/// <summary>
/// Initialize an instance of NrpcClientSecurityContext class.
/// By calling this constructor, the class will setup a new secure
/// channel between client and server.
/// </summary>
/// <param name="domainName">
/// The NRPC domain name.
/// </param>
/// <param name="serverName">
/// The NRPC server name.
/// </param>
/// <param name="credential">
/// The credential to setup the secure channel.
/// </param>
/// <param name="requestConfidentiality">
/// A Boolean setting that indicates that the caller is requiring
/// encryption of messages so that they cannot be read while in transit.
/// Requesting this service results in Netlogon encrypting the message.
/// </param>
/// <param name="clientCapabilities">
/// The client capability.
/// </param>
/// <exception cref="ArgumentNullException">
/// Thrown when domainName, serverName or credential is null.
/// </exception>
public NrpcClientSecurityContext(
string domainName,
string serverName,
MachineAccountCredential credential,
bool requestConfidentiality,
NrpcNegotiateFlags clientCapabilities)
{
if (string.IsNullOrWhiteSpace(domainName))
{
throw new ArgumentNullException("domainName cannot be null or empty");
}
if (string.IsNullOrWhiteSpace(serverName))
{
throw new ArgumentNullException("serverName cannot be null or empty");
}
if (credential == null)
{
throw new ArgumentNullException("credential cannot be null");
}
this.nrpc = NrpcClient.CreateNrpcClient(domainName);
this.nrpc.Context.PrimaryName = serverName;
this.nrpc.Context.SealSecureChannel = requestConfidentiality;
this.nrpc.Context.NegotiateFlags = clientCapabilities;
this.credential = credential;
this.secureChannelType = _NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel;
}
/// <summary>
/// Call to this method establishes a secure channel between protocol client and
/// protocol server and generates a session key, ehich is used for encryption of
/// request packets and decryption of response packets.
/// </summary>
private void EstablishSecureChannel()
{
nrpcClient = NrpcClient.CreateNrpcClient(sutDomainName);
ushort[] endPointList = NrpcUtility.QueryNrpcTcpEndpoint(serverName);
ushort endPoint = endPointList[0];
MachineAccountCredential machineCredential = new MachineAccountCredential(
sutDomainName,
clientComputerName,
clientComputerPassword);
nrpcClient.Context.NegotiateFlags = NrpcNegotiateFlags.SupportsAESAndSHA2
| NrpcNegotiateFlags.SupportsConcurrentRpcCalls
| NrpcNegotiateFlags.SupportsCrossForestTrusts
| NrpcNegotiateFlags.SupportsGenericPassThroughAuthentication
| NrpcNegotiateFlags.SupportsNetrLogonGetDomainInfo
| NrpcNegotiateFlags.SupportsNetrLogonSendToSam
| NrpcNegotiateFlags.SupportsNetrServerPasswordSet2
| NrpcNegotiateFlags.SupportsRC4
| NrpcNegotiateFlags.SupportsRefusePasswordChange
| NrpcNegotiateFlags.SupportsRodcPassThroughToDifferentDomains
| NrpcNegotiateFlags.SupportsSecureRpc
| NrpcNegotiateFlags.SupportsStrongKeys
| NrpcNegotiateFlags.SupportsTransitiveTrusts;
NrpcClientSecurityContext securityContext = new NrpcClientSecurityContext(
sutDomainName,
sutComputerName,
machineCredential,
true,
nrpcClient.Context.NegotiateFlags);
nrpcClient.BindOverTcp(serverName, endPoint, securityContext, timeout);
}
/// <summary>
/// This method is used to reset the adapter.
/// </summary>
public override void Reset()
{
base.Reset();
if (this.nrpcClient != null)
{
this.nrpcClient.Dispose();
this.nrpcClient = null;
}
}
/// <summary>
/// Cleans up the test suite.
/// </summary>
protected override void TestCleanup()
{
base.TestCleanup();
if (null != this.nrpcClient)
{
this.nrpcClient.Dispose();
}
NrpcClient.CleanAll();
}
/// <summary>
/// This method is used to implement clean-up codes.
/// </summary>
/// <param name="disposing">Set TRUE to dispose resource, otherwise set FALSE</param>
protected override void Dispose(bool disposing)
{
if (disposing)
{
if (this.nrpcClient != null)
{
this.nrpcClient.Dispose();
this.nrpcClient = null;
}
}
}
/// <summary>
/// Dispose method.
/// </summary>
/// <param name="disposing">
/// True to release both managed and unmanaged resources.<para/>
/// False to release unmanaged resources only.
/// </param>
protected virtual void Dispose(bool disposing)
{
if (disposing)
{
// Release managed resources.
if (nrpc != null)
{
nrpc.Dispose();
nrpc = null;
}
}
// Release unmanaged resources.
}
public void NRPC_Traditional05_VerifyOutOfSequenceMessage()
{
PlatformType platform;
HRESULT result = HRESULT.ERROR_SUCCESS;
Site.Log.Add(LogEntryKind.Comment, "Call GetPlatform");
nrpcServerAdapter.GetPlatform(out platform);
Site.Log.Add(LogEntryKind.Comment, "Return GetPlatform(out {0})", platform);
Site.Log.Add(LogEntryKind.Comment, "Call ConfigServer");
nrpcServerSutControlAdapter.ConfigServer(true, false);
Site.Log.Add(LogEntryKind.Comment, "Return ConfigServer");
NrpcServerAdapter adapter = new NrpcServerAdapter();
adapter.Initialize(Site);
using (this.nrpcClient = NrpcClient.CreateNrpcClient(adapter.PrimaryDomainDnsName))
{
this.nrpcClient.Context.NegotiateFlags = (NrpcNegotiateFlags)NrpcServerAdapter.NegotiateFlags;
MachineAccountCredential machineCredential = new MachineAccountCredential(
adapter.PrimaryDomainDnsName,
adapter.ENDPOINTNetbiosName,
adapter.ENDPOINTPassword);
NrpcClientSecurityContext secuContext = new NrpcClientSecurityContext(
adapter.PrimaryDomainDnsName,
adapter.PDCNetbiosName,
machineCredential,
true,
this.nrpcClient.Context.NegotiateFlags);
AccountCredential accountCredential = new AccountCredential(
adapter.PrimaryDomainDnsName,
adapter.DomainAdministratorName,
adapter.DomainUserPassword);
try
{
this.nrpcClient.BindOverNamedPipe(
adapter.PDCNetbiosName,
accountCredential,
secuContext,
adapter.timeOut);
}
catch (Exception e)
{
Site.Log.Add(LogEntryKind.Debug, "Failed to bind NamedPipe to " + adapter.PDCNetbiosName + "due to reason: " + e.Message);
Site.Assert.Fail("Failed on init NRPC client on transport NamedPipe");
}
this.nrpcClient.Context.SequenceNumber++;
_NETLOGON_LOGON_INFO_CLASS logonLevelInfoClass = _NETLOGON_LOGON_INFO_CLASS.NetlogonInteractiveInformation;
_NETLOGON_LEVEL logonLevel = this.nrpcClient.CreateNetlogonLevel(
logonLevelInfoClass,
NrpcParameterControlFlags.AllowLogonWithComputerAccount,
adapter.PrimaryDomainDnsName,
adapter.DomainAdministratorName,
adapter.DomainUserPassword);
// Client calls EncryptNetlogonLevel
_NETLOGON_LEVEL?encryptedLogonLevel = this.nrpcClient.EncryptNetlogonLevel(
logonLevelInfoClass,
logonLevel);
_NETLOGON_AUTHENTICATOR?serverAuthenticator = this.nrpcClient.CreateEmptyNetlogonAuthenticator();
_NETLOGON_AUTHENTICATOR?clientAuthenticator = this.nrpcClient.ComputeNetlogonAuthenticator();
_NETLOGON_VALIDATION? validationInfomation = null;
byte?authoritative = null;
try
{
result = (HRESULT)this.nrpcClient.NetrLogonSamLogon(
adapter.PDCNetbiosName,
adapter.ENDPOINTNetbiosName,
clientAuthenticator,
ref serverAuthenticator,
logonLevelInfoClass,
encryptedLogonLevel,
_NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo2,
out validationInfomation,
out authoritative);
}
catch (InvalidOperationException e)
{
result = (HRESULT)int.Parse(e.Message, CultureInfo.InvariantCulture);
}
// If the sequence number in security context is out of sequence, the server will return an error message.
Site.CaptureRequirementIfAreNotEqual <HRESULT>(
HRESULT.ERROR_SUCCESS,
result,
853,
@"[In Receiving an Initial Netlogon Signature Token, The following steps are
performed to verify the data and to decrypt with AES if negotiated, otherwise
RC4 if required: in step 7: ] If these two [SequenceNumber and CopySeqNumber ]
do not match, an error is returned indicating that out-of-sequence data was received.");
}
}
