public NTStatus AcceptSecurityContext(ref object context, byte[] inputToken, out byte[] outputToken)
{
outputToken = null;
if (!AuthenticationMessageUtils.IsSignatureValid(inputToken))
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
MessageTypeName messageType = AuthenticationMessageUtils.GetMessageType(inputToken);
if (messageType == MessageTypeName.Negotiate)
{
NegotiateMessage negotiateMessage;
try
{
negotiateMessage = new NegotiateMessage(inputToken);
}
catch
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
ChallengeMessage challengeMessage;
NTStatus status = GetChallengeMessage(out context, negotiateMessage, out challengeMessage);
outputToken = challengeMessage.GetBytes();
return(status);
}
else if (messageType == MessageTypeName.Authenticate)
{
AuthenticateMessage authenticateMessage;
try
{
authenticateMessage = new AuthenticateMessage(inputToken);
}
catch
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
return(Authenticate(context, authenticateMessage));
}
else
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
}
public override NTStatus GetChallengeMessage(out object context, NegotiateMessage negotiateMessage, out ChallengeMessage challengeMessage)
{
byte[] serverChallenge = GenerateServerChallenge();
context = new AuthContext(serverChallenge);
challengeMessage = new ChallengeMessage();
// https://msdn.microsoft.com/en-us/library/cc236691.aspx
challengeMessage.NegotiateFlags = NegotiateFlags.TargetTypeServer |
NegotiateFlags.TargetInfo |
NegotiateFlags.TargetNameSupplied |
NegotiateFlags.Version;
// [MS-NLMP] NTLMSSP_NEGOTIATE_NTLM MUST be set in the [..] CHALLENGE_MESSAGE to the client.
challengeMessage.NegotiateFlags |= NegotiateFlags.NTLMSessionSecurity;
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.UnicodeEncoding) > 0)
{
challengeMessage.NegotiateFlags |= NegotiateFlags.UnicodeEncoding;
}
else if ((negotiateMessage.NegotiateFlags & NegotiateFlags.OEMEncoding) > 0)
{
challengeMessage.NegotiateFlags |= NegotiateFlags.OEMEncoding;
}
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.ExtendedSessionSecurity) > 0)
{
challengeMessage.NegotiateFlags |= NegotiateFlags.ExtendedSessionSecurity;
}
else if ((negotiateMessage.NegotiateFlags & NegotiateFlags.LanManagerSessionKey) > 0)
{
challengeMessage.NegotiateFlags |= NegotiateFlags.LanManagerSessionKey;
}
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Sign) > 0)
{
// [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE,
// the server MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE.
challengeMessage.NegotiateFlags |= NegotiateFlags.Sign;
}
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Seal) > 0)
{
// [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_SEAL to the server in the NEGOTIATE_MESSAGE,
// the server MUST return NTLMSSP_NEGOTIATE_SEAL to the client in the CHALLENGE_MESSAGE.
challengeMessage.NegotiateFlags |= NegotiateFlags.Seal;
}
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Sign) > 0 ||
(negotiateMessage.NegotiateFlags & NegotiateFlags.Seal) > 0)
{
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Use56BitEncryption) > 0)
{
// [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN with
// NTLMSSP_NEGOTIATE_56 to the server in the NEGOTIATE_MESSAGE, the server MUST return
// NTLMSSP_NEGOTIATE_56 to the client in the CHALLENGE_MESSAGE.
challengeMessage.NegotiateFlags |= NegotiateFlags.Use56BitEncryption;
}
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.Use128BitEncryption) > 0)
{
// [MS-NLMP] If the client sends NTLMSSP_NEGOTIATE_128 to the server in the NEGOTIATE_MESSAGE,
// the server MUST return NTLMSSP_NEGOTIATE_128 to the client in the CHALLENGE_MESSAGE only if
// the client sets NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN.
challengeMessage.NegotiateFlags |= NegotiateFlags.Use128BitEncryption;
}
}
if ((negotiateMessage.NegotiateFlags & NegotiateFlags.KeyExchange) > 0)
{
challengeMessage.NegotiateFlags |= NegotiateFlags.KeyExchange;
}
challengeMessage.TargetName = Environment.MachineName;
challengeMessage.ServerChallenge = serverChallenge;
challengeMessage.TargetInfo = AVPairUtils.GetAVPairSequence(Environment.MachineName, Environment.MachineName);
challengeMessage.Version = NTLMVersion.Server2003;
return(NTStatus.SEC_I_CONTINUE_NEEDED);
}
public abstract NTStatus GetChallengeMessage(out object context, NegotiateMessage negotiateMessage, out ChallengeMessage challengeMessage);