// core Cred lookup code static async Task <(NetworkCredential, bool, TokenImpersonationLevel, bool)> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider, CancellationToken cancellationToken) { NetworkCredential credential = null; bool extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts; TokenImpersonationLevel impersonationLevel = TokenImpersonationLevel.Identification; bool allowNtlm = ConnectionOrientedTransportDefaults.AllowNtlm; if (tokenProvider != null) { SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken); if (token != null) { extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts; impersonationLevel = token.ImpersonationLevel; allowNtlm = token.AllowNtlm; if (token.NetworkCredential != null) { credential = token.NetworkCredential; SecurityUtils.FixNetworkCredential(ref credential); } } } // Initialize to the default value if no token provided. A partial trust app should not have access to the // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials // getter will throw under partial trust. if (credential == null) { credential = CredentialCache.DefaultNetworkCredentials; } return(credential, extractGroupsForWindowsAccounts, impersonationLevel, allowNtlm); }
// core Cred lookup code static async Task <NetworkCredential> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider, OutWrapper <TokenImpersonationLevel> impersonationLevelWrapper, OutWrapper <bool> allowNtlmWrapper, CancellationToken cancellationToken) { NetworkCredential credential = null; impersonationLevelWrapper.Value = TokenImpersonationLevel.Identification; allowNtlmWrapper.Value = ConnectionOrientedTransportDefaults.AllowNtlm; if (tokenProvider != null) { SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken); if (token != null) { impersonationLevelWrapper.Value = token.ImpersonationLevel; allowNtlmWrapper.Value = token.AllowNtlm; if (token.NetworkCredential != null) { credential = token.NetworkCredential; SecurityUtils.FixNetworkCredential(ref credential); } } } // Initialize to the default value if no token provided. A partial trust app should not have access to the // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials // getter will throw under partial trust. if (credential == null) { credential = CredentialCache.DefaultNetworkCredentials; } return(credential); }
private static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout, out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel, out bool allowNtlm) { NetworkCredential networkCredential = null; extractGroupsForWindowsAccounts = true; impersonationLevel = TokenImpersonationLevel.Identification; allowNtlm = true; if (tokenProvider != null) { SspiSecurityToken token = GetToken <SspiSecurityToken>(tokenProvider, timeout); if (token != null) { extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts; impersonationLevel = token.ImpersonationLevel; allowNtlm = token.AllowNtlm; if (token.NetworkCredential != null) { networkCredential = token.NetworkCredential; System.ServiceModel.Security.SecurityUtils.FixNetworkCredential(ref networkCredential); } } } if (networkCredential == null) { networkCredential = CredentialCache.DefaultNetworkCredentials; } return(networkCredential); }
private void CompleteGetToken(IAsyncResult result) { SspiSecurityToken token = (SspiSecurityToken)this.credentialProvider.EndGetToken(result); if (token != null) { this.impersonationLevel = token.ImpersonationLevel; this.allowNtlm = token.AllowNtlm; if (token.NetworkCredential != null) { this.credential = token.NetworkCredential; System.ServiceModel.Security.SecurityUtils.FixNetworkCredential(ref this.credential); } } this.EnsureCredentialInitialized(); }
SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) { EndpointAddress targetAddress = initiatorRequirement.TargetAddress; if (targetAddress == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement)); } SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement)); } SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement); bool negotiateTokenOnOpen = (sspiChannelParameter == null ? true : sspiChannelParameter.GetTokenOnOpen); LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings; BindingContext issuerBindingContext = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); SpnegoTokenProvider spnegoTokenProvider = new SpnegoTokenProvider(sspiChannelParameter != null ? sspiChannelParameter.CredentialsHandle : null, securityBindingElement); SspiSecurityToken clientSspiToken = GetSpnegoClientCredential(initiatorRequirement); spnegoTokenProvider.ClientCredential = clientSspiToken.NetworkCredential; spnegoTokenProvider.IssuerAddress = initiatorRequirement.IssuerAddress; spnegoTokenProvider.AllowedImpersonationLevel = parent.Windows.AllowedImpersonationLevel; spnegoTokenProvider.AllowNtlm = clientSspiToken.AllowNtlm; spnegoTokenProvider.IdentityVerifier = localClientSettings.IdentityVerifier; spnegoTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite; // if this is not a supporting token, authenticate the server spnegoTokenProvider.AuthenticateServer = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty); spnegoTokenProvider.NegotiateTokenOnOpen = negotiateTokenOnOpen; spnegoTokenProvider.CacheServiceTokens = negotiateTokenOnOpen || localClientSettings.CacheCookies; spnegoTokenProvider.IssuerBindingContext = issuerBindingContext; spnegoTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime; spnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage; spnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this); spnegoTokenProvider.TargetAddress = targetAddress; spnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null); spnegoTokenProvider.ApplicationProtectionRequirements = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find <ChannelProtectionRequirements>() : null; spnegoTokenProvider.InteractiveNegoExLogonEnabled = this.ClientCredentials.SupportInteractive; return(spnegoTokenProvider); }
private SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) { EndpointAddress targetAddress = initiatorRequirement.TargetAddress; if (targetAddress == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenRequirementDoesNotSpecifyTargetAddress", new object[] { initiatorRequirement })); } SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenProviderRequiresSecurityBindingElement", new object[] { initiatorRequirement })); } SspiIssuanceChannelParameter sspiIssuanceChannelParameter = this.GetSspiIssuanceChannelParameter(initiatorRequirement); bool flag = (sspiIssuanceChannelParameter == null) || sspiIssuanceChannelParameter.GetTokenOnOpen; LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings; BindingContext property = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); SpnegoTokenProvider provider = new SpnegoTokenProvider((sspiIssuanceChannelParameter != null) ? sspiIssuanceChannelParameter.CredentialsHandle : null, securityBindingElement); SspiSecurityToken spnegoClientCredential = this.GetSpnegoClientCredential(initiatorRequirement); provider.ClientCredential = spnegoClientCredential.NetworkCredential; provider.IssuerAddress = initiatorRequirement.IssuerAddress; provider.AllowedImpersonationLevel = this.parent.Windows.AllowedImpersonationLevel; provider.AllowNtlm = spnegoClientCredential.AllowNtlm; provider.IdentityVerifier = localClientSettings.IdentityVerifier; provider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite; provider.AuthenticateServer = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty); provider.NegotiateTokenOnOpen = flag; provider.CacheServiceTokens = flag || localClientSettings.CacheCookies; provider.IssuerBindingContext = property; provider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime; provider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage; provider.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this); provider.TargetAddress = targetAddress; provider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(ServiceModelSecurityTokenRequirement.ViaProperty, null); provider.ApplicationProtectionRequirements = (property != null) ? property.BindingParameters.Find <ChannelProtectionRequirements>() : null; provider.InteractiveNegoExLogonEnabled = this.ClientCredentials.SupportInteractive; return(provider); }
// core Cred lookup code static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout, out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel, out bool allowNtlm) { NetworkCredential credential = null; extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts; impersonationLevel = TokenImpersonationLevel.Identification; allowNtlm = ConnectionOrientedTransportDefaults.AllowNtlm; if (tokenProvider != null) { SspiSecurityToken token = TransportSecurityHelpers.GetToken <SspiSecurityToken>(tokenProvider, timeout); if (token != null) { extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts; impersonationLevel = token.ImpersonationLevel; allowNtlm = token.AllowNtlm; if (token.NetworkCredential != null) { credential = token.NetworkCredential; SecurityUtils.FixNetworkCredential(ref credential); } } } // Initialize to the default value if no token provided. A partial trust app should not have access to the // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials // getter will throw under partial trust. if (credential == null) { credential = CredentialCache.DefaultNetworkCredentials; } return(credential); }
private SspiSecurityToken GetSpnegoClientCredential(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) { ChannelParameterCollection parameters; InitiatorServiceModelSecurityTokenRequirement tokenRequirement = new InitiatorServiceModelSecurityTokenRequirement { TargetAddress = initiatorRequirement.TargetAddress, TokenType = ServiceModelSecurityTokenTypes.SspiCredential, Via = initiatorRequirement.Via, RequireCryptographicToken = false, SecurityBindingElement = initiatorRequirement.SecurityBindingElement, MessageSecurityVersion = initiatorRequirement.MessageSecurityVersion }; if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters)) { tokenRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters; } SecurityTokenProvider tokenProvider = this.CreateSecurityTokenProvider(tokenRequirement); System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, TimeSpan.Zero); SspiSecurityToken token = (SspiSecurityToken)tokenProvider.GetToken(TimeSpan.Zero); System.ServiceModel.Security.SecurityUtils.AbortTokenProviderIfRequired(tokenProvider); return(token); }
SspiSecurityToken GetSpnegoClientCredential(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) { InitiatorServiceModelSecurityTokenRequirement sspiCredentialRequirement = new InitiatorServiceModelSecurityTokenRequirement(); sspiCredentialRequirement.TargetAddress = initiatorRequirement.TargetAddress; sspiCredentialRequirement.TokenType = ServiceModelSecurityTokenTypes.SspiCredential; sspiCredentialRequirement.Via = initiatorRequirement.Via; sspiCredentialRequirement.RequireCryptographicToken = false; sspiCredentialRequirement.SecurityBindingElement = initiatorRequirement.SecurityBindingElement; sspiCredentialRequirement.MessageSecurityVersion = initiatorRequirement.MessageSecurityVersion; ChannelParameterCollection parameters; if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters)) { sspiCredentialRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters; } SecurityTokenProvider sspiTokenProvider = this.CreateSecurityTokenProvider(sspiCredentialRequirement); SecurityUtils.OpenTokenProviderIfRequired(sspiTokenProvider, TimeSpan.Zero); SspiSecurityToken sspiToken = (SspiSecurityToken)sspiTokenProvider.GetToken(TimeSpan.Zero); SecurityUtils.AbortTokenProviderIfRequired(sspiTokenProvider); return(sspiToken); }
// service side ctor public SspiSecurityTokenProvider(NetworkCredential credential, bool extractGroupsForWindowsAccounts, bool allowUnauthenticatedCallers) { _token = new SspiSecurityToken(credential, extractGroupsForWindowsAccounts, allowUnauthenticatedCallers); }
// client side ctor public SspiSecurityTokenProvider(NetworkCredential credential, bool allowNtlm, TokenImpersonationLevel impersonationLevel) { _token = new SspiSecurityToken(impersonationLevel, allowNtlm, credential); }