Exemple #1
0
        // core Cred lookup code
        static async Task <(NetworkCredential, bool, TokenImpersonationLevel, bool)> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider, CancellationToken cancellationToken)
        {
            NetworkCredential credential               = null;
            bool extractGroupsForWindowsAccounts       = TransportDefaults.ExtractGroupsForWindowsAccounts;
            TokenImpersonationLevel impersonationLevel = TokenImpersonationLevel.Identification;
            bool allowNtlm = ConnectionOrientedTransportDefaults.AllowNtlm;

            if (tokenProvider != null)
            {
                SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken);

                if (token != null)
                {
                    extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
                    impersonationLevel = token.ImpersonationLevel;
                    allowNtlm          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        credential = token.NetworkCredential;
                        SecurityUtils.FixNetworkCredential(ref credential);
                    }
                }
            }

            // Initialize to the default value if no token provided. A partial trust app should not have access to the
            // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
            // getter will throw under partial trust.
            if (credential == null)
            {
                credential = CredentialCache.DefaultNetworkCredentials;
            }

            return(credential, extractGroupsForWindowsAccounts, impersonationLevel, allowNtlm);
        }
Exemple #2
0
        // core Cred lookup code
        static async Task <NetworkCredential> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider,
                                                                     OutWrapper <TokenImpersonationLevel> impersonationLevelWrapper,
                                                                     OutWrapper <bool> allowNtlmWrapper, CancellationToken cancellationToken)
        {
            NetworkCredential credential = null;

            impersonationLevelWrapper.Value = TokenImpersonationLevel.Identification;
            allowNtlmWrapper.Value          = ConnectionOrientedTransportDefaults.AllowNtlm;

            if (tokenProvider != null)
            {
                SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken);

                if (token != null)
                {
                    impersonationLevelWrapper.Value = token.ImpersonationLevel;
                    allowNtlmWrapper.Value          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        credential = token.NetworkCredential;
                        SecurityUtils.FixNetworkCredential(ref credential);
                    }
                }
            }

            // Initialize to the default value if no token provided. A partial trust app should not have access to the
            // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
            // getter will throw under partial trust.
            if (credential == null)
            {
                credential = CredentialCache.DefaultNetworkCredentials;
            }

            return(credential);
        }
Exemple #3
0
        private static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout, out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel, out bool allowNtlm)
        {
            NetworkCredential networkCredential = null;

            extractGroupsForWindowsAccounts = true;
            impersonationLevel = TokenImpersonationLevel.Identification;
            allowNtlm          = true;
            if (tokenProvider != null)
            {
                SspiSecurityToken token = GetToken <SspiSecurityToken>(tokenProvider, timeout);
                if (token != null)
                {
                    extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
                    impersonationLevel = token.ImpersonationLevel;
                    allowNtlm          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        networkCredential = token.NetworkCredential;
                        System.ServiceModel.Security.SecurityUtils.FixNetworkCredential(ref networkCredential);
                    }
                }
            }
            if (networkCredential == null)
            {
                networkCredential = CredentialCache.DefaultNetworkCredentials;
            }
            return(networkCredential);
        }
Exemple #4
0
            private void CompleteGetToken(IAsyncResult result)
            {
                SspiSecurityToken token = (SspiSecurityToken)this.credentialProvider.EndGetToken(result);

                if (token != null)
                {
                    this.impersonationLevel = token.ImpersonationLevel;
                    this.allowNtlm          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        this.credential = token.NetworkCredential;
                        System.ServiceModel.Security.SecurityUtils.FixNetworkCredential(ref this.credential);
                    }
                }
                this.EnsureCredentialInitialized();
            }
Exemple #5
0
        SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;

            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
            bool negotiateTokenOnOpen = (sspiChannelParameter == null ? true : sspiChannelParameter.GetTokenOnOpen);
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext      issuerBindingContext        = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            SpnegoTokenProvider spnegoTokenProvider         = new SpnegoTokenProvider(sspiChannelParameter != null ? sspiChannelParameter.CredentialsHandle : null, securityBindingElement);
            SspiSecurityToken   clientSspiToken             = GetSpnegoClientCredential(initiatorRequirement);

            spnegoTokenProvider.ClientCredential          = clientSspiToken.NetworkCredential;
            spnegoTokenProvider.IssuerAddress             = initiatorRequirement.IssuerAddress;
            spnegoTokenProvider.AllowedImpersonationLevel = parent.Windows.AllowedImpersonationLevel;
            spnegoTokenProvider.AllowNtlm              = clientSspiToken.AllowNtlm;
            spnegoTokenProvider.IdentityVerifier       = localClientSettings.IdentityVerifier;
            spnegoTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
            // if this is not a supporting token, authenticate the server
            spnegoTokenProvider.AuthenticateServer         = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty);
            spnegoTokenProvider.NegotiateTokenOnOpen       = negotiateTokenOnOpen;
            spnegoTokenProvider.CacheServiceTokens         = negotiateTokenOnOpen || localClientSettings.CacheCookies;
            spnegoTokenProvider.IssuerBindingContext       = issuerBindingContext;
            spnegoTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
            spnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
            spnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
            spnegoTokenProvider.TargetAddress    = targetAddress;
            spnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
            spnegoTokenProvider.ApplicationProtectionRequirements = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find <ChannelProtectionRequirements>() : null;
            spnegoTokenProvider.InteractiveNegoExLogonEnabled     = this.ClientCredentials.SupportInteractive;

            return(spnegoTokenProvider);
        }
Exemple #6
0
        private SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;

            if (targetAddress == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenRequirementDoesNotSpecifyTargetAddress", new object[] { initiatorRequirement }));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenProviderRequiresSecurityBindingElement", new object[] { initiatorRequirement }));
            }
            SspiIssuanceChannelParameter sspiIssuanceChannelParameter = this.GetSspiIssuanceChannelParameter(initiatorRequirement);
            bool flag = (sspiIssuanceChannelParameter == null) || sspiIssuanceChannelParameter.GetTokenOnOpen;
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext      property = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            SpnegoTokenProvider provider = new SpnegoTokenProvider((sspiIssuanceChannelParameter != null) ? sspiIssuanceChannelParameter.CredentialsHandle : null, securityBindingElement);
            SspiSecurityToken   spnegoClientCredential = this.GetSpnegoClientCredential(initiatorRequirement);

            provider.ClientCredential          = spnegoClientCredential.NetworkCredential;
            provider.IssuerAddress             = initiatorRequirement.IssuerAddress;
            provider.AllowedImpersonationLevel = this.parent.Windows.AllowedImpersonationLevel;
            provider.AllowNtlm                  = spnegoClientCredential.AllowNtlm;
            provider.IdentityVerifier           = localClientSettings.IdentityVerifier;
            provider.SecurityAlgorithmSuite     = initiatorRequirement.SecurityAlgorithmSuite;
            provider.AuthenticateServer         = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty);
            provider.NegotiateTokenOnOpen       = flag;
            provider.CacheServiceTokens         = flag || localClientSettings.CacheCookies;
            provider.IssuerBindingContext       = property;
            provider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
            provider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
            provider.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
            provider.TargetAddress    = targetAddress;
            provider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(ServiceModelSecurityTokenRequirement.ViaProperty, null);
            provider.ApplicationProtectionRequirements = (property != null) ? property.BindingParameters.Find <ChannelProtectionRequirements>() : null;
            provider.InteractiveNegoExLogonEnabled     = this.ClientCredentials.SupportInteractive;
            return(provider);
        }
Exemple #7
0
        // core Cred lookup code
        static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout,
                                                   out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel,
                                                   out bool allowNtlm)
        {
            NetworkCredential credential = null;

            extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
            impersonationLevel = TokenImpersonationLevel.Identification;
            allowNtlm          = ConnectionOrientedTransportDefaults.AllowNtlm;

            if (tokenProvider != null)
            {
                SspiSecurityToken token = TransportSecurityHelpers.GetToken <SspiSecurityToken>(tokenProvider, timeout);
                if (token != null)
                {
                    extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
                    impersonationLevel = token.ImpersonationLevel;
                    allowNtlm          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        credential = token.NetworkCredential;
                        SecurityUtils.FixNetworkCredential(ref credential);
                    }
                }
            }

            // Initialize to the default value if no token provided. A partial trust app should not have access to the
            // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
            // getter will throw under partial trust.
            if (credential == null)
            {
                credential = CredentialCache.DefaultNetworkCredentials;
            }

            return(credential);
        }
Exemple #8
0
        private SspiSecurityToken GetSpnegoClientCredential(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            ChannelParameterCollection parameters;
            InitiatorServiceModelSecurityTokenRequirement tokenRequirement = new InitiatorServiceModelSecurityTokenRequirement {
                TargetAddress             = initiatorRequirement.TargetAddress,
                TokenType                 = ServiceModelSecurityTokenTypes.SspiCredential,
                Via                       = initiatorRequirement.Via,
                RequireCryptographicToken = false,
                SecurityBindingElement    = initiatorRequirement.SecurityBindingElement,
                MessageSecurityVersion    = initiatorRequirement.MessageSecurityVersion
            };

            if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
            {
                tokenRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters;
            }
            SecurityTokenProvider tokenProvider = this.CreateSecurityTokenProvider(tokenRequirement);

            System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, TimeSpan.Zero);
            SspiSecurityToken token = (SspiSecurityToken)tokenProvider.GetToken(TimeSpan.Zero);

            System.ServiceModel.Security.SecurityUtils.AbortTokenProviderIfRequired(tokenProvider);
            return(token);
        }
Exemple #9
0
        SspiSecurityToken GetSpnegoClientCredential(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            InitiatorServiceModelSecurityTokenRequirement sspiCredentialRequirement = new InitiatorServiceModelSecurityTokenRequirement();

            sspiCredentialRequirement.TargetAddress             = initiatorRequirement.TargetAddress;
            sspiCredentialRequirement.TokenType                 = ServiceModelSecurityTokenTypes.SspiCredential;
            sspiCredentialRequirement.Via                       = initiatorRequirement.Via;
            sspiCredentialRequirement.RequireCryptographicToken = false;
            sspiCredentialRequirement.SecurityBindingElement    = initiatorRequirement.SecurityBindingElement;
            sspiCredentialRequirement.MessageSecurityVersion    = initiatorRequirement.MessageSecurityVersion;
            ChannelParameterCollection parameters;

            if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
            {
                sspiCredentialRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters;
            }
            SecurityTokenProvider sspiTokenProvider = this.CreateSecurityTokenProvider(sspiCredentialRequirement);

            SecurityUtils.OpenTokenProviderIfRequired(sspiTokenProvider, TimeSpan.Zero);
            SspiSecurityToken sspiToken = (SspiSecurityToken)sspiTokenProvider.GetToken(TimeSpan.Zero);

            SecurityUtils.AbortTokenProviderIfRequired(sspiTokenProvider);
            return(sspiToken);
        }
Exemple #10
0
 // service side ctor
 public SspiSecurityTokenProvider(NetworkCredential credential, bool extractGroupsForWindowsAccounts, bool allowUnauthenticatedCallers)
 {
     _token = new SspiSecurityToken(credential, extractGroupsForWindowsAccounts, allowUnauthenticatedCallers);
 }
Exemple #11
0
 // client side ctor
 public SspiSecurityTokenProvider(NetworkCredential credential, bool allowNtlm, TokenImpersonationLevel impersonationLevel)
 {
     _token = new SspiSecurityToken(impersonationLevel, allowNtlm, credential);
 }