public static IntPtr GetAccessToken(SecHandle serverContext)
{
IntPtr accessToken;
uint result = QueryContextAttributes(ref serverContext, SECPKG_ATTR_ACCESS_TOKEN, out accessToken);
if (result == SEC_E_OK)
{
return(accessToken);
}
else
{
return(IntPtr.Zero);
}
}
public static string GetUserName(SecHandle context)
{
string userName;
uint result = QueryContextAttributes(ref context, SECPKG_ATTR_NAME, out userName);
if (result == SEC_E_OK)
{
return(userName);
}
else
{
return(null);
}
}
/// <summary>
/// Windows Vista or newer is required for SECPKG_ATTR_SESSION_KEY to work.
/// Windows XP / Server 2003 will return SEC_E_INVALID_TOKEN.
/// </summary>
public static byte[] GetSessionKey(SecHandle context)
{
SecPkgContext_SessionKey sessionKey;
uint result = QueryContextAttributes(ref context, SECPKG_ATTR_SESSION_KEY, out sessionKey);
if (result == SEC_E_OK)
{
int length = (int)sessionKey.SessionKeyLength;
byte[] sessionKeyBytes = new byte[length];
Marshal.Copy(sessionKey.SessionKey, sessionKeyBytes, 0, length);
return(sessionKeyBytes);
}
else
{
return(null);
}
}
public override bool DeleteSecurityContext(ref object context)
{
AuthContext authContext = context as AuthContext;
if (authContext == null)
{
return(false);
}
SecHandle handle = ((AuthContext)context).ServerContext;
uint result = SSPIHelper.DeleteSecurityContext(ref handle);
bool success = (result == 0); // SEC_E_OK
if (success)
{
context = null;
}
return(success);
}
public static byte[] GetType2Message(byte[] type1MessageBytes, out SecHandle serverContext)
{
SecHandle credentialsHandle = AcquireNTLMCredentialsHandle();
SecBuffer inputBuffer = new SecBuffer(type1MessageBytes);
SecBufferDesc input = new SecBufferDesc(inputBuffer);
serverContext = new SecHandle();
SecBuffer outputBuffer = new SecBuffer(MAX_TOKEN_SIZE);
SecBufferDesc output = new SecBufferDesc(outputBuffer);
uint contextAttributes;
SECURITY_INTEGER timestamp;
uint result = AcceptSecurityContext(ref credentialsHandle, IntPtr.Zero, ref input, ASC_REQ_INTEGRITY | ASC_REQ_CONFIDENTIALITY, SECURITY_NATIVE_DREP, ref serverContext, ref output, out contextAttributes, out timestamp);
if (result != SEC_E_OK && result != SEC_I_CONTINUE_NEEDED)
{
if (result == SEC_E_INVALID_HANDLE)
{
throw new Exception("AcceptSecurityContext failed, invalid handle");
}
else if (result == SEC_E_INVALID_TOKEN)
{
throw new Exception("InitializeSecurityContext failed, Invalid token");
}
else if (result == SEC_E_BUFFER_TOO_SMALL)
{
throw new Exception("AcceptSecurityContext failed, buffer too small");
}
else
{
throw new Exception("AcceptSecurityContext failed, error code 0x" + result.ToString("X"));
}
}
FreeCredentialsHandle(ref credentialsHandle);
byte[] messageBytes = output.GetBufferBytes(0);
inputBuffer.Dispose();
input.Dispose();
outputBuffer.Dispose();
output.Dispose();
return(messageBytes);
}
/// <summary>
/// AcceptSecurityContext will return SEC_E_LOGON_DENIED when the password is correct in these cases:
/// 1. The account is listed under the "Deny access to this computer from the network" list.
/// 2. 'limitblankpassworduse' is set to 1, non-guest is attempting to login with an empty password,
/// and the Guest account is disabled, has non-empty pasword set or listed under the "Deny access to this computer from the network" list.
///
/// Note: "If the Guest account is enabled, SSPI logon may succeed as Guest for user credentials that are not valid".
/// </summary>
/// <remarks>
/// 1. 'limitblankpassworduse' will not affect the Guest account.
/// 2. Listing the user in the "Deny access to this computer from the network" or the "Deny logon locally" lists will not affect AcceptSecurityContext if all of these conditions are met.
/// - 'limitblankpassworduse' is set to 1.
/// - The user has an empty password set.
/// - Guest is NOT listed in the "Deny access to this computer from the network" list.
/// - Guest is enabled and has empty pasword set.
/// </remarks>
public static bool AuthenticateType3Message(SecHandle serverContext, byte[] type3MessageBytes)
{
SecHandle newContext = new SecHandle();
SecBuffer inputBuffer = new SecBuffer(type3MessageBytes);
SecBufferDesc input = new SecBufferDesc(inputBuffer);
SecBuffer outputBuffer = new SecBuffer(MAX_TOKEN_SIZE);
SecBufferDesc output = new SecBufferDesc(outputBuffer);
uint contextAttributes;
SECURITY_INTEGER timestamp;
uint result = AcceptSecurityContext(IntPtr.Zero, ref serverContext, ref input, ASC_REQ_INTEGRITY | ASC_REQ_CONFIDENTIALITY, SECURITY_NATIVE_DREP, ref newContext, ref output, out contextAttributes, out timestamp);
inputBuffer.Dispose();
input.Dispose();
outputBuffer.Dispose();
output.Dispose();
if (result == SEC_E_OK)
{
return(true);
}
else if ((uint)result == SEC_E_LOGON_DENIED)
{
return(false);
}
else
{
if (result == SEC_E_INVALID_HANDLE)
{
throw new Exception("AcceptSecurityContext failed, invalid handle");
}
else if (result == SEC_E_INVALID_TOKEN)
{
throw new Exception("AcceptSecurityContext failed, invalid security token");
}
else
{
throw new Exception("AcceptSecurityContext failed, error code 0x" + result.ToString("X"));
}
}
}
public static byte[] GetType3Message(SecHandle clientContext, byte[] type2Message)
{
SecHandle newContext = new SecHandle();
SecBuffer inputBuffer = new SecBuffer(type2Message);
SecBufferDesc input = new SecBufferDesc(inputBuffer);
SecBuffer outputBuffer = new SecBuffer(MAX_TOKEN_SIZE);
SecBufferDesc output = new SecBufferDesc(outputBuffer);
uint contextAttributes;
SECURITY_INTEGER expiry;
uint result = InitializeSecurityContext(IntPtr.Zero, ref clientContext, null, ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY, 0, SECURITY_NATIVE_DREP, ref input, 0, ref newContext, ref output, out contextAttributes, out expiry);
if (result != SEC_E_OK)
{
if (result == SEC_E_INVALID_HANDLE)
{
throw new Exception("InitializeSecurityContext failed, invalid handle");
}
else if (result == SEC_E_INVALID_TOKEN)
{
throw new Exception("InitializeSecurityContext failed, Invalid token");
}
else if (result == SEC_E_BUFFER_TOO_SMALL)
{
throw new Exception("InitializeSecurityContext failed, buffer too small");
}
else
{
throw new Exception("InitializeSecurityContext failed, error code 0x" + result.ToString("X"));
}
}
byte[] messageBytes = output.GetBufferBytes(0);
inputBuffer.Dispose();
input.Dispose();
outputBuffer.Dispose();
output.Dispose();
return(messageBytes);
}
public AuthContext(SecHandle serverContext)
{
ServerContext = serverContext;
}
public static byte[] GetType1Message(string domainName, string userName, string password, out SecHandle clientContext)
{
SecHandle credentialsHandle = AcquireNTLMCredentialsHandle(domainName, userName, password);
clientContext = new SecHandle();
SecBuffer outputBuffer = new SecBuffer(MAX_TOKEN_SIZE);
SecBufferDesc output = new SecBufferDesc(outputBuffer);
uint contextAttributes;
SECURITY_INTEGER expiry;
uint result = InitializeSecurityContext(ref credentialsHandle, IntPtr.Zero, null, ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY, 0, SECURITY_NATIVE_DREP, IntPtr.Zero, 0, ref clientContext, ref output, out contextAttributes, out expiry);
if (result != SEC_E_OK && result != SEC_I_CONTINUE_NEEDED)
{
if (result == SEC_E_INVALID_HANDLE)
{
throw new Exception("InitializeSecurityContext failed, Invalid handle");
}
else if (result == SEC_E_BUFFER_TOO_SMALL)
{
throw new Exception("InitializeSecurityContext failed, Buffer too small");
}
else
{
throw new Exception("InitializeSecurityContext failed, Error code 0x" + result.ToString("X"));
}
}
FreeCredentialsHandle(ref credentialsHandle);
byte[] messageBytes = output.GetBufferBytes(0);
outputBuffer.Dispose();
output.Dispose();
return(messageBytes);
}
public static byte[] GetType1Message(string userName, string password, out SecHandle clientContext)
{
return(GetType1Message(String.Empty, userName, password, out clientContext));
}
public extern static uint DeleteSecurityContext(
ref SecHandle phContext
);
private extern static uint FreeCredentialsHandle(
ref SecHandle phCredential
);
private static extern uint QueryContextAttributes(
ref SecHandle phContext,
uint ulAttribute,
out SecPkgContext_SessionKey value);
private static extern uint QueryContextAttributes(
ref SecHandle phContext,
uint ulAttribute,
out IntPtr value);
