internal AuthZPluginUserToken(DelegatedPrincipal delegatedPrincipal, ADRawEntry userEntry, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticatedType, string defaultUserName) { this.DelegatedPrincipal = delegatedPrincipal; this.UserEntry = userEntry; this.AuthenticationType = authenticatedType; this.DefaultUserName = defaultUserName; }
private IIdentity GetExecutingUserIdentity() { if (this.executingUserIdentity == null) { switch (this.contextType) { case RBACContext.RBACContextType.Delegated: break; case (RBACContext.RBACContextType) 3: goto IL_69; case RBACContext.RBACContextType.Windows: using (MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(this.serializedExecutingUser))) { this.executingUserIdentity = new SerializedIdentity(new SerializedAccessToken(memoryStream)); goto IL_69; } break; default: goto IL_69; } this.executingUserIdentity = DelegatedPrincipal.GetDelegatedIdentity(this.serializedExecutingUser); } IL_69: return(this.executingUserIdentity); }
// Token: 0x06000285 RID: 645 RVA: 0x000117FC File Offset: 0x0000F9FC private static bool CheckClaimSetsForPartnerUser(AuthorizationContext authorizationContext, OperationContext operationContext) { HttpContext.Current.Items["AuthType"] = "Partner"; PerformanceCounters.UpdateRequestsReceivedWithPartnerToken(); ReadOnlyCollection <ClaimSet> claimSets = authorizationContext.ClaimSets; claimSets.TraceClaimSets(); DelegatedPrincipal delegatedPrincipal = null; OrganizationId delegatedOrganizationId = null; string text = null; if (!PartnerToken.TryGetDelegatedPrincipalAndOrganizationId(claimSets, out delegatedPrincipal, out delegatedOrganizationId, out text)) { ExTraceGlobals.AuthenticationTracer.TraceError <string>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] unable to create partner identity, error message: {0}", text); PerformanceCounters.UpdateUnauthorizedRequestsReceivedWithPartnerToken(); AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, text); return(false); } ExTraceGlobals.AuthenticationTracer.TraceDebug <DelegatedPrincipal>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] ws-security header contains the partner identity: {0}", delegatedPrincipal); string text2 = delegatedPrincipal.ToString(); if (!string.IsNullOrEmpty(text2)) { AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text2, text2.Split(new char[] { '\\' })[0]); } HttpContext.Current.User = new WindowsPrincipal(PartnerIdentity.Create(delegatedPrincipal, delegatedOrganizationId)); return(true); }
// Token: 0x06001274 RID: 4724 RVA: 0x0003B65C File Offset: 0x0003985C internal static PswsAuthZUserToken GetAuthZPluginUserToken(UserToken userToken) { ExAssert.RetailAssert(userToken != null, "[PswsAuthorization.GetAuthZPluginUserToken] userToken can't be null."); Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType = userToken.AuthenticationType; SecurityIdentifier userSid = userToken.UserSid; DelegatedPrincipal delegatedPrincipal = userToken.DelegatedPrincipal; ExAssert.RetailAssert(userSid != null, "The user sid is invalid (null)."); PartitionId partitionId = userToken.PartitionId; string text = AuthenticatedUserCache.CreateKeyForPsws(userSid, userToken.AuthenticationType, partitionId); ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User cache key = \"{0}\".", text); AuthZPluginUserToken authZPluginUserToken; if (!AuthenticatedUserCache.Instance.TryGetValue(text, out authZPluginUserToken)) { ExTraceGlobals.PublicPluginAPITracer.TraceDebug(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User not found in cache."); IIdentity identity = HttpContext.Current.Items["X-Psws-CurrentLogonUser"] as IIdentity; SerializedIdentity serializedIdentity = null; if (identity is WindowsTokenIdentity) { serializedIdentity = ((WindowsTokenIdentity)identity).ToSerializedIdentity(); } ADRawEntry adrawEntry = ExchangeAuthorizationPlugin.FindUserEntry(userSid, null, serializedIdentity, partitionId); ExAssert.RetailAssert(adrawEntry != null, "UnAuthorized. Unable to find the user."); bool condition = (adrawEntry is MiniRecipient || adrawEntry is ADUser) && (bool)adrawEntry[ADRecipientSchema.RemotePowerShellEnabled]; ExAssert.RetailAssert(condition, "UnAuthorized. PSWS not enabled user."); authZPluginUserToken = new AuthZPluginUserToken(delegatedPrincipal, adrawEntry, authenticationType, userSid.Value); AuthenticatedUserCache.Instance.AddUserToCache(text, authZPluginUserToken); } return(new PswsAuthZUserToken(authZPluginUserToken.DelegatedPrincipal, authZPluginUserToken.UserEntry, authenticationType, authZPluginUserToken.DefaultUserName, userToken.UserName)); }
// Token: 0x06000039 RID: 57 RVA: 0x00002E5C File Offset: 0x0000105C internal UserToken(AuthenticationType authenticationType, DelegatedPrincipal delegatedPrincipal, string windowsLiveId, string userName, SecurityIdentifier userSid, PartitionId partitionId, OrganizationId organization, string managedOrganization, bool appPasswordUsed, CommonAccessToken commonAccessToken) { ExTraceGlobals.UserTokenTracer.TraceDebug(0L, "Version:{0}; AuthenticationType:{1}; DelegatedPrincipal:{2} WindowsLiveId:{3}; UserName:{4}; UserSid:{5}; PartitionId:{6}; Organization:{7}; ManagedOrg:{8};AppPasswordUsed:{9}; CAT:{10}", new object[] { 0, authenticationType, delegatedPrincipal, windowsLiveId, userName, userSid, partitionId, organization, managedOrganization, appPasswordUsed, commonAccessToken }); this.Version = 0; this.AuthenticationType = authenticationType; this.DelegatedPrincipal = delegatedPrincipal; this.WindowsLiveId = windowsLiveId; this.UserName = userName; this.UserSid = userSid; this.PartitionId = partitionId; this.Organization = organization; this.ManagedOrganization = managedOrganization; this.AppPasswordUsed = appPasswordUsed; this.CommonAccessToken = commonAccessToken; }
// Token: 0x06000038 RID: 56 RVA: 0x00003F1D File Offset: 0x0000211D internal DelegatedPrincipalCacheData(DelegatedPrincipal principal, DateTime expirationUTC) { if (principal == null) { throw new ArgumentNullException("principal"); } this.principal = principal; this.expiration = expirationUTC; }
public RBACContext(DelegatedPrincipal executingUser, SerializedAccessToken impersonatedUser, IList <RoleType> roleTypeFilter, List <RoleEntry> sortedRoleEntryFilter, IList <RoleType> logonUserRequiredRoleTypes, bool callerCheckedAccess) : this(impersonatedUser, roleTypeFilter, sortedRoleEntryFilter, logonUserRequiredRoleTypes, callerCheckedAccess) { if (executingUser == null) { throw new ArgumentNullException("executingUser"); } this.AuthenticationType = DelegatedPrincipal.DelegatedAuthenticationType; this.ExecutingUserName = executingUser.DisplayName; this.serializedExecutingUser = executingUser.Identity.Name; this.contextType = RBACContext.RBACContextType.Delegated; }
private string GetUserUniqueKey() { DelegatedPrincipal delegatedPrincipal = this.OriginalUser as DelegatedPrincipal; if (delegatedPrincipal != null) { return(delegatedPrincipal.UserId); } if (DatacenterRegistry.IsForefrontForOffice()) { return(this.OriginalLogonUserIdentity.Name); } return(this.OriginalLogonUserIdentity.GetSecurityIdentifier().Value); }
public static string GetCanaryName(this HttpContext context) { DelegatedPrincipal delegatedPrincipal = null; if (context.User is RbacSession) { RbacSession rbacSession = (RbacSession)context.User; delegatedPrincipal = (rbacSession.Settings.OriginalUser as DelegatedPrincipal); } if (delegatedPrincipal == null) { return("msExchEcpCanary"); } return("msExchEcpCanary.UID"); }
private void ResolveAccessedUser() { if (string.IsNullOrEmpty(this.accessedUserSmtpAddress)) { this.accessedUserExchangePrincipal = ExchangePrincipal.FromUserSid(this.GetOrganizationIdFromIdentity(this.accessedUserIdentity).ToADSessionSettings(), this.accessedUserSid); this.logonUserPrincipal = new GenericPrincipal(this.LogonUserIdentity, null); } else { OrganizationId organizationId = OrganizationId.ForestWideOrgId; SidBasedIdentity sidBasedIdentity = this.LogonUserIdentity as SidBasedIdentity; if (sidBasedIdentity != null) { organizationId = sidBasedIdentity.UserOrganizationId; } else { DelegatedPrincipal delegatedPrincipal = this.logonUserPrincipal as DelegatedPrincipal; if (delegatedPrincipal != null) { SmtpDomain domain; if (SmtpDomain.TryParse(delegatedPrincipal.DelegatedOrganization, out domain)) { organizationId = DomainCache.Singleton.Get(new SmtpDomainWithSubdomains(domain, false)).OrganizationId; } } else { ExchangePrincipal exchangePrincipal = this.GetLogonUserExchangePrincipal(); if (exchangePrincipal != null) { organizationId = exchangePrincipal.MailboxInfo.OrganizationId; } } } ADSessionSettings adSettings = organizationId.ToADSessionSettings(); string partitionId = null; if (organizationId != null && organizationId != OrganizationId.ForestWideOrgId && organizationId.PartitionId != null) { partitionId = organizationId.PartitionId.ToString(); } this.accessedUserExchangePrincipal = ExchangePrincipal.FromProxyAddress(adSettings, this.accessedUserSmtpAddress, RemotingOptions.AllowCrossSite); this.accessedUserIdentity = new GenericSidIdentity(this.accessedUserExchangePrincipal.Sid.Value, this.LogonUserIdentity.AuthenticationType + "-ExplicitSignOn", this.accessedUserExchangePrincipal.Sid, partitionId); this.accessedUserSid = this.accessedUserIdentity.GetSecurityIdentifier(); } this.hasFullAccess = this.CanOpenAccessedUserMailbox(); this.identityResolved = true; }
// Token: 0x060000C3 RID: 195 RVA: 0x00005BA8 File Offset: 0x00003DA8 private string GetManagedOrganization(IIdentity identity) { SidOAuthIdentity sidOAuthIdentity = identity as SidOAuthIdentity; if (sidOAuthIdentity != null) { ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetManagedOrganization] From SidOAuthIdentity."); return(sidOAuthIdentity.ManagedTenantName); } DelegatedPrincipal delegatedPrincipal = HttpContext.Current.User as DelegatedPrincipal; if (delegatedPrincipal != null) { ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetManagedOrganization] From DelegatedPrincipal."); return(delegatedPrincipal.DelegatedOrganization); } ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetManagedOrganization] ManagedOrg=Null."); return(null); }
internal static UserToken CreateDefaultUserTokenInERC(IIdentity identity, DelegatedPrincipal delegatedPrincipal, bool impersonated) { if (!impersonated && delegatedPrincipal != null) { CommonAccessToken commonAccessToken = new CommonAccessToken(AccessTokenType.RemotePowerShellDelegated); commonAccessToken.ExtensionData["DelegatedData"] = delegatedPrincipal.Identity.Name; return(new UserToken(AuthenticationType.RemotePowerShellDelegated, delegatedPrincipal, null, delegatedPrincipal.Identity.Name, null, null, null, delegatedPrincipal.DelegatedOrganization, false, commonAccessToken)); } SidOAuthIdentity sidOAuthIdentity = identity as SidOAuthIdentity; if (sidOAuthIdentity != null) { PartitionId partitionId; PartitionId.TryParse(sidOAuthIdentity.PartitionId, out partitionId); return(new UserToken(AuthenticationType.OAuth, null, null, sidOAuthIdentity.Name, sidOAuthIdentity.Sid, partitionId, sidOAuthIdentity.OAuthIdentity.OrganizationId, sidOAuthIdentity.ManagedTenantName, false, sidOAuthIdentity.OAuthIdentity.ToCommonAccessTokenVersion1())); } WindowsIdentity windowsIdentity = identity as WindowsIdentity; if (windowsIdentity != null) { return(new UserToken(AuthenticationType.Kerberos, null, null, windowsIdentity.Name, windowsIdentity.User, null, null, null, false, new CommonAccessToken(windowsIdentity))); } WindowsTokenIdentity windowsTokenIdentity = identity as WindowsTokenIdentity; if (windowsTokenIdentity != null && windowsTokenIdentity.AccessToken != null && windowsTokenIdentity.AccessToken.CommonAccessToken != null) { PartitionId partitionId2; PartitionId.TryParse(windowsTokenIdentity.PartitionId, out partitionId2); return(new UserToken(AuthenticationType.Kerberos, null, null, windowsTokenIdentity.Name, windowsTokenIdentity.Sid, partitionId2, null, null, false, windowsTokenIdentity.AccessToken.CommonAccessToken)); } CommonAccessToken commonAccessToken2 = new CommonAccessToken(AccessTokenType.CertificateSid); SecurityIdentifier securityIdentifier = identity.GetSecurityIdentifier(); commonAccessToken2.ExtensionData["UserSid"] = securityIdentifier.ToString(); GenericSidIdentity genericSidIdentity = identity as GenericSidIdentity; if (genericSidIdentity != null) { commonAccessToken2.ExtensionData["Partition"] = genericSidIdentity.PartitionId; } return(new UserToken(AuthenticationType.Certificate, null, null, identity.Name, securityIdentifier, null, null, null, false, commonAccessToken2)); }
// Token: 0x060000BF RID: 191 RVA: 0x000056A0 File Offset: 0x000038A0 private string GetUserName(CommonAccessToken commonAccessToken, IIdentity identity, AccessTokenType accessTokenType) { string windowsLiveId = this.GetWindowsLiveId(commonAccessToken, accessTokenType); if (!string.IsNullOrWhiteSpace(windowsLiveId)) { ExTraceGlobals.UserTokenTracer.TraceDebug <string>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From windows Live Id {0}", windowsLiveId); return(windowsLiveId); } if (commonAccessToken != null && commonAccessToken.WindowsAccessToken != null) { ExTraceGlobals.UserTokenTracer.TraceDebug((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From windows access token"); return(commonAccessToken.WindowsAccessToken.LogonName ?? commonAccessToken.WindowsAccessToken.UserSid); } DelegatedPrincipal delegatedPrincipal = HttpContext.Current.User as DelegatedPrincipal; if (delegatedPrincipal != null) { ExTraceGlobals.UserTokenTracer.TraceDebug <string>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From delegated principal {0}", delegatedPrincipal.ToString()); return(delegatedPrincipal.GetUserName()); } try { return(identity.GetSafeName(true)); } catch (Exception ex) { ExTraceGlobals.UserTokenTracer.TraceError <Exception>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] GetSafeName throws exception {0}", ex); HttpLogger.SafeAppendGenericError("BuildUserTokenModule.GetUserName", ex.ToString(), false); } SecurityIdentifier userSid = this.GetUserSid(commonAccessToken, identity); if (userSid != null) { ExTraceGlobals.UserTokenTracer.TraceDebug <string>((long)this.GetHashCode(), "[BuildUserTokenModule::GetUserName] From user sid {0}", userSid.ToString()); return(userSid.ToString()); } return(null); }
internal static bool TryFindOrganizationIdForDelegatedPrincipal(DelegatedPrincipal principal, out OrganizationId orgId) { orgId = null; ExchangeConfigurationUnit exchangeConfigurationUnit = null; Exception ex = null; try { exchangeConfigurationUnit = ExchangeAuthorizationPlugin.GetExchangeConfigurationUnitByNameOrAcceptedDomain(principal.DelegatedOrganization); } catch (CannotResolveTenantNameException ex2) { ex = ex2; } catch (DataSourceOperationException ex3) { ex = ex3; } catch (TransientException ex4) { ex = ex4; } catch (DataValidationException ex5) { ex = ex5; } if (ex != null) { AuthZLogger.SafeAppendGenericError("TryFindOrganizationIdForDelegatedPrincipal", ex, new Func <Exception, bool>(KnownException.IsUnhandledException)); TaskLogger.LogRbacEvent(TaskEventLogConstants.Tuple_FailedToResolveOrganizationIdForDelegatedPrincipal, null, new object[] { principal.DelegatedOrganization, ex }); return(false); } orgId = exchangeConfigurationUnit.OrganizationId; return(true); }
// Token: 0x060000EB RID: 235 RVA: 0x00005DD4 File Offset: 0x00003FD4 private static AnchorMailbox CreateFromLogonIdentity(IRequestContext requestContext) { HttpContext httpContext = requestContext.HttpContext; IPrincipal user = httpContext.User; IIdentity identity = httpContext.User.Identity; string text; HttpContextItemParser.TryGetLiveIdMemberName(httpContext.Items, ref text); OAuthIdentity oauthIdentity = identity as OAuthIdentity; if (oauthIdentity != null) { string externalDirectoryObjectId; if (RequestHeaderParser.TryGetExternalDirectoryObjectId(httpContext.Request.Headers, ref externalDirectoryObjectId)) { requestContext.Logger.SafeSet(3, "OAuthIdentity-ExternalDirectoryObjectId"); return(new ExternalDirectoryObjectIdAnchorMailbox(externalDirectoryObjectId, oauthIdentity.OrganizationId, requestContext)); } if (oauthIdentity.ActAsUser != null) { requestContext.Logger.SafeSet(3, "OAuthIdentity-ActAsUser"); return(new OAuthActAsUserAnchorMailbox(oauthIdentity.ActAsUser, requestContext)); } requestContext.Logger.SafeSet(3, "OAuthIdentity-AppOrganization"); return(new OrganizationAnchorMailbox(oauthIdentity.OrganizationId, requestContext)); } else { GenericSidIdentity genericSidIdentity = identity as GenericSidIdentity; if (genericSidIdentity != null) { requestContext.Logger.SafeSet(3, "GenericSidIdentity"); return(new SidAnchorMailbox(genericSidIdentity.Sid, requestContext) { PartitionId = genericSidIdentity.PartitionId, SmtpOrLiveId = text }); } DelegatedPrincipal delegatedPrincipal = user as DelegatedPrincipal; if (delegatedPrincipal != null && delegatedPrincipal.DelegatedOrganization != null && string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(3, "DelegatedPrincipal-DelegatedOrganization"); return(new DomainAnchorMailbox(delegatedPrincipal.DelegatedOrganization, requestContext)); } WindowsIdentity windowsIdentity = identity as WindowsIdentity; if (windowsIdentity != null) { if (string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(3, "WindowsIdentity"); } else { requestContext.Logger.SafeSet(3, "WindowsIdentity-LiveIdMemberName"); } return(new SidAnchorMailbox(windowsIdentity.User, requestContext) { SmtpOrLiveId = text }); } SecurityIdentifier securityIdentifier = null; if (IIdentityExtensions.TryGetSecurityIdentifier(identity, ref securityIdentifier) && !securityIdentifier.Equals(AuthCommon.MemberNameNullSid)) { if (string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(3, "SID"); } else { requestContext.Logger.SafeSet(3, "SID-LiveIdMemberName"); } return(new SidAnchorMailbox(securityIdentifier, requestContext) { SmtpOrLiveId = text }); } if (!HttpProxySettings.IdentityIndependentAuthBehaviorEnabled.Value && requestContext.AuthBehavior.AuthState != AuthState.FrontEndFullAuth) { AnchorMailbox anchorMailbox = requestContext.AuthBehavior.CreateAuthModuleSpecificAnchorMailbox(requestContext); if (anchorMailbox != null) { return(anchorMailbox); } } if (!string.IsNullOrEmpty(text) && SmtpAddress.IsValidSmtpAddress(text)) { requestContext.Logger.SafeSet(3, "Smtp-LiveIdMemberName"); return(new SmtpAnchorMailbox(text, requestContext)); } throw new InvalidOperationException(string.Format("Unknown idenity {0} with type {1}.", IIdentityExtensions.GetSafeName(identity, true), identity.ToString())); } }
// Token: 0x060072B7 RID: 29367 RVA: 0x0017B9E0 File Offset: 0x00179BE0 public DelegatedPrincipalBudgetKey(DelegatedPrincipal principal, BudgetType budgetType) : base(budgetType, false) { this.cachedToString = string.Format("Delegated~{0}~{1}~{2}", principal.DelegatedOrganization, principal.UserId, budgetType); this.principal = principal; this.cachedHashCode = (base.BudgetType.GetHashCode() ^ this.principal.DelegatedOrganization.GetHashCode() ^ this.principal.UserId.GetHashCode()); }
public RBACContext(DelegatedPrincipal executingUser) : this(executingUser, null, null, null, null, false) { }
public static AnchorRunspaceProxy CreateRunspaceForDelegatedPartner(AnchorContext context, DelegatedPrincipal delegatedPartnerAdmin, string tenantOrganization) { AnchorUtil.ThrowOnNullArgument(delegatedPartnerAdmin, "delegatedTenantAdmin"); AnchorUtil.ThrowOnNullOrEmptyArgument(tenantOrganization, "tenantOrganization"); context.Logger.Log(MigrationEventType.Verbose, "AnchorRunspaceProxy. Creating delegated partner runspace proxy for user {0}", new object[] { delegatedPartnerAdmin }); ExchangeRunspaceConfigurationSettings configSettings = new ExchangeRunspaceConfigurationSettings(ExchangeRunspaceConfigurationSettings.ExchangeApplication.SimpleDataMigration, tenantOrganization, ExchangeRunspaceConfigurationSettings.GetDefaultInstance().CurrentSerializationLevel); return(new AnchorRunspaceProxy(context, AnchorRunspaceProxy.RunspaceFactoryWithDCAffinity.CreateRbacFactory(context, delegatedPartnerAdmin.ToString(), delegatedPartnerAdmin.Identity, configSettings))); }
private static AnchorMailbox CreateFromLogonIdentity(IRequestContext requestContext) { HttpContext httpContext = requestContext.HttpContext; IPrincipal user = httpContext.User; IIdentity identity = httpContext.User.Identity; string text = httpContext.Items[Constants.WLIDMemberName] as string; OAuthIdentity oauthIdentity = identity as OAuthIdentity; if (oauthIdentity != null) { string text2 = httpContext.Request.Headers[Constants.ExternalDirectoryObjectIdHeaderName]; if (!string.IsNullOrEmpty(text2)) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "OAuthIdentity-ExternalDirectoryObjectId"); return(new ExternalDirectoryObjectIdAnchorMailbox(text2, oauthIdentity.OrganizationId, requestContext)); } if (oauthIdentity.ActAsUser != null) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "OAuthIdentity-ActAsUser"); return(new OAuthActAsUserAnchorMailbox(oauthIdentity.ActAsUser, requestContext)); } requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "OAuthIdentity-AppOrganization"); return(new OrganizationAnchorMailbox(oauthIdentity.OrganizationId, requestContext)); } else { GenericSidIdentity genericSidIdentity = identity as GenericSidIdentity; if (genericSidIdentity != null) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "GenericSidIdentity"); return(new SidAnchorMailbox(genericSidIdentity.Sid, requestContext) { PartitionId = genericSidIdentity.PartitionId, SmtpOrLiveId = text }); } DelegatedPrincipal delegatedPrincipal = user as DelegatedPrincipal; if (delegatedPrincipal != null && delegatedPrincipal.DelegatedOrganization != null && string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "DelegatedPrincipal-DelegatedOrganization"); return(new DomainAnchorMailbox(delegatedPrincipal.DelegatedOrganization, requestContext)); } WindowsIdentity windowsIdentity = identity as WindowsIdentity; if (windowsIdentity != null) { if (string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "WindowsIdentity"); } else { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "WindowsIdentity-LiveIdMemberName"); } return(new SidAnchorMailbox(windowsIdentity.User, requestContext) { SmtpOrLiveId = text }); } try { SecurityIdentifier securityIdentifier = identity.GetSecurityIdentifier(); if (!securityIdentifier.Equals(AuthCommon.MemberNameNullSid)) { if (string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "SID"); } else { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "SID-LiveIdMemberName"); } return(new SidAnchorMailbox(securityIdentifier, requestContext) { SmtpOrLiveId = text }); } } catch (Exception) { } if (requestContext.AuthBehavior.AuthState != AuthState.FrontEndFullAuth) { AnchorMailbox anchorMailbox = requestContext.AuthBehavior.CreateAuthModuleSpecificAnchorMailbox(requestContext); if (anchorMailbox != null) { return(anchorMailbox); } } if (!string.IsNullOrEmpty(text)) { requestContext.Logger.SafeSet(HttpProxyMetadata.RoutingHint, "Smtp-LiveIdMemberName"); return(new SmtpAnchorMailbox(text, requestContext)); } throw new InvalidOperationException(string.Format("Unknown idenity {0} with type {1}.", identity.GetSafeName(true), identity.ToString())); } }
public static AnchorRunspaceProxy CreateRunspaceForDelegatedTenantAdmin(AnchorContext context, DelegatedPrincipal delegatedTenantAdmin) { AnchorUtil.ThrowOnNullArgument(delegatedTenantAdmin, "delegatedTenantAdmin"); context.Logger.Log(MigrationEventType.Verbose, "AnchorRunspaceProxy. Creating delegated runspace proxy for user {0}", new object[] { delegatedTenantAdmin }); ExchangeRunspaceConfigurationSettings configSettings = new ExchangeRunspaceConfigurationSettings(ExchangeRunspaceConfigurationSettings.ExchangeApplication.SimpleDataMigration, null, ExchangeRunspaceConfigurationSettings.SerializationLevel.None); return(new AnchorRunspaceProxy(context, AnchorRunspaceProxy.RunspaceFactoryWithDCAffinity.CreateRbacFactory(context, delegatedTenantAdmin.ToString(), delegatedTenantAdmin.Identity, configSettings))); }
internal static ClientSecurityContext GetSecurityContextForUser(ISecurityAccessToken executingUser, DelegatedPrincipal delegatedPrincipal, ADUser trackedUser) { bool enabled = VariantConfiguration.InvariantNoFlightingSnapshot.Global.MultiTenancy.Enabled; ExTraceGlobals.TaskTracer.TraceDebug <string, string, bool>(0L, "executing-user={0}, tracked-user={1}, ismultitenancyenabled={2}", (executingUser != null) ? executingUser.UserSid.ToString() : delegatedPrincipal.ToString(), trackedUser.Sid.Value, enabled); if (!enabled || (executingUser != null && string.Equals(executingUser.UserSid, trackedUser.Sid.Value, StringComparison.OrdinalIgnoreCase))) { ExTraceGlobals.TaskTracer.TraceDebug(0L, "executing-user == tracked-user or we are not running in a Multi Tenant environment."); return(new ClientSecurityContext(executingUser, AuthzFlags.AuthzSkipTokenGroups)); } WindowsIdentity identity; try { ExTraceGlobals.TaskTracer.TraceDebug(0L, "executing-user != tracked-user"); if (string.IsNullOrEmpty(trackedUser.UserPrincipalName)) { ExTraceGlobals.TaskTracer.TraceError <ADObjectId>(0L, "Null/Empty UPN for user {0}", trackedUser.Id); Strings.TrackingErrorUserObjectCorrupt(trackedUser.Id.ToString(), "UserPrincipalName"); string data = string.Format("Missing UserPrincipalName attribute for user {0}", trackedUser.Id.ToString()); TrackingError trackingError = new TrackingError(ErrorCode.InvalidADData, string.Empty, data, string.Empty); throw new TrackingFatalException(trackingError, null, false); } identity = new WindowsIdentity(trackedUser.UserPrincipalName); } catch (UnauthorizedAccessException ex) { ExTraceGlobals.TaskTracer.TraceError <string, UnauthorizedAccessException>(0L, "Not authorized to get WindowsIdentity for {0}, Exception: {1}", trackedUser.UserPrincipalName, ex); TrackingError trackingError2 = new TrackingError(ErrorCode.UnexpectedErrorPermanent, string.Empty, string.Format("Cannot logon as {0}", trackedUser.Id.ToString()), ex.ToString()); throw new TrackingFatalException(trackingError2, ex, false); } catch (SecurityException arg) { ExTraceGlobals.TaskTracer.TraceError <string, SecurityException>(0L, "Not authorized to get WindowsIdentity for {0}, falling back to ExecutingUser, Exception: {1}", trackedUser.UserPrincipalName, arg); return(new ClientSecurityContext(executingUser, AuthzFlags.AuthzSkipTokenGroups)); } return(new ClientSecurityContext(identity)); }
// Token: 0x06000058 RID: 88 RVA: 0x00003368 File Offset: 0x00001568 private void Deserialize(Stream stream) { using (BinaryReader binaryReader = new BinaryReader(stream)) { this.ReadAndValidateFieldType(binaryReader, 'V', Strings.MissingVersion); this.Version = this.BinaryRead <ushort>(new Func <ushort>(binaryReader.ReadUInt16), Strings.MissingVersion); this.ReadAndValidateFieldType(binaryReader, 'A', Strings.MissingAuthenticationType); string value = this.BinaryRead <string>(new Func <string>(binaryReader.ReadString), Strings.MissingAuthenticationType); AuthenticationType authenticationType; if (!Enum.TryParse <AuthenticationType>(value, out authenticationType)) { ExTraceGlobals.UserTokenTracer.TraceError <AuthenticationType>(0L, "Invalid authentication type {0}", authenticationType); throw new UserTokenException(Strings.InvalidDelegatedPrincipal(value)); } this.AuthenticationType = authenticationType; this.ReadAndValidateFieldType(binaryReader, 'D', Strings.MissingDelegatedPrincipal); string text = this.ReadNullableString(binaryReader, Strings.MissingDelegatedPrincipal); DelegatedPrincipal delegatedPrincipal = null; if (text != null && !DelegatedPrincipal.TryParseDelegatedString(text, out delegatedPrincipal)) { ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid delegated principal {0}", text); throw new UserTokenException(Strings.InvalidDelegatedPrincipal(text)); } this.DelegatedPrincipal = delegatedPrincipal; this.ReadAndValidateFieldType(binaryReader, 'L', Strings.MissingWindowsLiveId); this.WindowsLiveId = this.ReadNullableString(binaryReader, Strings.MissingWindowsLiveId); this.ReadAndValidateFieldType(binaryReader, 'N', Strings.MissingUserName); this.UserName = this.ReadNullableString(binaryReader, Strings.MissingUserName); this.ReadAndValidateFieldType(binaryReader, 'U', Strings.MissingUserSid); string text2 = this.ReadNullableString(binaryReader, Strings.MissingUserSid); if (text2 != null) { try { this.UserSid = new SecurityIdentifier(text2); } catch (ArgumentException innerException) { ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid user sid {0}", text2); throw new UserTokenException(Strings.InvalidUserSid(text2), innerException); } } this.ReadAndValidateFieldType(binaryReader, 'P', Strings.MissingPartitionId); string text3 = this.ReadNullableString(binaryReader, Strings.MissingPartitionId); PartitionId partitionId = null; if (text3 != null && !PartitionId.TryParse(text3, out partitionId)) { ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid partition id {0}", text3); throw new UserTokenException(Strings.InvalidPartitionId(text3)); } this.PartitionId = partitionId; this.ReadAndValidateFieldType(binaryReader, 'O', Strings.MissingOrganization); string text4 = this.ReadNullableString(binaryReader, Strings.MissingOrganization); if (text4 != null) { byte[] bytes; try { bytes = Convert.FromBase64String(text4); } catch (FormatException innerException2) { ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid organization id {0}", text4); throw new UserTokenException(Strings.InvalidOrganization(text4), innerException2); } OrganizationId organization; if (!OrganizationId.TryCreateFromBytes(bytes, Encoding.UTF8, out organization)) { ExTraceGlobals.UserTokenTracer.TraceError <string>(0L, "Invalid organization id {0}", text4); throw new UserTokenException(Strings.InvalidOrganization(text4)); } this.Organization = organization; } this.ReadAndValidateFieldType(binaryReader, 'M', Strings.MissingManagedOrganization); this.ManagedOrganization = this.ReadNullableString(binaryReader, Strings.MissingManagedOrganization); this.ReadAndValidateFieldType(binaryReader, 'W', Strings.MissingAppPasswordUsed); this.AppPasswordUsed = this.BinaryRead <bool>(new Func <bool>(binaryReader.ReadBoolean), Strings.MissingAppPasswordUsed); int num = (int)(binaryReader.BaseStream.Length - binaryReader.BaseStream.Position); if (num > 0) { byte[] array = binaryReader.ReadBytes(num); array = this.Decompress(array); this.CommonAccessToken = CommonAccessToken.Deserialize(Encoding.UTF8.GetString(array)); } else { this.CommonAccessToken = null; } } }
// Token: 0x0600128C RID: 4748 RVA: 0x0003BF11 File Offset: 0x0003A111 internal PswsAuthZUserToken(DelegatedPrincipal delegatedPrincipal, ADRawEntry userEntry, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, string defaultUserName, string executingUserName) : base(delegatedPrincipal, userEntry, authenticationType, defaultUserName) { ExAssert.RetailAssert(!string.IsNullOrWhiteSpace(executingUserName), "The executingUserName should not be null or white space."); this.ExecutingUserName = executingUserName; }
private static IIdentity InternalGetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, out string sessionId, out string firstRequestId) { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown; userToken = null; sessionId = null; firstRequestId = null; if (psPrincipal.Identity.AuthenticationType.StartsWith("Cafe-", StringComparison.OrdinalIgnoreCase)) { using (WinRMDataReceiver winRMDataReceiver = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker)) { userToken = winRMDataReceiver.UserToken; sessionId = winRMDataReceiver.SessionId; firstRequestId = winRMDataReceiver.RequestId; string text = winRMDataReceiver.AuthenticationType.Substring("Cafe-".Length); if (text.Equals("GenericIdentity", StringComparison.OrdinalIgnoreCase)) { return(AuthZPluginHelper.ConstructGenericIdentityFromUserToken(userToken)); } if (userToken.CommonAccessToken != null) { return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity()); } } } if (DelegatedPrincipal.DelegatedAuthenticationType.Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase)) { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.RemotePowerShellDelegated; return(DelegatedPrincipal.GetDelegatedIdentity(psPrincipal.Identity.Name)); } if (psPrincipal.WindowsIdentity != null) { string authenticationType2 = psPrincipal.Identity.AuthenticationType; if (authenticationType2 != null && authenticationType2.StartsWith("Converted-", StringComparison.OrdinalIgnoreCase)) { if (authenticationType2.StartsWith("Converted-Kerberos", StringComparison.OrdinalIgnoreCase)) { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos; } else { AuthZLogger.SafeAppendGenericError("InternalGetExecutingUserIdentity", "Unexpected AuthenticationType " + authenticationType2, true); } using (WinRMDataReceiver winRMDataReceiver2 = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker)) { userToken = winRMDataReceiver2.UserToken; sessionId = winRMDataReceiver2.SessionId; firstRequestId = winRMDataReceiver2.RequestId; if (userToken.CommonAccessToken == null) { throw new AuthzException("DEV BUG, the CommonAccessToken should not be NULL when passing from Locally Kerberos logon."); } return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity()); } } if ("CertificateLinkedUser".Equals(authenticationType2, StringComparison.OrdinalIgnoreCase)) { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.CertificateLinkedUser; return(new GenericIdentity(psPrincipal.Identity.Name)); } try { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Certificate; new SecurityIdentifier(psPrincipal.Identity.Name); return(new GenericIdentity(psPrincipal.Identity.Name)); } catch (ArgumentException) { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown; return(psPrincipal.WindowsIdentity); } } if ("RPS".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Kerberos".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Basic".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase)) { authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos; SecurityIdentifier securityIdentifier = (SecurityIdentifier) new NTAccount(psPrincipal.Identity.Name).Translate(typeof(SecurityIdentifier)); return(new GenericIdentity(securityIdentifier.ToString())); } authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown; return(new GenericIdentity(psPrincipal.Identity.Name)); }