internal void ValidateCreateContext( string package, bool isServer, NetworkCredential credential, string servicePrincipalName, ChannelBinding channelBinding, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel) { if (_exception != null && !_canRetryAuthentication) { throw _exception; } if (_context != null && _context.IsValidContext) { throw new InvalidOperationException(SR.net_auth_reauth); } if (credential == null) { throw new ArgumentNullException("credential"); } if (servicePrincipalName == null) { throw new ArgumentNullException("servicePrincipalName"); } if (impersonationLevel != TokenImpersonationLevel.Identification && impersonationLevel != TokenImpersonationLevel.Impersonation && impersonationLevel != TokenImpersonationLevel.Delegation) { throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.net_auth_supported_impl_levels); } if (_context != null && IsServer != isServer) { throw new InvalidOperationException(SR.net_auth_client_server); } _exception = null; _remoteOk = false; _framer = new StreamFramer(_innerStream); _framer.WriteHeader.MessageId = FrameHeader.HandshakeId; _expectedProtectionLevel = protectionLevel; _expectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None; _writeSequenceNumber = 0; _readSequenceNumber = 0; Interop.SspiCli.ContextFlags flags = Interop.SspiCli.ContextFlags.Connection; // A workaround for the client when talking to Win9x on the server side. if (protectionLevel == ProtectionLevel.None && !isServer) { package = NegotiationInfoClass.NTLM; } else if (protectionLevel == ProtectionLevel.EncryptAndSign) { flags |= Interop.SspiCli.ContextFlags.Confidentiality; } else if (protectionLevel == ProtectionLevel.Sign) { // Assuming user expects NT4 SP4 and above. flags |= Interop.SspiCli.ContextFlags.ReplayDetect | Interop.SspiCli.ContextFlags.SequenceDetect | Interop.SspiCli.ContextFlags.InitIntegrity; } if (isServer) { if (_extendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported) { flags |= Interop.SspiCli.ContextFlags.AllowMissingBindings; } if (_extendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never && _extendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy) { flags |= Interop.SspiCli.ContextFlags.ProxyBindings; } } else { // Server side should not request any of these flags. if (protectionLevel != ProtectionLevel.None) { flags |= Interop.SspiCli.ContextFlags.MutualAuth; } if (impersonationLevel == TokenImpersonationLevel.Identification) { flags |= Interop.SspiCli.ContextFlags.InitIdentify; } if (impersonationLevel == TokenImpersonationLevel.Delegation) { flags |= Interop.SspiCli.ContextFlags.Delegate; } } _canRetryAuthentication = false; try { _context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding); } catch (Win32Exception e) { throw new AuthenticationException(SR.net_auth_SSPI, e); } }
internal void ValidateCreateContext(string package, bool isServer, NetworkCredential credential, string servicePrincipalName, ChannelBinding channelBinding, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel) { if ((this._Exception != null) && !this._CanRetryAuthentication) { throw this._Exception; } if ((this._Context != null) && this._Context.IsValidContext) { throw new InvalidOperationException(SR.GetString("net_auth_reauth")); } if (credential == null) { throw new ArgumentNullException("credential"); } if (servicePrincipalName == null) { throw new ArgumentNullException("servicePrincipalName"); } if (ComNetOS.IsWin9x && (protectionLevel != ProtectionLevel.None)) { throw new NotSupportedException(SR.GetString("net_auth_no_protection_on_win9x")); } if (((impersonationLevel != TokenImpersonationLevel.Identification) && (impersonationLevel != TokenImpersonationLevel.Impersonation)) && (impersonationLevel != TokenImpersonationLevel.Delegation)) { throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.GetString("net_auth_supported_impl_levels")); } if ((this._Context != null) && (this.IsServer != isServer)) { throw new InvalidOperationException(SR.GetString("net_auth_client_server")); } this._Exception = null; this._RemoteOk = false; this._Framer = new StreamFramer(this._InnerStream); this._Framer.WriteHeader.MessageId = 0x16; this._ExpectedProtectionLevel = protectionLevel; this._ExpectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None; this._WriteSequenceNumber = 0; this._ReadSequenceNumber = 0; ContextFlags connection = ContextFlags.Connection; if ((protectionLevel == ProtectionLevel.None) && !isServer) { package = "NTLM"; } else if (protectionLevel == ProtectionLevel.EncryptAndSign) { connection |= ContextFlags.Confidentiality; } else if (protectionLevel == ProtectionLevel.Sign) { connection |= ContextFlags.AcceptStream | ContextFlags.SequenceDetect | ContextFlags.ReplayDetect; } if (isServer) { if (this._ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported) { connection |= ContextFlags.AllowMissingBindings; } if ((this._ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never) && (this._ExtendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy)) { connection |= ContextFlags.ProxyBindings; } } else { if (protectionLevel != ProtectionLevel.None) { connection |= ContextFlags.MutualAuth; } if (impersonationLevel == TokenImpersonationLevel.Identification) { connection |= ContextFlags.AcceptIntegrity; } if (impersonationLevel == TokenImpersonationLevel.Delegation) { connection |= ContextFlags.Delegate; } } this._CanRetryAuthentication = false; if (!(credential is SystemNetworkCredential)) { ExceptionHelper.ControlPrincipalPermission.Demand(); } try { this._Context = new NTAuthentication(isServer, package, credential, servicePrincipalName, connection, channelBinding); } catch (Win32Exception exception) { throw new AuthenticationException(SR.GetString("net_auth_SSPI"), exception); } }
internal void ValidateCreateContext( string package, bool isServer, NetworkCredential credential, string servicePrincipalName, ChannelBinding channelBinding, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel) { if (_exception != null && !_canRetryAuthentication) { throw _exception; } if (_context != null && _context.IsValidContext) { throw new InvalidOperationException(SR.net_auth_reauth); } if (credential == null) { throw new ArgumentNullException(nameof(credential)); } if (servicePrincipalName == null) { throw new ArgumentNullException(nameof(servicePrincipalName)); } if (impersonationLevel != TokenImpersonationLevel.Identification && impersonationLevel != TokenImpersonationLevel.Impersonation && impersonationLevel != TokenImpersonationLevel.Delegation) { throw new ArgumentOutOfRangeException(nameof(impersonationLevel), impersonationLevel.ToString(), SR.net_auth_supported_impl_levels); } if (_context != null && IsServer != isServer) { throw new InvalidOperationException(SR.net_auth_client_server); } _exception = null; _remoteOk = false; _framer = new StreamFramer(_innerStream); _framer.WriteHeader.MessageId = FrameHeader.HandshakeId; _expectedProtectionLevel = protectionLevel; _expectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None; _writeSequenceNumber = 0; _readSequenceNumber = 0; Interop.SspiCli.ContextFlags flags = Interop.SspiCli.ContextFlags.Connection; // A workaround for the client when talking to Win9x on the server side. if (protectionLevel == ProtectionLevel.None && !isServer) { package = NegotiationInfoClass.NTLM; } else if (protectionLevel == ProtectionLevel.EncryptAndSign) { flags |= Interop.SspiCli.ContextFlags.Confidentiality; } else if (protectionLevel == ProtectionLevel.Sign) { // Assuming user expects NT4 SP4 and above. flags |= Interop.SspiCli.ContextFlags.ReplayDetect | Interop.SspiCli.ContextFlags.SequenceDetect | Interop.SspiCli.ContextFlags.InitIntegrity; } if (isServer) { if (_extendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported) { flags |= Interop.SspiCli.ContextFlags.AllowMissingBindings; } if (_extendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never && _extendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy) { flags |= Interop.SspiCli.ContextFlags.ProxyBindings; } } else { // Server side should not request any of these flags. if (protectionLevel != ProtectionLevel.None) { flags |= Interop.SspiCli.ContextFlags.MutualAuth; } if (impersonationLevel == TokenImpersonationLevel.Identification) { flags |= Interop.SspiCli.ContextFlags.InitIdentify; } if (impersonationLevel == TokenImpersonationLevel.Delegation) { flags |= Interop.SspiCli.ContextFlags.Delegate; } } _canRetryAuthentication = false; try { _context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding); } catch (Win32Exception e) { throw new AuthenticationException(SR.net_auth_SSPI, e); } }
// internal void ValidateCreateContext( string package, bool isServer, NetworkCredential credential, string servicePrincipalName, ChannelBinding channelBinding, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel ) { if (_Exception != null && !_CanRetryAuthentication) { throw _Exception; } if (_Context != null && _Context.IsValidContext) { throw new InvalidOperationException(SR.GetString(SR.net_auth_reauth)); } if (credential == null) { throw new ArgumentNullException("credential"); } if (servicePrincipalName == null) { throw new ArgumentNullException("servicePrincipalName"); } if (impersonationLevel != TokenImpersonationLevel.Identification && impersonationLevel != TokenImpersonationLevel.Impersonation && impersonationLevel != TokenImpersonationLevel.Delegation) { throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.GetString(SR.net_auth_supported_impl_levels)); } if (_Context != null && IsServer != isServer) { throw new InvalidOperationException(SR.GetString(SR.net_auth_client_server)); } _Exception = null; _RemoteOk = false; _Framer = new StreamFramer(_InnerStream); _Framer.WriteHeader.MessageId = FrameHeader.HandshakeId; _ExpectedProtectionLevel = protectionLevel; _ExpectedImpersonationLevel = isServer? impersonationLevel: TokenImpersonationLevel.None; _WriteSequenceNumber = 0; _ReadSequenceNumber = 0; ContextFlags flags = ContextFlags.Connection; // A workaround for the client when talking to Win9x on the server side if (protectionLevel == ProtectionLevel.None && !isServer) { package = NegotiationInfoClass.NTLM; } else if (protectionLevel == ProtectionLevel.EncryptAndSign) { flags |= ContextFlags.Confidentiality; } else if (protectionLevel == ProtectionLevel.Sign) { // Assuming user expects NT4 SP4 and above flags |= ContextFlags.ReplayDetect | ContextFlags.SequenceDetect | ContextFlags.InitIntegrity; } if (isServer) { if (_ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported) { flags |= ContextFlags.AllowMissingBindings; } if (_ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never && _ExtendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy) { flags |= ContextFlags.ProxyBindings; } } else { // According to lzhu server side should not request any of these flags if (protectionLevel != ProtectionLevel.None) { flags |= ContextFlags.MutualAuth; } if (impersonationLevel == TokenImpersonationLevel.Identification) { flags |= ContextFlags.InitIdentify; } if (impersonationLevel == TokenImpersonationLevel.Delegation) { flags |= ContextFlags.Delegate; } } _CanRetryAuthentication = false; // // Security: We used to rely on NetworkCredential class to demand permission // Switched over to explicit ControlPrincipalPermission demand (except for DefaultCredential case) // The mitigated attack is brute-force pasword guessing through SSPI. if (!(credential is SystemNetworkCredential)) { ExceptionHelper.ControlPrincipalPermission.Demand(); } try { // _Context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding); } catch (Win32Exception e) { throw new AuthenticationException(SR.GetString(SR.net_auth_SSPI), e); } }