/// <summary>
/// Records the AD user resolved for <paramref name="certificateId"/> in the module-level
/// certificate cache. A no-op when <c>IsUserCacheEnabled()</c> reports the cache as disabled.
/// </summary>
/// <param name="certificateId">Issuer/subject pair used as the cache key.</param>
/// <param name="user">The AD user to associate with that key.</param>
private static void AddUserToCache(X509Identifier certificateId, ADUser user)
{
    bool cacheEnabled = CertificateHeaderAuthModule.IsUserCacheEnabled();
    if (cacheEnabled)
    {
        CertificateHeaderAuthModule.certCache.AddUser(certificateId, user);
    }
}
/// <summary>
/// Looks up a previously cached AD user for <paramref name="certificateId"/>.
/// </summary>
/// <param name="certificateId">Issuer/subject pair used as the cache key.</param>
/// <returns>
/// The cached user, or null when the cache is disabled (<c>IsUserCacheEnabled()</c> false)
/// or <c>certCache.GetUser</c> has no entry.
/// </returns>
private static ADUser GetUserFromCache(X509Identifier certificateId)
{
    if (CertificateHeaderAuthModule.IsUserCacheEnabled())
    {
        return CertificateHeaderAuthModule.certCache.GetUser(certificateId);
    }
    return null;
}
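/// <summary>
/// <c>HttpApplication.AuthenticateRequest</c> handler. Maps the client-certificate issuer and
/// subject carried in the <c>X-Exchange-PowerShell-Client-Cert-*</c> request headers to an AD
/// user and, on success, sets <c>context.User</c> to a <see cref="GenericPrincipal"/> for it.
/// Does nothing when the request is already authenticated or when
/// <c>IsValidCertificateHeaderRequest</c> rejects it.
/// </summary>
/// <param name="source">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="args">Unused event arguments.</param>
/// <remarks>
/// SECURITY: the identity asserted here is derived entirely from request headers; nothing in
/// this method inspects or validates an actual certificate. The whole path is only safe if
/// <c>IsValidCertificateHeaderRequest</c> (not visible in this listing) guarantees that those
/// headers were set by a trusted front end and cannot be supplied or overridden by the client
/// — confirm that before relying on this module. The same headers feed the user cache key, so
/// that guarantee covers cache lookups as well.
///
/// Fixes relative to the previous version:
/// (1) the AD-transient retry loop now rethrows once the retry budget is exhausted. Before,
///     the rethrow was guarded by <c>i &gt; maxRetryForADTransient</c>, which can never be true
///     because <c>i</c> is only incremented from below that bound, so after the last retry the
///     loop simply ended and the request continued with no principal and no surfaced error;
/// (2) the non-transient catch no longer labels its log line "AD Transient Error";
/// (3) the tenant OU is written to this handler's <c>context.Items</c> instead of
///     <c>HttpContext.Current.Items</c>, consistent with the rest of the method.
/// </remarks>
private static void OnAuthenticateRequest(object source, EventArgs args)
{
    HttpApplication application = (HttpApplication)source;
    HttpContext context = application.Context;
    if (context.Request.IsAuthenticated)
    {
        return;
    }
    HttpRequest request = context.Request;
    if (!CertificateHeaderAuthModule.IsValidCertificateHeaderRequest(request))
    {
        return;
    }
    // Read once; used only for logging. The lookup key itself is built by CreateCertificateIdentity.
    string certSubject = request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"];
    Logger.LogVerbose("Request of Authentication for certificate {0}.", new object[] { certSubject });
    int attempt = 0;
    while (attempt < CertificateHeaderAuthModule.maxRetryForADTransient)
    {
        try
        {
            X509Identifier certificateId = CertificateHeaderAuthModule.CreateCertificateIdentity(request);
            ADUser user = CertificateHeaderAuthModule.ResolveUser(certificateId);
            if (user == null)
            {
                // Headers were accepted but map to no AD account: leave the request unauthenticated.
                Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, certSubject, new object[] { certSubject, "CertificateHeader" });
                Logger.LogVerbose("Certificate authentication succeeded but certificate {0} cannot be mapped to an AD account.", new object[] { certSubject });
                break;
            }
            // Build the identity before touching context state so a failing WindowsIdentity
            // constructor leaves the context untouched (same order as before).
            IIdentity identity = CertificateHeaderAuthModule.CreateIdentity(user);
            if (!OrganizationId.ForestWideOrgId.Equals(user.OrganizationId))
            {
                // Non-forest-wide org: record the tenant OU for downstream consumers.
                context.Items[CertificateAuthenticationModule.TenantCertificateOrganizaitonItemName] = user.OrganizationId.OrganizationalUnit.Name;
            }
            context.User = new GenericPrincipal(identity, new string[0]);
            Logger.LogVerbose("User correctly authenticated and linked to Certificate {0}.", new object[] { certSubject });
            if (attempt > 0)
            {
                // Succeeded only after at least one transient AD failure; record the recovery.
                Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientRecovery, null, new object[] { certSubject, attempt, "CertificateHeader" });
            }
            break;
        }
        catch (ADTransientException ex)
        {
            attempt++;
            if (attempt == 1)
            {
                // Event-log the first transient failure only; later ones go to the verbose/error log.
                Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientError, null, new object[] { ex, certSubject, "CertificateHeader" });
            }
            Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", certSubject), ex);
            // Retry budget exhausted: surface the failure rather than falling out of the loop
            // with the request silently left unauthenticated.
            if (attempt >= CertificateHeaderAuthModule.maxRetryForADTransient)
            {
                throw;
            }
        }
        catch (Exception ex2)
        {
            // Anything non-transient is fatal for this request: log and propagate.
            Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_ServerError, null, new object[] { ex2, certSubject, "CertificateHeader" });
            Logger.LogError(string.Format("Error when processing certificate authentication {0}.", certSubject), ex2);
            throw;
        }
    }
}

/// <summary>
/// Cache-first resolution of <paramref name="certificateId"/> to an AD user: consults the
/// module cache, falls back to <c>CertificateAuthenticationModule.ResolveCertificate</c>, and
/// caches a successful fallback result. Returns null when neither source yields a user.
/// </summary>
private static ADUser ResolveUser(X509Identifier certificateId)
{
    ADUser user = CertificateHeaderAuthModule.GetUserFromCache(certificateId);
    if (user == null)
    {
        user = CertificateAuthenticationModule.ResolveCertificate(certificateId, null);
        if (user != null)
        {
            CertificateHeaderAuthModule.AddUserToCache(certificateId, user);
        }
    }
    return user;
}

/// <summary>
/// Builds the <see cref="IIdentity"/> for a resolved user: a <see cref="GenericIdentity"/> keyed
/// by SID (authentication type "CertificateLinkedUser") for linked users, otherwise a
/// <see cref="WindowsIdentity"/> constructed from the user's UPN.
/// </summary>
private static IIdentity CreateIdentity(ADUser user)
{
    if (user.RecipientTypeDetails == RecipientTypeDetails.LinkedUser)
    {
        return new GenericIdentity(user.Sid.ToString(), "CertificateLinkedUser");
    }
    return new WindowsIdentity(user.UserPrincipalName);
}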
/// <summary>
/// Builds the <see cref="X509Identifier"/> (issuer DN, subject DN) used as the lookup and cache
/// key for this request, from the <c>X-Exchange-PowerShell-Client-Cert-Issuer</c> and
/// <c>X-Exchange-PowerShell-Client-Cert-Subject</c> headers after <c>FixCertificateDN</c>.
/// </summary>
/// <param name="request">The incoming request whose headers are read.</param>
/// <returns>An identifier built from the two (normalised) header values.</returns>
/// <remarks>
/// NOTE(review): both inputs are raw request headers and this helper performs no validation of
/// its own; whether a client can inject them is decided solely by the caller's
/// <c>IsValidCertificateHeaderRequest</c> check, which is not visible here.
/// </remarks>
private static X509Identifier CreateCertificateIdentity(HttpRequest request)
{
    string issuerDn = CertificateHeaderAuthModule.FixCertificateDN(request.Headers["X-Exchange-PowerShell-Client-Cert-Issuer"]);
    string subjectDn = CertificateHeaderAuthModule.FixCertificateDN(request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]);
    return new X509Identifier(issuerDn, subjectDn);
}