = PathHelper.QuoteString(installPath + @"MSIT\CmpWorkerService\" + SetupConstants.EngineServiceBinary); SetupLogger.LogInfo("BackEnd.Configure: Engine Service path is : {0}", servicePathEngine); //Get account string userAccountName = null; bool runasLocalAccount = SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceLocalAccountTag); if (!runasLocalAccount) { userAccountName = UserAccountHelper.GetVmmServiceDomainAccount(); password = Marshal.SecureStringToGlobalAllocUnicode(SetupInputs.Instance.FindItem(SetupInputTags.CmpServiceUserPasswordTag)); } //create engine service ServiceConfigurationHandler.CreateService( hSCManager, SetupConstants.EngineServiceName, Resources.EngineServiceDisplayName, Resources.EngineServiceDescription, servicePathEngine, null, // dependent services userAccountName, password: password, autoStart: true, interactive: false); //set failure actions for VMMService NativeMethods.SERVICE_FAILURE_ACTIONS sfa = new NativeMethods.SERVICE_FAILURE_ACTIONS(); NativeMethods.SC_ACTION[] sca = new NativeMethods.SC_ACTION[SetupConstants.ServiceActionsCount + 1]; for (int i = 0; i < SetupConstants.ServiceActionsCount; i++) { sca[i].Delay = SetupConstants.ServiceRestartDelay; sca[i].Type = NativeMethods.SC_ACTION_TYPE.SC_ACTION_RESTART; } sca[SetupConstants.ServiceActionsCount].Delay = 0; sca[SetupConstants.ServiceActionsCount].Type = NativeMethods.SC_ACTION_TYPE.SC_ACTION_NONE; IntPtr unmanagedStructArray = NativeMethods.NullIntPtr; try { unmanagedStructArray = GetUnmanagedStructArray(sca); sfa.sc_Action = unmanagedStructArray; sfa.cActions = SetupConstants.ServiceActionsCount + 1; sfa.dwResetPeriod = SetupConstants.ServiceResetPeriod; sfa.lpCommand = null; sfa.lpRebootMsg = null; //set service failure actions for engine service ServiceConfigurationHandler.SetFailureActions(SetupConstants.EngineServiceName, ref sfa); //ConfigurationProgressEvent(this, new EventArgs()); } finally { if (NativeMethods.NullIntPtr != unmanagedStructArray) { Marshal.FreeHGlobal(unmanagedStructArray); } } } finally { if (!NativeMethods.NullIntPtr.Equals(hSCManager)) { NativeMethods.CloseServiceHandle(hSCManager); } if (!NativeMethods.NullIntPtr.Equals(password)) { Marshal.ZeroFreeGlobalAllocUnicode(password); } } }