/// <summary>
/// Authenticates an NTLM login whose AUTHENTICATE_MESSAGE fields (account name, LM response,
/// NTLM response) have already been split out by the caller, and resolves it to a local <see cref="User"/>.
/// </summary>
/// <remarks>
/// An empty account name is treated as an anonymous login and, like a "Guest" login that carries an
/// empty password while <see cref="EnableGuestLogin"/> is on, is mapped to the local "Guest" account
/// without going through SSPI.
/// NOTE(review): the empty-account-name branch does not consult <see cref="EnableGuestLogin"/>; confirm
/// that anonymous logins are meant to resolve to Guest regardless of that setting.
/// NOTE(review): the "Guest" comparison is culture-sensitive (InvariantCultureIgnoreCase); account names
/// are protocol identifiers, so an ordinal comparison is the usual recommendation (CA1309) - check that
/// <see cref="IndexOf"/> uses the same comparison before changing either one.
/// Note: The 'limitblankpassworduse' value (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
/// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
/// </remarks>
/// <param name="accountNameToAuth">Account name presented by the client.</param>
/// <param name="lmResponse">LM challenge response bytes presented by the client.</param>
/// <param name="ntlmResponse">NTLM challenge response bytes presented by the client.</param>
/// <returns>
/// The matching <see cref="User"/>, or null when no account with that name exists (or no Guest account
/// exists for the guest/anonymous path) or SSPI rejects the challenge responses.
/// </returns>
/// <exception cref="EmptyPasswordNotAllowedException">
/// Empty passwords are disallowed, the client presented an empty password, and the Windows account
/// really does have a blank password.
/// </exception>
public User Authenticate(string accountNameToAuth, byte[] lmResponse, byte[] ntlmResponse)
{
    bool anonymousLogin = (accountNameToAuth == String.Empty);
    // Evaluated only when not anonymous, mirroring the short-circuit of the original condition.
    bool guestLoginWithEmptyPassword = !anonymousLogin &&
                                       String.Equals(accountNameToAuth, "Guest", StringComparison.InvariantCultureIgnoreCase) &&
                                       IsPasswordEmpty(lmResponse, ntlmResponse) &&
                                       this.EnableGuestLogin;

    if (anonymousLogin || guestLoginWithEmptyPassword)
    {
        // Both paths resolve to the local Guest account (if one is configured) without hitting SSPI.
        int guestIndex = IndexOf("Guest");
        return guestIndex >= 0 ? this[guestIndex] : null;
    }

    int accountIndex = IndexOf(accountNameToAuth);
    if (accountIndex < 0)
    {
        return null;
    }

    // Reject a blank password before involving SSPI so the attempt does not end up as a failed
    // logon in the Windows security event log; the Windows LogonUser API is consulted only to
    // confirm that the stored password is in fact blank.
    if (!AreEmptyPasswordsAllowed() &&
        IsPasswordEmpty(lmResponse, ntlmResponse) &&
        LoginAPI.HasEmptyPassword(accountNameToAuth))
    {
        throw new EmptyPasswordNotAllowedException();
    }

    // Rebuild a Type 3 message from the parts so SSPI can validate the challenge responses
    // against the server context established earlier.
    AuthenticateMessage type3Message = new AuthenticateMessage
    {
        NegotiateFlags = NegotiateFlags.NegotiateUnicode |
                         NegotiateFlags.NegotiateOEM |
                         NegotiateFlags.RequestTarget |
                         NegotiateFlags.NegotiateSign |
                         NegotiateFlags.NegotiateSeal |
                         NegotiateFlags.NegotiateLanManagerKey |
                         NegotiateFlags.NegotiateNTLMKey |
                         NegotiateFlags.NegotiateAlwaysSign |
                         NegotiateFlags.NegotiateVersion |
                         NegotiateFlags.Negotiate128 |
                         NegotiateFlags.Negotiate56,
        UserName = accountNameToAuth,
        LmChallengeResponse = lmResponse,
        NtChallengeResponse = ntlmResponse,
        Version = Authentication.Version.Server2003,
    };

    bool accepted = SSPIHelper.AuthenticateType3Message(m_serverContext, type3Message.GetBytes());
    return accepted ? this[accountIndex] : null;
}
/// <summary>
/// Authenticates a raw NTLM AUTHENTICATE_MESSAGE (Type 3) received from the client and resolves it
/// to a local <see cref="User"/>.
/// </summary>
/// <remarks>
/// The message bytes come straight from the client; no parse errors are caught here, so whatever the
/// <see cref="AuthenticateMessage"/> constructor raises on malformed input propagates to the caller.
/// A message carrying NegotiateAnonymous, or a "Guest" login with an empty password while
/// <see cref="EnableGuestLogin"/> is on, is mapped to the local "Guest" account without going through SSPI.
/// NOTE(review): the NegotiateAnonymous branch does not consult <see cref="EnableGuestLogin"/>; confirm
/// that anonymous logins are meant to resolve to Guest regardless of that setting.
/// NOTE(review): the "Guest" comparison is culture-sensitive (InvariantCultureIgnoreCase); account names
/// are protocol identifiers, so an ordinal comparison is the usual recommendation (CA1309) - check that
/// <see cref="IndexOf"/> uses the same comparison before changing either one.
/// Note: The 'limitblankpassworduse' value (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
/// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
/// </remarks>
/// <param name="authenticateMessageBytes">The client's AUTHENTICATE_MESSAGE, as received on the wire.</param>
/// <returns>
/// The matching <see cref="User"/>, or null when no account with that name exists (or no Guest account
/// exists for the guest/anonymous path) or SSPI rejects the message.
/// </returns>
/// <exception cref="EmptyPasswordNotAllowedException">
/// Empty passwords are disallowed, the client presented an empty password, and the Windows account
/// really does have a blank password.
/// </exception>
public User Authenticate(byte[] authenticateMessageBytes)
{
    AuthenticateMessage type3Message = new AuthenticateMessage(authenticateMessageBytes);
    string accountName = type3Message.UserName;

    bool anonymousLogin = (type3Message.NegotiateFlags & NegotiateFlags.NegotiateAnonymous) != 0;
    // Evaluated only when not anonymous, mirroring the short-circuit of the original condition.
    bool guestLoginWithEmptyPassword = !anonymousLogin &&
                                       String.Equals(accountName, "Guest", StringComparison.InvariantCultureIgnoreCase) &&
                                       IsPasswordEmpty(type3Message) &&
                                       this.EnableGuestLogin;

    if (anonymousLogin || guestLoginWithEmptyPassword)
    {
        // Both paths resolve to the local Guest account (if one is configured) without hitting SSPI.
        int guestIndex = IndexOf("Guest");
        return guestIndex >= 0 ? this[guestIndex] : null;
    }

    int accountIndex = IndexOf(accountName);
    if (accountIndex < 0)
    {
        return null;
    }

    // Reject a blank password before involving SSPI so the attempt does not end up as a failed
    // logon in the Windows security event log; the Windows LogonUser API is consulted only to
    // confirm that the stored password is in fact blank.
    if (!AreEmptyPasswordsAllowed() &&
        IsPasswordEmpty(type3Message) &&
        LoginAPI.HasEmptyPassword(accountName))
    {
        throw new EmptyPasswordNotAllowedException();
    }

    // The original bytes (not a re-serialisation) are handed to SSPI for validation against the
    // server context established earlier.
    bool accepted = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes);
    return accepted ? this[accountIndex] : null;
}