internal static ADUser ResolveCertificate(X509Identifier certificate, string orgName)
{
Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificate");
ADSessionSettings sessionSettings = null;
if (string.IsNullOrEmpty(orgName))
{
sessionSettings = ADSessionSettings.FromRootOrgScopeSet();
}
else
{
try
{
sessionSettings = ADSessionSettings.FromTenantAcceptedDomain(orgName);
}
catch (CannotResolveTenantNameException ex)
{
Logger.LogError(string.Format("Can not resolve the organization based on org name {0} provided in requesting url.", orgName), ex);
Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_OrganizationNotFound, null, new object[]
{
ex,
orgName
});
Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificate");
HttpLogger.SafeAppendGenericError("ResolveCertificate", ex.ToString(), false);
return(null);
}
}
IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, sessionSettings, 193, "ResolveCertificate", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\CertificateAuthentication\\CertificateAuthenticationModule.cs");
ADUser result = (ADUser)tenantOrRootOrgRecipientSession.FindByCertificate(certificate);
Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificate");
return(result);
}
private static void AddUserToCache(X509Identifier certificateId, ADUser user)
{
if (!CertificateAuthenticationModule.IsUserCacheEnabled())
{
return;
}
CertificateAuthenticationModule.certCache.AddUser(certificateId, user);
}
private static ADUser GetUserFromCache(X509Identifier certificateId)
{
if (!CertificateAuthenticationModule.IsUserCacheEnabled())
{
return(null);
}
return(CertificateAuthenticationModule.certCache.GetUser(certificateId));
}
// Token: 0x06000004 RID: 4 RVA: 0x00002164 File Offset: 0x00000364
internal void AddUser(X509Identifier certificateId, ADUser user)
{
lock (this.syncObj)
{
this.Cleanup();
if (this.userMapping.Count <= this.maximumSize)
{
this.userMapping[certificateId] = user;
}
}
}
// Token: 0x06000003 RID: 3 RVA: 0x00002108 File Offset: 0x00000308
internal ADUser GetUser(X509Identifier certificateId)
{
ADUser result;
lock (this.syncObj)
{
ADUser aduser;
if (!this.Cleanup() && this.userMapping.TryGetValue(certificateId, out aduser))
{
result = aduser;
}
else
{
result = null;
}
}
return(result);
}
private static ADUser ResolveCertificateFromCacheOrAD(HttpClientCertificate certificate, string orgName)
{
Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificateFromCacheOrAD");
X509Identifier x509Identifier = CertificateAuthenticationModule.CreateCertificateIdentity(certificate);
ADUser aduser = CertificateAuthenticationModule.GetUserFromCache(x509Identifier);
if (aduser == null)
{
aduser = CertificateAuthenticationModule.ResolveCertificate(x509Identifier, orgName);
if (aduser != null)
{
CertificateAuthenticationModule.AddUserToCache(x509Identifier, aduser);
}
}
else
{
HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD", "Cache");
}
if (aduser == null)
{
Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, certificate.Subject, new object[]
{
certificate.Subject
});
Logger.LogVerbose("Found no user by certificate {0}", new object[]
{
certificate.Subject
});
}
else
{
Logger.LogVerbose("Found user {0} by certificate {1}", new object[]
{
aduser.Name,
certificate.Subject
});
}
Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificateFromCacheOrAD");
return(aduser);
}
// Token: 0x06001373 RID: 4979 RVA: 0x0005DF58 File Offset: 0x0005C158
ADRawEntry[] IRecipientSession.FindByCertificate(X509Identifier identifier, params PropertyDefinition[] properties)
{
return(base.InvokeWithAPILogging <ADRawEntry[]>(() => this.GetCompositeRecipientSession().FindByCertificate(identifier, properties), "FindByCertificate"));
}
// Token: 0x06001372 RID: 4978 RVA: 0x0005DEF8 File Offset: 0x0005C0F8
ADRecipient IRecipientSession.FindByCertificate(X509Identifier identifier)
{
return(base.InvokeGetObjectWithAPILogging <ADRecipient>(() => this.GetCompositeRecipientSession().FindByCertificate(identifier), "FindByCertificate"));
}
private static void SetAuthenticatedInfo(HttpContext context, ADUser authenticatedUser, X509Identifier certId)
{
Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "SetAuthenticatedInfo");
IIdentity identity;
if (CertificateAuthenticationModule.cafeProxy)
{
CertificateSidTokenAccessor certificateSidTokenAccessor = CertificateSidTokenAccessor.Create(authenticatedUser, certId);
context.Items["Item-CommonAccessToken"] = certificateSidTokenAccessor.GetToken();
identity = new GenericSidIdentity(authenticatedUser.Sid.ToString(), "Certificate", authenticatedUser.Sid, certificateSidTokenAccessor.PartitionId);
}
else
{
context.Items["AuthType"] = AccessTokenType.CertificateSid;
if (authenticatedUser.RecipientTypeDetails == RecipientTypeDetails.LinkedUser)
{
identity = new GenericIdentity(authenticatedUser.Sid.ToString());
}
else
{
string sUserPrincipalName = string.Format("{0}@{1}", authenticatedUser.SamAccountName, authenticatedUser.Id.GetPartitionId().ForestFQDN);
identity = new WindowsIdentity(sUserPrincipalName);
}
}
string name = authenticatedUser.Name;
if (!string.IsNullOrEmpty(name))
{
context.Items["AuthenticatedUser"] = name;
}
AuthCommon.SetHttpContextADRawEntry(context, authenticatedUser);
if (!OrganizationId.ForestWideOrgId.Equals(authenticatedUser.OrganizationId))
{
context.Items[CertificateAuthenticationModule.TenantCertificateOrganizaitonItemName] = authenticatedUser.OrganizationId.OrganizationalUnit.Name;
}
context.User = new GenericPrincipal(identity, new string[0]);
Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "SetAuthenticatedInfo");
}
private static void InternalOnAuthenticate(HttpContext context)
{
Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "InternalOnAuthenticate");
HttpRequest request = context.Request;
Logger.LogVerbose("Request of Authentication for certificate {0}.", new object[]
{
request.ClientCertificate.Subject
});
int i = 0;
ADUser aduser = null;
NameValueCollection urlProperties = RedirectionHelper.GetUrlProperties(request.Url);
string orgName = urlProperties[CertificateAuthenticationModule.OrganizationDomain];
while (i < CertificateAuthenticationModule.maxRetryForADTransient)
{
try
{
aduser = CertificateAuthenticationModule.ResolveCertificateFromCacheOrAD(request.ClientCertificate, orgName);
if (aduser != null && !string.IsNullOrEmpty(aduser.UserPrincipalName))
{
CertificateAuthenticationFaultInjection.FaultInjectionTracer.TraceTest <string>(3745918269U, aduser.UserPrincipalName);
}
break;
}
catch (ADTransientException ex)
{
if (i == 0)
{
Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientError, null, new object[]
{
ex,
request.ClientCertificate.Subject
});
HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD-TransientException", ex.Message);
}
if (i == CertificateAuthenticationModule.maxRetryForADTransient - 1)
{
HttpLogger.SafeAppendGenericError("ResolveCertificateFromCacheOrAD", ex, new Func <Exception, bool>(KnownException.IsUnhandledException));
}
Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.ClientCertificate.Subject), ex);
}
catch (Exception ex2)
{
HttpLogger.SafeAppendGenericError("CertAuthNModule.InternalOnAuthenticate", ex2, new Func <Exception, bool>(KnownException.IsUnhandledException));
Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_ServerError, null, new object[]
{
ex2,
request.ClientCertificate.Subject
});
Logger.LogError(string.Format("Unknown error when processing certificate authentication {0}.", request.ClientCertificate.Subject), ex2);
if (GrayException.IsGrayException(ex2))
{
ExWatson.SendReport(ex2, ReportOptions.DoNotCollectDumps, null);
}
CertificateAuthenticationModule.ReportCustomError(context.Response, HttpStatusCode.InternalServerError, 200, Strings.UnknownInternalError(request.ClientCertificate.Subject));
}
i++;
}
if (i > 0)
{
HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD-Retry", i.ToString());
}
if (i >= CertificateAuthenticationModule.maxRetryForADTransient)
{
CertificateAuthenticationModule.ReportCustomError(context.Response, HttpStatusCode.InternalServerError, 201, Strings.ADTransientError(request.ClientCertificate.Subject));
}
else if (aduser == null)
{
HttpLogger.SafeAppendGenericError("ResolveCertificateFromCacheOrAD-ResolvedUser", "null", false);
if (request.Headers["Authorization"] == "http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual")
{
CertificateAuthenticationModule.ReportCustomError(context.Response, HttpStatusCode.BadRequest, 102, Strings.UserNotFound(request.ClientCertificate.Subject));
}
}
else
{
Logger.LogVerbose("User correctly authenticated and linked to Certificate {0}.", new object[]
{
request.ClientCertificate.Subject
});
if (i > 0)
{
Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientRecovery, null, new object[]
{
request.ClientCertificate.Subject,
i
});
}
X509Identifier certId = CertificateAuthenticationModule.CreateCertificateIdentity(request.ClientCertificate);
CertificateAuthenticationModule.SetAuthenticatedInfo(context, aduser, certId);
}
Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "InternalOnAuthenticate");
}
private static void OnAuthenticateRequest(object source, EventArgs args)
{
HttpApplication httpApplication = (HttpApplication)source;
HttpContext context = httpApplication.Context;
if (context.Request.IsAuthenticated)
{
return;
}
HttpRequest request = context.Request;
if (!CertificateHeaderAuthModule.IsValidCertificateHeaderRequest(request))
{
return;
}
Logger.LogVerbose("Request of Authentication for certificate {0}.", new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]
});
int i = 0;
while (i < CertificateHeaderAuthModule.maxRetryForADTransient)
{
try
{
X509Identifier x509Identifier = CertificateHeaderAuthModule.CreateCertificateIdentity(request);
ADUser aduser = CertificateHeaderAuthModule.GetUserFromCache(x509Identifier);
if (aduser == null)
{
aduser = CertificateAuthenticationModule.ResolveCertificate(x509Identifier, null);
if (aduser != null)
{
CertificateHeaderAuthModule.AddUserToCache(x509Identifier, aduser);
}
}
if (aduser == null)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
"CertificateHeader"
});
Logger.LogVerbose("Certificate authentication succeeded but certificate {0} cannot be mapped to an AD account.", new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]
});
break;
}
IIdentity identity;
if (aduser.RecipientTypeDetails == RecipientTypeDetails.LinkedUser)
{
identity = new GenericIdentity(aduser.Sid.ToString(), "CertificateLinkedUser");
}
else
{
identity = new WindowsIdentity(aduser.UserPrincipalName);
}
if (!OrganizationId.ForestWideOrgId.Equals(aduser.OrganizationId))
{
HttpContext.Current.Items[CertificateAuthenticationModule.TenantCertificateOrganizaitonItemName] = aduser.OrganizationId.OrganizationalUnit.Name;
}
context.User = new GenericPrincipal(identity, new string[0]);
Logger.LogVerbose("User correctly authenticated and linked to Certificate {0}.", new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]
});
if (i > 0)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientRecovery, null, new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
i,
"CertificateHeader"
});
}
break;
}
catch (ADTransientException ex)
{
i++;
if (i == 1)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientError, null, new object[]
{
ex,
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
"CertificateHeader"
});
}
Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]), ex);
if (i > CertificateHeaderAuthModule.maxRetryForADTransient)
{
throw;
}
}
catch (Exception ex2)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_ServerError, null, new object[]
{
ex2,
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
"CertificateHeader"
});
Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]), ex2);
throw;
}
}
}
ADRawEntry[] IRecipientSession.FindByCertificate(X509Identifier identifier, params PropertyDefinition[] properties)
{
FfoDirectorySession.LogNotSupportedInFFO(null);
return(new ADRawEntry[0]);
}
ADRecipient IRecipientSession.FindByCertificate(X509Identifier identifier)
{
FfoDirectorySession.LogNotSupportedInFFO(null);
return(null);
}
