internal static ADUser ResolveCertificate(X509Identifier certificate, string orgName) { Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificate"); ADSessionSettings sessionSettings = null; if (string.IsNullOrEmpty(orgName)) { sessionSettings = ADSessionSettings.FromRootOrgScopeSet(); } else { try { sessionSettings = ADSessionSettings.FromTenantAcceptedDomain(orgName); } catch (CannotResolveTenantNameException ex) { Logger.LogError(string.Format("Can not resolve the organization based on org name {0} provided in requesting url.", orgName), ex); Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_OrganizationNotFound, null, new object[] { ex, orgName }); Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificate"); HttpLogger.SafeAppendGenericError("ResolveCertificate", ex.ToString(), false); return(null); } } IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, sessionSettings, 193, "ResolveCertificate", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\CertificateAuthentication\\CertificateAuthenticationModule.cs"); ADUser result = (ADUser)tenantOrRootOrgRecipientSession.FindByCertificate(certificate); Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificate"); return(result); }
private static void AddUserToCache(X509Identifier certificateId, ADUser user) { if (!CertificateAuthenticationModule.IsUserCacheEnabled()) { return; } CertificateAuthenticationModule.certCache.AddUser(certificateId, user); }
private static ADUser GetUserFromCache(X509Identifier certificateId) { if (!CertificateAuthenticationModule.IsUserCacheEnabled()) { return(null); } return(CertificateAuthenticationModule.certCache.GetUser(certificateId)); }
// Token: 0x06000004 RID: 4 RVA: 0x00002164 File Offset: 0x00000364 internal void AddUser(X509Identifier certificateId, ADUser user) { lock (this.syncObj) { this.Cleanup(); if (this.userMapping.Count <= this.maximumSize) { this.userMapping[certificateId] = user; } } }
// Token: 0x06000003 RID: 3 RVA: 0x00002108 File Offset: 0x00000308 internal ADUser GetUser(X509Identifier certificateId) { ADUser result; lock (this.syncObj) { ADUser aduser; if (!this.Cleanup() && this.userMapping.TryGetValue(certificateId, out aduser)) { result = aduser; } else { result = null; } } return(result); }
private static ADUser ResolveCertificateFromCacheOrAD(HttpClientCertificate certificate, string orgName) { Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificateFromCacheOrAD"); X509Identifier x509Identifier = CertificateAuthenticationModule.CreateCertificateIdentity(certificate); ADUser aduser = CertificateAuthenticationModule.GetUserFromCache(x509Identifier); if (aduser == null) { aduser = CertificateAuthenticationModule.ResolveCertificate(x509Identifier, orgName); if (aduser != null) { CertificateAuthenticationModule.AddUserToCache(x509Identifier, aduser); } } else { HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD", "Cache"); } if (aduser == null) { Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, certificate.Subject, new object[] { certificate.Subject }); Logger.LogVerbose("Found no user by certificate {0}", new object[] { certificate.Subject }); } else { Logger.LogVerbose("Found user {0} by certificate {1}", new object[] { aduser.Name, certificate.Subject }); } Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificateFromCacheOrAD"); return(aduser); }
// Token: 0x06001373 RID: 4979 RVA: 0x0005DF58 File Offset: 0x0005C158 ADRawEntry[] IRecipientSession.FindByCertificate(X509Identifier identifier, params PropertyDefinition[] properties) { return(base.InvokeWithAPILogging <ADRawEntry[]>(() => this.GetCompositeRecipientSession().FindByCertificate(identifier, properties), "FindByCertificate")); }
// Token: 0x06001372 RID: 4978 RVA: 0x0005DEF8 File Offset: 0x0005C0F8 ADRecipient IRecipientSession.FindByCertificate(X509Identifier identifier) { return(base.InvokeGetObjectWithAPILogging <ADRecipient>(() => this.GetCompositeRecipientSession().FindByCertificate(identifier), "FindByCertificate")); }
private static void SetAuthenticatedInfo(HttpContext context, ADUser authenticatedUser, X509Identifier certId) { Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "SetAuthenticatedInfo"); IIdentity identity; if (CertificateAuthenticationModule.cafeProxy) { CertificateSidTokenAccessor certificateSidTokenAccessor = CertificateSidTokenAccessor.Create(authenticatedUser, certId); context.Items["Item-CommonAccessToken"] = certificateSidTokenAccessor.GetToken(); identity = new GenericSidIdentity(authenticatedUser.Sid.ToString(), "Certificate", authenticatedUser.Sid, certificateSidTokenAccessor.PartitionId); } else { context.Items["AuthType"] = AccessTokenType.CertificateSid; if (authenticatedUser.RecipientTypeDetails == RecipientTypeDetails.LinkedUser) { identity = new GenericIdentity(authenticatedUser.Sid.ToString()); } else { string sUserPrincipalName = string.Format("{0}@{1}", authenticatedUser.SamAccountName, authenticatedUser.Id.GetPartitionId().ForestFQDN); identity = new WindowsIdentity(sUserPrincipalName); } } string name = authenticatedUser.Name; if (!string.IsNullOrEmpty(name)) { context.Items["AuthenticatedUser"] = name; } AuthCommon.SetHttpContextADRawEntry(context, authenticatedUser); if (!OrganizationId.ForestWideOrgId.Equals(authenticatedUser.OrganizationId)) { context.Items[CertificateAuthenticationModule.TenantCertificateOrganizaitonItemName] = authenticatedUser.OrganizationId.OrganizationalUnit.Name; } context.User = new GenericPrincipal(identity, new string[0]); Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "SetAuthenticatedInfo"); }
private static void InternalOnAuthenticate(HttpContext context) { Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "InternalOnAuthenticate"); HttpRequest request = context.Request; Logger.LogVerbose("Request of Authentication for certificate {0}.", new object[] { request.ClientCertificate.Subject }); int i = 0; ADUser aduser = null; NameValueCollection urlProperties = RedirectionHelper.GetUrlProperties(request.Url); string orgName = urlProperties[CertificateAuthenticationModule.OrganizationDomain]; while (i < CertificateAuthenticationModule.maxRetryForADTransient) { try { aduser = CertificateAuthenticationModule.ResolveCertificateFromCacheOrAD(request.ClientCertificate, orgName); if (aduser != null && !string.IsNullOrEmpty(aduser.UserPrincipalName)) { CertificateAuthenticationFaultInjection.FaultInjectionTracer.TraceTest <string>(3745918269U, aduser.UserPrincipalName); } break; } catch (ADTransientException ex) { if (i == 0) { Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientError, null, new object[] { ex, request.ClientCertificate.Subject }); HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD-TransientException", ex.Message); } if (i == CertificateAuthenticationModule.maxRetryForADTransient - 1) { HttpLogger.SafeAppendGenericError("ResolveCertificateFromCacheOrAD", ex, new Func <Exception, bool>(KnownException.IsUnhandledException)); } Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.ClientCertificate.Subject), ex); } catch (Exception ex2) { HttpLogger.SafeAppendGenericError("CertAuthNModule.InternalOnAuthenticate", ex2, new Func <Exception, bool>(KnownException.IsUnhandledException)); Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_ServerError, null, new object[] { ex2, request.ClientCertificate.Subject }); Logger.LogError(string.Format("Unknown error when processing certificate authentication {0}.", request.ClientCertificate.Subject), ex2); if (GrayException.IsGrayException(ex2)) { ExWatson.SendReport(ex2, ReportOptions.DoNotCollectDumps, null); } CertificateAuthenticationModule.ReportCustomError(context.Response, HttpStatusCode.InternalServerError, 200, Strings.UnknownInternalError(request.ClientCertificate.Subject)); } i++; } if (i > 0) { HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD-Retry", i.ToString()); } if (i >= CertificateAuthenticationModule.maxRetryForADTransient) { CertificateAuthenticationModule.ReportCustomError(context.Response, HttpStatusCode.InternalServerError, 201, Strings.ADTransientError(request.ClientCertificate.Subject)); } else if (aduser == null) { HttpLogger.SafeAppendGenericError("ResolveCertificateFromCacheOrAD-ResolvedUser", "null", false); if (request.Headers["Authorization"] == "http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual") { CertificateAuthenticationModule.ReportCustomError(context.Response, HttpStatusCode.BadRequest, 102, Strings.UserNotFound(request.ClientCertificate.Subject)); } } else { Logger.LogVerbose("User correctly authenticated and linked to Certificate {0}.", new object[] { request.ClientCertificate.Subject }); if (i > 0) { Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientRecovery, null, new object[] { request.ClientCertificate.Subject, i }); } X509Identifier certId = CertificateAuthenticationModule.CreateCertificateIdentity(request.ClientCertificate); CertificateAuthenticationModule.SetAuthenticatedInfo(context, aduser, certId); } Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "InternalOnAuthenticate"); }
private static void OnAuthenticateRequest(object source, EventArgs args) { HttpApplication httpApplication = (HttpApplication)source; HttpContext context = httpApplication.Context; if (context.Request.IsAuthenticated) { return; } HttpRequest request = context.Request; if (!CertificateHeaderAuthModule.IsValidCertificateHeaderRequest(request)) { return; } Logger.LogVerbose("Request of Authentication for certificate {0}.", new object[] { request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"] }); int i = 0; while (i < CertificateHeaderAuthModule.maxRetryForADTransient) { try { X509Identifier x509Identifier = CertificateHeaderAuthModule.CreateCertificateIdentity(request); ADUser aduser = CertificateHeaderAuthModule.GetUserFromCache(x509Identifier); if (aduser == null) { aduser = CertificateAuthenticationModule.ResolveCertificate(x509Identifier, null); if (aduser != null) { CertificateHeaderAuthModule.AddUserToCache(x509Identifier, aduser); } } if (aduser == null) { Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], new object[] { request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], "CertificateHeader" }); Logger.LogVerbose("Certificate authentication succeeded but certificate {0} cannot be mapped to an AD account.", new object[] { request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"] }); break; } IIdentity identity; if (aduser.RecipientTypeDetails == RecipientTypeDetails.LinkedUser) { identity = new GenericIdentity(aduser.Sid.ToString(), "CertificateLinkedUser"); } else { identity = new WindowsIdentity(aduser.UserPrincipalName); } if (!OrganizationId.ForestWideOrgId.Equals(aduser.OrganizationId)) { HttpContext.Current.Items[CertificateAuthenticationModule.TenantCertificateOrganizaitonItemName] = aduser.OrganizationId.OrganizationalUnit.Name; } context.User = new GenericPrincipal(identity, new string[0]); Logger.LogVerbose("User correctly authenticated and linked to Certificate {0}.", new object[] { request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"] }); if (i > 0) { Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientRecovery, null, new object[] { request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], i, "CertificateHeader" }); } break; } catch (ADTransientException ex) { i++; if (i == 1) { Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientError, null, new object[] { ex, request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], "CertificateHeader" }); } Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]), ex); if (i > CertificateHeaderAuthModule.maxRetryForADTransient) { throw; } } catch (Exception ex2) { Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_ServerError, null, new object[] { ex2, request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], "CertificateHeader" }); Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]), ex2); throw; } } }
ADRawEntry[] IRecipientSession.FindByCertificate(X509Identifier identifier, params PropertyDefinition[] properties) { FfoDirectorySession.LogNotSupportedInFFO(null); return(new ADRawEntry[0]); }
ADRecipient IRecipientSession.FindByCertificate(X509Identifier identifier) { FfoDirectorySession.LogNotSupportedInFFO(null); return(null); }