internal AuthZPluginUserToken(DelegatedPrincipal delegatedPrincipal, ADRawEntry userEntry, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticatedType, string defaultUserName)
{
this.DelegatedPrincipal = delegatedPrincipal;
this.UserEntry = userEntry;
this.AuthenticationType = authenticatedType;
this.DefaultUserName = defaultUserName;
}
private IIdentity GetExecutingUserIdentity()
{
if (this.executingUserIdentity == null)
{
switch (this.contextType)
{
case RBACContext.RBACContextType.Delegated:
break;
case (RBACContext.RBACContextType) 3:
goto IL_69;
case RBACContext.RBACContextType.Windows:
using (MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(this.serializedExecutingUser)))
{
this.executingUserIdentity = new SerializedIdentity(new SerializedAccessToken(memoryStream));
goto IL_69;
}
break;
default:
goto IL_69;
}
this.executingUserIdentity = DelegatedPrincipal.GetDelegatedIdentity(this.serializedExecutingUser);
}
IL_69:
return(this.executingUserIdentity);
}
// Token: 0x06000285 RID: 645 RVA: 0x000117FC File Offset: 0x0000F9FC
private static bool CheckClaimSetsForPartnerUser(AuthorizationContext authorizationContext, OperationContext operationContext)
{
HttpContext.Current.Items["AuthType"] = "Partner";
PerformanceCounters.UpdateRequestsReceivedWithPartnerToken();
ReadOnlyCollection <ClaimSet> claimSets = authorizationContext.ClaimSets;
claimSets.TraceClaimSets();
DelegatedPrincipal delegatedPrincipal = null;
OrganizationId delegatedOrganizationId = null;
string text = null;
if (!PartnerToken.TryGetDelegatedPrincipalAndOrganizationId(claimSets, out delegatedPrincipal, out delegatedOrganizationId, out text))
{
ExTraceGlobals.AuthenticationTracer.TraceError <string>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] unable to create partner identity, error message: {0}", text);
PerformanceCounters.UpdateUnauthorizedRequestsReceivedWithPartnerToken();
AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, text);
return(false);
}
ExTraceGlobals.AuthenticationTracer.TraceDebug <DelegatedPrincipal>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] ws-security header contains the partner identity: {0}", delegatedPrincipal);
string text2 = delegatedPrincipal.ToString();
if (!string.IsNullOrEmpty(text2))
{
AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text2, text2.Split(new char[]
{
'\\'
})[0]);
}
HttpContext.Current.User = new WindowsPrincipal(PartnerIdentity.Create(delegatedPrincipal, delegatedOrganizationId));
return(true);
}
// Token: 0x06001274 RID: 4724 RVA: 0x0003B65C File Offset: 0x0003985C
internal static PswsAuthZUserToken GetAuthZPluginUserToken(UserToken userToken)
{
ExAssert.RetailAssert(userToken != null, "[PswsAuthorization.GetAuthZPluginUserToken] userToken can't be null.");
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType = userToken.AuthenticationType;
SecurityIdentifier userSid = userToken.UserSid;
DelegatedPrincipal delegatedPrincipal = userToken.DelegatedPrincipal;
ExAssert.RetailAssert(userSid != null, "The user sid is invalid (null).");
PartitionId partitionId = userToken.PartitionId;
string text = AuthenticatedUserCache.CreateKeyForPsws(userSid, userToken.AuthenticationType, partitionId);
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User cache key = \"{0}\".", text);
AuthZPluginUserToken authZPluginUserToken;
if (!AuthenticatedUserCache.Instance.TryGetValue(text, out authZPluginUserToken))
{
ExTraceGlobals.PublicPluginAPITracer.TraceDebug(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User not found in cache.");
IIdentity identity = HttpContext.Current.Items["X-Psws-CurrentLogonUser"] as IIdentity;
SerializedIdentity serializedIdentity = null;
if (identity is WindowsTokenIdentity)
{
serializedIdentity = ((WindowsTokenIdentity)identity).ToSerializedIdentity();
}
ADRawEntry adrawEntry = ExchangeAuthorizationPlugin.FindUserEntry(userSid, null, serializedIdentity, partitionId);
ExAssert.RetailAssert(adrawEntry != null, "UnAuthorized. Unable to find the user.");
bool condition = (adrawEntry is MiniRecipient || adrawEntry is ADUser) && (bool)adrawEntry[ADRecipientSchema.RemotePowerShellEnabled];
ExAssert.RetailAssert(condition, "UnAuthorized. PSWS not enabled user.");
authZPluginUserToken = new AuthZPluginUserToken(delegatedPrincipal, adrawEntry, authenticationType, userSid.Value);
AuthenticatedUserCache.Instance.AddUserToCache(text, authZPluginUserToken);
}
return(new PswsAuthZUserToken(authZPluginUserToken.DelegatedPrincipal, authZPluginUserToken.UserEntry, authenticationType, authZPluginUserToken.DefaultUserName, userToken.UserName));
}
// Token: 0x06000039 RID: 57 RVA: 0x00002E5C File Offset: 0x0000105C
internal UserToken(AuthenticationType authenticationType, DelegatedPrincipal delegatedPrincipal, string windowsLiveId, string userName, SecurityIdentifier userSid, PartitionId partitionId, OrganizationId organization, string managedOrganization, bool appPasswordUsed, CommonAccessToken commonAccessToken)
{
ExTraceGlobals.UserTokenTracer.TraceDebug(0L, "Version:{0}; AuthenticationType:{1}; DelegatedPrincipal:{2} WindowsLiveId:{3}; UserName:{4}; UserSid:{5}; PartitionId:{6}; Organization:{7}; ManagedOrg:{8};AppPasswordUsed:{9}; CAT:{10}", new object[]
{
0,
authenticationType,
delegatedPrincipal,
windowsLiveId,
userName,
userSid,
partitionId,
organization,
managedOrganization,
appPasswordUsed,
commonAccessToken
});
this.Version = 0;
this.AuthenticationType = authenticationType;
this.DelegatedPrincipal = delegatedPrincipal;
this.WindowsLiveId = windowsLiveId;
this.UserName = userName;
this.UserSid = userSid;
this.PartitionId = partitionId;
this.Organization = organization;
this.ManagedOrganization = managedOrganization;
this.AppPasswordUsed = appPasswordUsed;
this.CommonAccessToken = commonAccessToken;
}
// Token: 0x06000038 RID: 56 RVA: 0x00003F1D File Offset: 0x0000211D
internal DelegatedPrincipalCacheData(DelegatedPrincipal principal, DateTime expirationUTC)
{
if (principal == null)
{
throw new ArgumentNullException("principal");
}
this.principal = principal;
this.expiration = expirationUTC;
}
public RBACContext(DelegatedPrincipal executingUser, SerializedAccessToken impersonatedUser, IList <RoleType> roleTypeFilter, List <RoleEntry> sortedRoleEntryFilter, IList <RoleType> logonUserRequiredRoleTypes, bool callerCheckedAccess) : this(impersonatedUser, roleTypeFilter, sortedRoleEntryFilter, logonUserRequiredRoleTypes, callerCheckedAccess)
{
if (executingUser == null)
{
throw new ArgumentNullException("executingUser");
}
this.AuthenticationType = DelegatedPrincipal.DelegatedAuthenticationType;
this.ExecutingUserName = executingUser.DisplayName;
this.serializedExecutingUser = executingUser.Identity.Name;
this.contextType = RBACContext.RBACContextType.Delegated;
}
private string GetUserUniqueKey()
{
DelegatedPrincipal delegatedPrincipal = this.OriginalUser as DelegatedPrincipal;
if (delegatedPrincipal != null)
{
return(delegatedPrincipal.UserId);
}
if (DatacenterRegistry.IsForefrontForOffice())
{
return(this.OriginalLogonUserIdentity.Name);
}
return(this.OriginalLogonUserIdentity.GetSecurityIdentifier().Value);
}
public static string GetCanaryName(this HttpContext context)
{
DelegatedPrincipal delegatedPrincipal = null;
if (context.User is RbacSession)
{
RbacSession rbacSession = (RbacSession)context.User;
delegatedPrincipal = (rbacSession.Settings.OriginalUser as DelegatedPrincipal);
}
if (delegatedPrincipal == null)
{
return("msExchEcpCanary");
}
return("msExchEcpCanary.UID");
}
private void ResolveAccessedUser()
{
if (string.IsNullOrEmpty(this.accessedUserSmtpAddress))
{
this.accessedUserExchangePrincipal = ExchangePrincipal.FromUserSid(this.GetOrganizationIdFromIdentity(this.accessedUserIdentity).ToADSessionSettings(), this.accessedUserSid);
this.logonUserPrincipal = new GenericPrincipal(this.LogonUserIdentity, null);
}
else
{
OrganizationId organizationId = OrganizationId.ForestWideOrgId;
SidBasedIdentity sidBasedIdentity = this.LogonUserIdentity as SidBasedIdentity;
if (sidBasedIdentity != null)
{
organizationId = sidBasedIdentity.UserOrganizationId;
}
else
{
DelegatedPrincipal delegatedPrincipal = this.logonUserPrincipal as DelegatedPrincipal;
if (delegatedPrincipal != null)
{
SmtpDomain domain;
if (SmtpDomain.TryParse(delegatedPrincipal.DelegatedOrganization, out domain))
{
organizationId = DomainCache.Singleton.Get(new SmtpDomainWithSubdomains(domain, false)).OrganizationId;
}
}
else
{
ExchangePrincipal exchangePrincipal = this.GetLogonUserExchangePrincipal();
if (exchangePrincipal != null)
{
organizationId = exchangePrincipal.MailboxInfo.OrganizationId;
}
}
}
ADSessionSettings adSettings = organizationId.ToADSessionSettings();
string partitionId = null;
if (organizationId != null && organizationId != OrganizationId.ForestWideOrgId && organizationId.PartitionId != null)
{
partitionId = organizationId.PartitionId.ToString();
}
this.accessedUserExchangePrincipal = ExchangePrincipal.FromProxyAddress(adSettings, this.accessedUserSmtpAddress, RemotingOptions.AllowCrossSite);
this.accessedUserIdentity = new GenericSidIdentity(this.accessedUserExchangePrincipal.Sid.Value, this.LogonUserIdentity.AuthenticationType + "-ExplicitSignOn", this.accessedUserExchangePrincipal.Sid, partitionId);
this.accessedUserSid = this.accessedUserIdentity.GetSecurityIdentifier();
}
this.hasFullAccess = this.CanOpenAccessedUserMailbox();
this.identityResolved = true;
}
// Token: 0x060000C3 RID: 195 RVA: 0x00005BA8 File Offset: 0x00003DA8
private string GetManagedOrganization(IIdentity identity)
{
SidOAuthIdentity sidOAuthIdentity = identity as SidOAuthIdentity;
if (sidOAuthIdentity != null)
{
ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetManagedOrganization] From SidOAuthIdentity.");
return(sidOAuthIdentity.ManagedTenantName);
}
DelegatedPrincipal delegatedPrincipal = HttpContext.Current.User as DelegatedPrincipal;
if (delegatedPrincipal != null)
{
ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetManagedOrganization] From DelegatedPrincipal.");
return(delegatedPrincipal.DelegatedOrganization);
}
ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetManagedOrganization] ManagedOrg=Null.");
return(null);
}
internal static UserToken CreateDefaultUserTokenInERC(IIdentity identity, DelegatedPrincipal delegatedPrincipal, bool impersonated)
{
if (!impersonated && delegatedPrincipal != null)
{
CommonAccessToken commonAccessToken = new CommonAccessToken(AccessTokenType.RemotePowerShellDelegated);
commonAccessToken.ExtensionData["DelegatedData"] = delegatedPrincipal.Identity.Name;
return(new UserToken(AuthenticationType.RemotePowerShellDelegated, delegatedPrincipal, null, delegatedPrincipal.Identity.Name, null, null, null, delegatedPrincipal.DelegatedOrganization, false, commonAccessToken));
}
SidOAuthIdentity sidOAuthIdentity = identity as SidOAuthIdentity;
if (sidOAuthIdentity != null)
{
PartitionId partitionId;
PartitionId.TryParse(sidOAuthIdentity.PartitionId, out partitionId);
return(new UserToken(AuthenticationType.OAuth, null, null, sidOAuthIdentity.Name, sidOAuthIdentity.Sid, partitionId, sidOAuthIdentity.OAuthIdentity.OrganizationId, sidOAuthIdentity.ManagedTenantName, false, sidOAuthIdentity.OAuthIdentity.ToCommonAccessTokenVersion1()));
}
WindowsIdentity windowsIdentity = identity as WindowsIdentity;
if (windowsIdentity != null)
{
return(new UserToken(AuthenticationType.Kerberos, null, null, windowsIdentity.Name, windowsIdentity.User, null, null, null, false, new CommonAccessToken(windowsIdentity)));
}
WindowsTokenIdentity windowsTokenIdentity = identity as WindowsTokenIdentity;
if (windowsTokenIdentity != null && windowsTokenIdentity.AccessToken != null && windowsTokenIdentity.AccessToken.CommonAccessToken != null)
{
PartitionId partitionId2;
PartitionId.TryParse(windowsTokenIdentity.PartitionId, out partitionId2);
return(new UserToken(AuthenticationType.Kerberos, null, null, windowsTokenIdentity.Name, windowsTokenIdentity.Sid, partitionId2, null, null, false, windowsTokenIdentity.AccessToken.CommonAccessToken));
}
CommonAccessToken commonAccessToken2 = new CommonAccessToken(AccessTokenType.CertificateSid);
SecurityIdentifier securityIdentifier = identity.GetSecurityIdentifier();
commonAccessToken2.ExtensionData["UserSid"] = securityIdentifier.ToString();
GenericSidIdentity genericSidIdentity = identity as GenericSidIdentity;
if (genericSidIdentity != null)
{
commonAccessToken2.ExtensionData["Partition"] = genericSidIdentity.PartitionId;
}
return(new UserToken(AuthenticationType.Certificate, null, null, identity.Name, securityIdentifier, null, null, null, false, commonAccessToken2));
}
// Token: 0x060000BF RID: 191 RVA: 0x000056A0 File Offset: 0x000038A0
private string GetUserName(CommonAccessToken commonAccessToken, IIdentity identity, AccessTokenType accessTokenType)
{
string windowsLiveId = this.GetWindowsLiveId(commonAccessToken, accessTokenType);
if (!string.IsNullOrWhiteSpace(windowsLiveId))
{
ExTraceGlobals.UserTokenTracer.TraceDebug <string>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From windows Live Id {0}", windowsLiveId);
return(windowsLiveId);
}
if (commonAccessToken != null && commonAccessToken.WindowsAccessToken != null)
{
ExTraceGlobals.UserTokenTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From windows access token");
return(commonAccessToken.WindowsAccessToken.LogonName ?? commonAccessToken.WindowsAccessToken.UserSid);
}
DelegatedPrincipal delegatedPrincipal = HttpContext.Current.User as DelegatedPrincipal;
if (delegatedPrincipal != null)
{
ExTraceGlobals.UserTokenTracer.TraceDebug <string>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From delegated principal {0}", delegatedPrincipal.ToString());
return(delegatedPrincipal.GetUserName());
}
try
{
return(identity.GetSafeName(true));
}
catch (Exception ex)
{
ExTraceGlobals.UserTokenTracer.TraceError <Exception>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] GetSafeName throws exception {0}", ex);
HttpLogger.SafeAppendGenericError("BuildUserTokenModule.GetUserName", ex.ToString(), false);
}
SecurityIdentifier userSid = this.GetUserSid(commonAccessToken, identity);
if (userSid != null)
{
ExTraceGlobals.UserTokenTracer.TraceDebug <string>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From user sid {0}", userSid.ToString());
return(userSid.ToString());
}
return(null);
}
internal static bool TryFindOrganizationIdForDelegatedPrincipal(DelegatedPrincipal principal, out OrganizationId orgId)
{
orgId = null;
ExchangeConfigurationUnit exchangeConfigurationUnit = null;
Exception ex = null;
try
{
exchangeConfigurationUnit = ExchangeAuthorizationPlugin.GetExchangeConfigurationUnitByNameOrAcceptedDomain(principal.DelegatedOrganization);
}
catch (CannotResolveTenantNameException ex2)
{
ex = ex2;
}
catch (DataSourceOperationException ex3)
{
ex = ex3;
}
catch (TransientException ex4)
{
ex = ex4;
}
catch (DataValidationException ex5)
{
ex = ex5;
}
if (ex != null)
{
AuthZLogger.SafeAppendGenericError("TryFindOrganizationIdForDelegatedPrincipal", ex, new Func <Exception, bool>(KnownException.IsUnhandledException));
TaskLogger.LogRbacEvent(TaskEventLogConstants.Tuple_FailedToResolveOrganizationIdForDelegatedPrincipal, null, new object[]
{
principal.DelegatedOrganization,
ex
});
return(false);
}
orgId = exchangeConfigurationUnit.OrganizationId;
return(true);
}
// Token: 0x060000EB RID: 235 RVA: 0x00005DD4 File Offset: 0x00003FD4
private static AnchorMailbox CreateFromLogonIdentity(IRequestContext requestContext)
{
HttpContext httpContext = requestContext.HttpContext;
IPrincipal user = httpContext.User;
IIdentity identity = httpContext.User.Identity;
string text;
HttpContextItemParser.TryGetLiveIdMemberName(httpContext.Items, ref text);
OAuthIdentity oauthIdentity = identity as OAuthIdentity;
if (oauthIdentity != null)
{
string externalDirectoryObjectId;
if (RequestHeaderParser.TryGetExternalDirectoryObjectId(httpContext.Request.Headers, ref externalDirectoryObjectId))
{
requestContext.Logger.SafeSet(3, "OAuthIdentity-ExternalDirectoryObjectId");
return(new ExternalDirectoryObjectIdAnchorMailbox(externalDirectoryObjectId, oauthIdentity.OrganizationId, requestContext));
}
if (oauthIdentity.ActAsUser != null)
{
requestContext.Logger.SafeSet(3, "OAuthIdentity-ActAsUser");
return(new OAuthActAsUserAnchorMailbox(oauthIdentity.ActAsUser, requestContext));
}
requestContext.Logger.SafeSet(3, "OAuthIdentity-AppOrganization");
return(new OrganizationAnchorMailbox(oauthIdentity.OrganizationId, requestContext));
}
else
{
GenericSidIdentity genericSidIdentity = identity as GenericSidIdentity;
if (genericSidIdentity != null)
{
requestContext.Logger.SafeSet(3, "GenericSidIdentity");
return(new SidAnchorMailbox(genericSidIdentity.Sid, requestContext)
{
PartitionId = genericSidIdentity.PartitionId,
SmtpOrLiveId = text
});
}
DelegatedPrincipal delegatedPrincipal = user as DelegatedPrincipal;
if (delegatedPrincipal != null && delegatedPrincipal.DelegatedOrganization != null && string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(3, "DelegatedPrincipal-DelegatedOrganization");
return(new DomainAnchorMailbox(delegatedPrincipal.DelegatedOrganization, requestContext));
}
WindowsIdentity windowsIdentity = identity as WindowsIdentity;
if (windowsIdentity != null)
{
if (string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(3, "WindowsIdentity");
}
else
{
requestContext.Logger.SafeSet(3, "WindowsIdentity-LiveIdMemberName");
}
return(new SidAnchorMailbox(windowsIdentity.User, requestContext)
{
SmtpOrLiveId = text
});
}
SecurityIdentifier securityIdentifier = null;
if (IIdentityExtensions.TryGetSecurityIdentifier(identity, ref securityIdentifier) && !securityIdentifier.Equals(AuthCommon.MemberNameNullSid))
{
if (string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(3, "SID");
}
else
{
requestContext.Logger.SafeSet(3, "SID-LiveIdMemberName");
}
return(new SidAnchorMailbox(securityIdentifier, requestContext)
{
SmtpOrLiveId = text
});
}
if (!HttpProxySettings.IdentityIndependentAuthBehaviorEnabled.Value && requestContext.AuthBehavior.AuthState != AuthState.FrontEndFullAuth)
{
AnchorMailbox anchorMailbox = requestContext.AuthBehavior.CreateAuthModuleSpecificAnchorMailbox(requestContext);
if (anchorMailbox != null)
{
return(anchorMailbox);
}
}
if (!string.IsNullOrEmpty(text) && SmtpAddress.IsValidSmtpAddress(text))
{
requestContext.Logger.SafeSet(3, "Smtp-LiveIdMemberName");
return(new SmtpAnchorMailbox(text, requestContext));
}
throw new InvalidOperationException(string.Format("Unknown idenity {0} with type {1}.", IIdentityExtensions.GetSafeName(identity, true), identity.ToString()));
}
}
// Token: 0x060072B7 RID: 29367 RVA: 0x0017B9E0 File Offset: 0x00179BE0
public DelegatedPrincipalBudgetKey(DelegatedPrincipal principal, BudgetType budgetType) : base(budgetType, false)
{
this.cachedToString = string.Format("Delegated~{0}~{1}~{2}", principal.DelegatedOrganization, principal.UserId, budgetType);
this.principal = principal;
this.cachedHashCode = (base.BudgetType.GetHashCode() ^ this.principal.DelegatedOrganization.GetHashCode() ^ this.principal.UserId.GetHashCode());
}
public RBACContext(DelegatedPrincipal executingUser) : this(executingUser, null, null, null, null, false)
{
}
public static AnchorRunspaceProxy CreateRunspaceForDelegatedPartner(AnchorContext context, DelegatedPrincipal delegatedPartnerAdmin, string tenantOrganization)
{
AnchorUtil.ThrowOnNullArgument(delegatedPartnerAdmin, "delegatedTenantAdmin");
AnchorUtil.ThrowOnNullOrEmptyArgument(tenantOrganization, "tenantOrganization");
context.Logger.Log(MigrationEventType.Verbose, "AnchorRunspaceProxy. Creating delegated partner runspace proxy for user {0}", new object[]
{
delegatedPartnerAdmin
});
ExchangeRunspaceConfigurationSettings configSettings = new ExchangeRunspaceConfigurationSettings(ExchangeRunspaceConfigurationSettings.ExchangeApplication.SimpleDataMigration, tenantOrganization, ExchangeRunspaceConfigurationSettings.GetDefaultInstance().CurrentSerializationLevel);
return(new AnchorRunspaceProxy(context, AnchorRunspaceProxy.RunspaceFactoryWithDCAffinity.CreateRbacFactory(context, delegatedPartnerAdmin.ToString(), delegatedPartnerAdmin.Identity, configSettings)));
}
private static AnchorMailbox CreateFromLogonIdentity(IRequestContext requestContext)
{
HttpContext httpContext = requestContext.HttpContext;
IPrincipal user = httpContext.User;
IIdentity identity = httpContext.User.Identity;
string text = httpContext.Items[Constants.WLIDMemberName] as string;
OAuthIdentity oauthIdentity = identity as OAuthIdentity;
if (oauthIdentity != null)
{
string text2 = httpContext.Request.Headers[Constants.ExternalDirectoryObjectIdHeaderName];
if (!string.IsNullOrEmpty(text2))
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "OAuthIdentity-ExternalDirectoryObjectId");
return(new ExternalDirectoryObjectIdAnchorMailbox(text2, oauthIdentity.OrganizationId, requestContext));
}
if (oauthIdentity.ActAsUser != null)
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "OAuthIdentity-ActAsUser");
return(new OAuthActAsUserAnchorMailbox(oauthIdentity.ActAsUser, requestContext));
}
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "OAuthIdentity-AppOrganization");
return(new OrganizationAnchorMailbox(oauthIdentity.OrganizationId, requestContext));
}
else
{
GenericSidIdentity genericSidIdentity = identity as GenericSidIdentity;
if (genericSidIdentity != null)
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "GenericSidIdentity");
return(new SidAnchorMailbox(genericSidIdentity.Sid, requestContext)
{
PartitionId = genericSidIdentity.PartitionId,
SmtpOrLiveId = text
});
}
DelegatedPrincipal delegatedPrincipal = user as DelegatedPrincipal;
if (delegatedPrincipal != null && delegatedPrincipal.DelegatedOrganization != null && string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "DelegatedPrincipal-DelegatedOrganization");
return(new DomainAnchorMailbox(delegatedPrincipal.DelegatedOrganization, requestContext));
}
WindowsIdentity windowsIdentity = identity as WindowsIdentity;
if (windowsIdentity != null)
{
if (string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "WindowsIdentity");
}
else
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "WindowsIdentity-LiveIdMemberName");
}
return(new SidAnchorMailbox(windowsIdentity.User, requestContext)
{
SmtpOrLiveId = text
});
}
try
{
SecurityIdentifier securityIdentifier = identity.GetSecurityIdentifier();
if (!securityIdentifier.Equals(AuthCommon.MemberNameNullSid))
{
if (string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "SID");
}
else
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "SID-LiveIdMemberName");
}
return(new SidAnchorMailbox(securityIdentifier, requestContext)
{
SmtpOrLiveId = text
});
}
}
catch (Exception)
{
}
if (requestContext.AuthBehavior.AuthState != AuthState.FrontEndFullAuth)
{
AnchorMailbox anchorMailbox = requestContext.AuthBehavior.CreateAuthModuleSpecificAnchorMailbox(requestContext);
if (anchorMailbox != null)
{
return(anchorMailbox);
}
}
if (!string.IsNullOrEmpty(text))
{
requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "Smtp-LiveIdMemberName");
return(new SmtpAnchorMailbox(text, requestContext));
}
throw new InvalidOperationException(string.Format("Unknown idenity {0} with type {1}.", identity.GetSafeName(true), identity.ToString()));
}
}
public static AnchorRunspaceProxy CreateRunspaceForDelegatedTenantAdmin(AnchorContext context, DelegatedPrincipal delegatedTenantAdmin)
{
AnchorUtil.ThrowOnNullArgument(delegatedTenantAdmin, "delegatedTenantAdmin");
context.Logger.Log(MigrationEventType.Verbose, "AnchorRunspaceProxy. Creating delegated runspace proxy for user {0}", new object[]
{
delegatedTenantAdmin
});
ExchangeRunspaceConfigurationSettings configSettings = new ExchangeRunspaceConfigurationSettings(ExchangeRunspaceConfigurationSettings.ExchangeApplication.SimpleDataMigration, null, ExchangeRunspaceConfigurationSettings.SerializationLevel.None);
return(new AnchorRunspaceProxy(context, AnchorRunspaceProxy.RunspaceFactoryWithDCAffinity.CreateRbacFactory(context, delegatedTenantAdmin.ToString(), delegatedTenantAdmin.Identity, configSettings)));
}
internal static ClientSecurityContext GetSecurityContextForUser(ISecurityAccessToken executingUser, DelegatedPrincipal delegatedPrincipal, ADUser trackedUser)
{
bool enabled = VariantConfiguration.InvariantNoFlightingSnapshot.Global.MultiTenancy.Enabled;
ExTraceGlobals.TaskTracer.TraceDebug <string, string, bool>(0L, "executing-user={0}, tracked-user={1}, ismultitenancyenabled={2}", (executingUser != null) ? executingUser.UserSid.ToString() : delegatedPrincipal.ToString(), trackedUser.Sid.Value, enabled);
if (!enabled || (executingUser != null && string.Equals(executingUser.UserSid, trackedUser.Sid.Value, StringComparison.OrdinalIgnoreCase)))
{
ExTraceGlobals.TaskTracer.TraceDebug(0L, "executing-user == tracked-user or we are not running in a Multi Tenant environment.");
return(new ClientSecurityContext(executingUser, AuthzFlags.AuthzSkipTokenGroups));
}
WindowsIdentity identity;
try
{
ExTraceGlobals.TaskTracer.TraceDebug(0L, "executing-user != tracked-user");
if (string.IsNullOrEmpty(trackedUser.UserPrincipalName))
{
ExTraceGlobals.TaskTracer.TraceError <ADObjectId>(0L, "Null/Empty UPN for user {0}", trackedUser.Id);
Strings.TrackingErrorUserObjectCorrupt(trackedUser.Id.ToString(), "UserPrincipalName");
string data = string.Format("Missing UserPrincipalName attribute for user {0}", trackedUser.Id.ToString());
TrackingError trackingError = new TrackingError(ErrorCode.InvalidADData, string.Empty, data, string.Empty);
throw new TrackingFatalException(trackingError, null, false);
}
identity = new WindowsIdentity(trackedUser.UserPrincipalName);
}
catch (UnauthorizedAccessException ex)
{
ExTraceGlobals.TaskTracer.TraceError <string, UnauthorizedAccessException>(0L, "Not authorized to get WindowsIdentity for {0}, Exception: {1}", trackedUser.UserPrincipalName, ex);
TrackingError trackingError2 = new TrackingError(ErrorCode.UnexpectedErrorPermanent, string.Empty, string.Format("Cannot logon as {0}", trackedUser.Id.ToString()), ex.ToString());
throw new TrackingFatalException(trackingError2, ex, false);
}
catch (SecurityException arg)
{
ExTraceGlobals.TaskTracer.TraceError <string, SecurityException>(0L, "Not authorized to get WindowsIdentity for {0}, falling back to ExecutingUser, Exception: {1}", trackedUser.UserPrincipalName, arg);
return(new ClientSecurityContext(executingUser, AuthzFlags.AuthzSkipTokenGroups));
}
return(new ClientSecurityContext(identity));
}
// Token: 0x06000058 RID: 88 RVA: 0x00003368 File Offset: 0x00001568
private void Deserialize(Stream stream)
{
using (BinaryReader binaryReader = new BinaryReader(stream))
{
this.ReadAndValidateFieldType(binaryReader, 'V', Strings.MissingVersion);
this.Version = this.BinaryRead <ushort>(new Func <ushort>(binaryReader.ReadUInt16), Strings.MissingVersion);
this.ReadAndValidateFieldType(binaryReader, 'A', Strings.MissingAuthenticationType);
string value = this.BinaryRead <string>(new Func <string>(binaryReader.ReadString), Strings.MissingAuthenticationType);
AuthenticationType authenticationType;
if (!Enum.TryParse <AuthenticationType>(value, out authenticationType))
{
ExTraceGlobals.UserTokenTracer.TraceError <AuthenticationType>(0L, "Invalid authentication type {0}", authenticationType);
throw new UserTokenException(Strings.InvalidDelegatedPrincipal(value));
}
this.AuthenticationType = authenticationType;
this.ReadAndValidateFieldType(binaryReader, 'D', Strings.MissingDelegatedPrincipal);
string text = this.ReadNullableString(binaryReader, Strings.MissingDelegatedPrincipal);
DelegatedPrincipal delegatedPrincipal = null;
if (text != null && !DelegatedPrincipal.TryParseDelegatedString(text, out delegatedPrincipal))
{
ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid delegated principal {0}", text);
throw new UserTokenException(Strings.InvalidDelegatedPrincipal(text));
}
this.DelegatedPrincipal = delegatedPrincipal;
this.ReadAndValidateFieldType(binaryReader, 'L', Strings.MissingWindowsLiveId);
this.WindowsLiveId = this.ReadNullableString(binaryReader, Strings.MissingWindowsLiveId);
this.ReadAndValidateFieldType(binaryReader, 'N', Strings.MissingUserName);
this.UserName = this.ReadNullableString(binaryReader, Strings.MissingUserName);
this.ReadAndValidateFieldType(binaryReader, 'U', Strings.MissingUserSid);
string text2 = this.ReadNullableString(binaryReader, Strings.MissingUserSid);
if (text2 != null)
{
try
{
this.UserSid = new SecurityIdentifier(text2);
}
catch (ArgumentException innerException)
{
ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid user sid {0}", text2);
throw new UserTokenException(Strings.InvalidUserSid(text2), innerException);
}
}
this.ReadAndValidateFieldType(binaryReader, 'P', Strings.MissingPartitionId);
string text3 = this.ReadNullableString(binaryReader, Strings.MissingPartitionId);
PartitionId partitionId = null;
if (text3 != null && !PartitionId.TryParse(text3, out partitionId))
{
ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid partition id {0}", text3);
throw new UserTokenException(Strings.InvalidPartitionId(text3));
}
this.PartitionId = partitionId;
this.ReadAndValidateFieldType(binaryReader, 'O', Strings.MissingOrganization);
string text4 = this.ReadNullableString(binaryReader, Strings.MissingOrganization);
if (text4 != null)
{
byte[] bytes;
try
{
bytes = Convert.FromBase64String(text4);
}
catch (FormatException innerException2)
{
ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid organization id {0}", text4);
throw new UserTokenException(Strings.InvalidOrganization(text4), innerException2);
}
OrganizationId organization;
if (!OrganizationId.TryCreateFromBytes(bytes, Encoding.UTF8, out organization))
{
ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid organization id {0}", text4);
throw new UserTokenException(Strings.InvalidOrganization(text4));
}
this.Organization = organization;
}
this.ReadAndValidateFieldType(binaryReader, 'M', Strings.MissingManagedOrganization);
this.ManagedOrganization = this.ReadNullableString(binaryReader, Strings.MissingManagedOrganization);
this.ReadAndValidateFieldType(binaryReader, 'W', Strings.MissingAppPasswordUsed);
this.AppPasswordUsed = this.BinaryRead <bool>(new Func <bool>(binaryReader.ReadBoolean), Strings.MissingAppPasswordUsed);
int num = (int)(binaryReader.BaseStream.Length - binaryReader.BaseStream.Position);
if (num > 0)
{
byte[] array = binaryReader.ReadBytes(num);
array = this.Decompress(array);
this.CommonAccessToken = CommonAccessToken.Deserialize(Encoding.UTF8.GetString(array));
}
else
{
this.CommonAccessToken = null;
}
}
}
// Token: 0x0600128C RID: 4748 RVA: 0x0003BF11 File Offset: 0x0003A111
internal PswsAuthZUserToken(DelegatedPrincipal delegatedPrincipal, ADRawEntry userEntry, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, string defaultUserName, string executingUserName) : base(delegatedPrincipal, userEntry, authenticationType, defaultUserName)
{
ExAssert.RetailAssert(!string.IsNullOrWhiteSpace(executingUserName), "The executingUserName should not be null or white space.");
this.ExecutingUserName = executingUserName;
}
private static IIdentity InternalGetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, out string sessionId, out string firstRequestId)
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
userToken = null;
sessionId = null;
firstRequestId = null;
if (psPrincipal.Identity.AuthenticationType.StartsWith("Cafe-", StringComparison.OrdinalIgnoreCase))
{
using (WinRMDataReceiver winRMDataReceiver = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
{
userToken = winRMDataReceiver.UserToken;
sessionId = winRMDataReceiver.SessionId;
firstRequestId = winRMDataReceiver.RequestId;
string text = winRMDataReceiver.AuthenticationType.Substring("Cafe-".Length);
if (text.Equals("GenericIdentity", StringComparison.OrdinalIgnoreCase))
{
return(AuthZPluginHelper.ConstructGenericIdentityFromUserToken(userToken));
}
if (userToken.CommonAccessToken != null)
{
return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
}
}
}
if (DelegatedPrincipal.DelegatedAuthenticationType.Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.RemotePowerShellDelegated;
return(DelegatedPrincipal.GetDelegatedIdentity(psPrincipal.Identity.Name));
}
if (psPrincipal.WindowsIdentity != null)
{
string authenticationType2 = psPrincipal.Identity.AuthenticationType;
if (authenticationType2 != null && authenticationType2.StartsWith("Converted-", StringComparison.OrdinalIgnoreCase))
{
if (authenticationType2.StartsWith("Converted-Kerberos", StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
}
else
{
AuthZLogger.SafeAppendGenericError("InternalGetExecutingUserIdentity", "Unexpected AuthenticationType " + authenticationType2, true);
}
using (WinRMDataReceiver winRMDataReceiver2 = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
{
userToken = winRMDataReceiver2.UserToken;
sessionId = winRMDataReceiver2.SessionId;
firstRequestId = winRMDataReceiver2.RequestId;
if (userToken.CommonAccessToken == null)
{
throw new AuthzException("DEV BUG, the CommonAccessToken should not be NULL when passing from Locally Kerberos logon.");
}
return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
}
}
if ("CertificateLinkedUser".Equals(authenticationType2, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.CertificateLinkedUser;
return(new GenericIdentity(psPrincipal.Identity.Name));
}
try
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Certificate;
new SecurityIdentifier(psPrincipal.Identity.Name);
return(new GenericIdentity(psPrincipal.Identity.Name));
}
catch (ArgumentException)
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
return(psPrincipal.WindowsIdentity);
}
}
if ("RPS".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Kerberos".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Basic".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
SecurityIdentifier securityIdentifier = (SecurityIdentifier) new NTAccount(psPrincipal.Identity.Name).Translate(typeof(SecurityIdentifier));
return(new GenericIdentity(securityIdentifier.ToString()));
}
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
return(new GenericIdentity(psPrincipal.Identity.Name));
}
