/// <summary>
/// Requests a Kerberos token for the user name, password and domain held in
/// KerberosUserNameTB, KerberosPasswordTB and KerberosDomainTB, and wraps it in a user identity.
/// </summary>
/// <returns>
/// A <see cref="UserIdentity"/> built from the Kerberos token, or <c>null</c> when
/// KerberosTAB.Tag holds no user token policy.
/// </returns>
/// <remarks>
/// Exceptions raised while the token is requested are not caught here and propagate to the caller.
/// </remarks>
private IUserIdentity GetKerberosToken()
{
    // The service principal name comes from the user token policy attached to the Kerberos tab.
    UserTokenPolicy tokenPolicy = (UserTokenPolicy)KerberosTAB.Tag;

    if (tokenPolicy == null)
    {
        return null;
    }

    // The ServicePrincipalName (SPN) of the UA server must be specified as the IssuerEndpointUrl.
    // The SPN identifies the host the UA server runs on and the name of the application, and it
    // must be registered with the Kerberos Ticket Granting Server (e.g. a Windows Domain Controller).
    // A domain admin must grant delegate permission to the domain account that the UA server runs
    // under. That can be done with the setspn.exe utility:
    //
    //   setspn -U -S <hostname>/<exename> <domain accountname>
    //   setspn -C -S <hostname>/<exename> <hostname>
    //
    // The second form applies when the UA server runs as a Windows Service under the builtin
    // Windows Service account.
    string servicePrincipalName = tokenPolicy.IssuerEndpointUrl;

    // Explicit credentials are supplied here. Without the NetworkCredential argument the
    // KerberosSecurityTokenProvider would use the credentials of the client process instead.
    // NOTE(review): the password is read from the text box as an ordinary managed string, so it
    // cannot be wiped from memory after use; consider clearing KerberosPasswordTB once the token
    // has been obtained.
    System.Net.NetworkCredential explicitCredential = new System.Net.NetworkCredential(
        KerberosUserNameTB.Text,
        KerberosPasswordTB.Text,
        KerberosDomainTB.Text);

    // NOTE(review): Impersonation is a broader grant than Identification; confirm the UA server
    // really needs to act on behalf of the user rather than only authenticate them.
    KerberosSecurityTokenProvider tokenProvider = new KerberosSecurityTokenProvider(
        servicePrincipalName,
        System.Security.Principal.TokenImpersonationLevel.Impersonation,
        explicitCredential);

    // Allow one minute for the server to be located before the request times out.
    TimeSpan lookupTimeout = TimeSpan.FromMinutes(1);

    // The cast throws if the provider hands back anything other than a Kerberos requestor token.
    KerberosRequestorSecurityToken kerberosToken =
        (KerberosRequestorSecurityToken)tokenProvider.GetToken(lookupTimeout);

    return new UserIdentity(kerberosToken);
}
/// <summary>
/// Creates a wrapper around an existing Kerberos token provider.
/// This overload does not assign a credentials handle.
/// </summary>
/// <param name="innerProvider">The provider stored in the wrapper's innerProvider field.</param>
public KerberosSecurityTokenProviderWrapper(KerberosSecurityTokenProvider innerProvider)
{
    // NOTE(review): the reference is stored without a null check; confirm that callers
    // always pass a non-null provider.
    this.innerProvider = innerProvider;
}
/// <summary>
/// Creates a wrapper around an existing Kerberos token provider together with a
/// credentials handle.
/// </summary>
/// <param name="innerProvider">The provider stored in the wrapper's innerProvider field.</param>
/// <param name="credentialsHandle">The handle stored in the wrapper's credentialsHandle field.</param>
public KerberosSecurityTokenProviderWrapper(
    KerberosSecurityTokenProvider innerProvider,
    SafeFreeCredentials credentialsHandle)
{
    // Both references are stored as given; neither is validated here.
    // NOTE(review): this constructor does not show who releases credentialsHandle.
    // Confirm whether the wrapper or the caller owns its lifetime.
    this.innerProvider = innerProvider;
    this.credentialsHandle = credentialsHandle;
}