예제 #1
0
        private static ObjectSecurity GetServerAdminSecurity()
        {
            FileSecurity securityDescriptor = null;

            ADNotificationAdapter.TryRunADOperation(delegate()
            {
                ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 578, "GetServerAdminSecurity", "f:\\15.00.1497\\sources\\dev\\data\\src\\ApplicationLogic\\ProcessAccessManager.cs");
                Server server = null;
                try
                {
                    server = topologyConfigurationSession.FindLocalServer();
                }
                catch (LocalServerNotFoundException)
                {
                    return;
                }
                RawSecurityDescriptor rawSecurityDescriptor = server.ReadSecurityDescriptor();
                if (rawSecurityDescriptor != null)
                {
                    securityDescriptor = new FileSecurity();
                    byte[] array       = new byte[rawSecurityDescriptor.BinaryLength];
                    rawSecurityDescriptor.GetBinaryForm(array, 0);
                    securityDescriptor.SetSecurityDescriptorBinaryForm(array);
                    IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 605, "GetServerAdminSecurity", "f:\\15.00.1497\\sources\\dev\\data\\src\\ApplicationLogic\\ProcessAccessManager.cs");
                    SecurityIdentifier exchangeServersUsgSid  = rootOrganizationRecipientSession.GetExchangeServersUsgSid();
                    FileSystemAccessRule fileSystemAccessRule = new FileSystemAccessRule(exchangeServersUsgSid, FileSystemRights.ReadData, AccessControlType.Allow);
                    securityDescriptor.SetAccessRule(fileSystemAccessRule);
                    SecurityIdentifier identity = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
                    fileSystemAccessRule        = new FileSystemAccessRule(identity, FileSystemRights.ReadData, AccessControlType.Allow);
                    securityDescriptor.AddAccessRule(fileSystemAccessRule);
                    return;
                }
            }, 3);
            return(securityDescriptor);
        }
예제 #2
0
        private static IEnumerable <ADRawEntry> ReadDkmAdObjects(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, StringBuilder detailStatus)
        {
            string dkmContainerDN = TestDataCenterDKMAccess.CreateDkmContainerDN(dkmContainerName, rootDomain);

            ADRawEntry[]      dkmObjects        = null;
            ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
            {
                dkmObjects = session.Find(new ADObjectId(dkmContainerDN), QueryScope.SubTree, new CustomLdapFilter("(objectClass=contact)"), null, -1, new ADPropertyDefinition[]
                {
                    ADObjectSchema.Name
                });
            });

            if (!adoperationResult.Succeeded)
            {
                detailStatus.AppendFormat("Failed to read DKM objects under DN {0} with exception {1}", dkmContainerDN, (adoperationResult.Exception == null) ? "N/A" : adoperationResult.Exception.Message);
                return(null);
            }
            if (dkmObjects.Length == 0)
            {
                detailStatus.AppendFormat("Failed to find any DKM objects under DN {0}. Examine the ACL settings on DKM objects to ensure the Exchange Servers group is allowed.", dkmContainerDN);
                return(null);
            }
            return(dkmObjects);
        }
예제 #3
0
        protected override void InternalProcessRecord()
        {
            bool          flag          = true;
            StringBuilder stringBuilder = new StringBuilder();
            ADDomain      addomain      = ADForest.GetLocalForest().FindRootDomain(true);

            if (addomain == null)
            {
                flag = false;
                stringBuilder.AppendLine("Failed to read root domain");
            }
            else
            {
                IRootOrganizationRecipientSession session = TestDataCenterDKMAccess.CreateAdSession();
                foreach (Tuple <string, Dictionary <SecurityIdentifier, ActiveDirectoryRights> > tuple in this.ExpectedAccessRights)
                {
                    flag &= TestDataCenterDKMAccess.VerifyDkmObjectPermissions(session, tuple.Item1, addomain.Id.ToDNString(), tuple.Item2, stringBuilder);
                }
            }
            if (flag)
            {
                stringBuilder.Append("DKM has correct ACL settings");
            }
            this.ReportDkmAclStatus(flag, stringBuilder);
        }
        // Token: 0x06000026 RID: 38 RVA: 0x00002938 File Offset: 0x00000B38
        private static ObjectSecurity GetRpcSecurityDescriptor()
        {
            FileSecurity fileSecurity = new FileSecurity();
            IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 348, "GetRpcSecurityDescriptor", "f:\\15.00.1497\\sources\\dev\\data\\src\\ThrottlingService\\Service\\ThrottlingRpcServerImpl.cs");

            ThrottlingService.StartStopBreadcrumbs.Drop("Calling GetExchangeServersUsgSid", new object[0]);
            SecurityIdentifier exchangeServersUsgSid = rootOrganizationRecipientSession.GetExchangeServersUsgSid();

            ThrottlingService.StartStopBreadcrumbs.Drop("GetExchangeServersUsgSid call completed", new object[0]);
            FileSystemAccessRule fileSystemAccessRule = new FileSystemAccessRule(exchangeServersUsgSid, FileSystemRights.ReadData, AccessControlType.Allow);

            fileSecurity.SetAccessRule(fileSystemAccessRule);
            if (ThrottlingAppConfig.AuthenticatedUsersRpcEnabled)
            {
                SecurityIdentifier identity = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
                fileSystemAccessRule = new FileSystemAccessRule(identity, FileSystemRights.ReadData, AccessControlType.Allow);
                fileSecurity.AddAccessRule(fileSystemAccessRule);
                ThrottlingService.Tracer.TraceDebug(0L, "RPC calls are allowed for all authenticated users.");
            }
            SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

            fileSystemAccessRule = new FileSystemAccessRule(securityIdentifier, FileSystemRights.ReadData, AccessControlType.Allow);
            fileSecurity.AddAccessRule(fileSystemAccessRule);
            SecurityIdentifier identity2 = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);

            fileSystemAccessRule = new FileSystemAccessRule(identity2, FileSystemRights.ReadData, AccessControlType.Allow);
            fileSecurity.AddAccessRule(fileSystemAccessRule);
            fileSecurity.SetOwner(securityIdentifier);
            return(fileSecurity);
        }
예제 #5
0
        // Token: 0x0600018B RID: 395 RVA: 0x00007A68 File Offset: 0x00005C68
        public void Init()
        {
            ExTraceGlobals.DatabaseManagerTracer.TraceDebug <DatabaseManager>((long)this.GetHashCode(), "{0}: Really starting", this);
            AIBreadcrumbs.DatabaseStatusTrail.Drop("Init Starting. Waiting on lock.");
            bool flag = false;

            try
            {
                Monitor.Enter(this, ref flag);
                AIBreadcrumbs.DatabaseStatusTrail.Drop("Init startup progressing. Lock acquired.");
                SecurityIdentifier exchangeServersSid = null;
                ADOperationResult  adoperationResult  = ADNotificationAdapter.TryRunADOperation(delegate()
                {
                    IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 514, "Init", "f:\\15.00.1497\\sources\\dev\\assistants\\src\\Assistants\\DatabaseManager.cs");
                    exchangeServersSid = rootOrganizationRecipientSession.GetExchangeServersUsgSid();
                });
                if (exchangeServersSid == null)
                {
                    AIBreadcrumbs.DatabaseStatusTrail.Drop("Database Manager unable to contact AD.");
                    TransientServerException ex = new TransientServerException(adoperationResult.Exception);
                    ExTraceGlobals.DatabaseManagerTracer.TraceDebug <DatabaseManager, ADOperationErrorCode, TransientServerException>((long)this.GetHashCode(), "{0}: Unable to contact AD. Will not continue to start at this time. Code: {1}, Exception: {2}", this, adoperationResult.ErrorCode, ex);
                    throw ex;
                }
                if (this.startState != DatabaseManager.StartState.Started)
                {
                    ExTraceGlobals.DatabaseManagerTracer.TraceDebug <DatabaseManager, DatabaseManager.StartState>((long)this.GetHashCode(), "{0}: Init when not started: {1}", this, this.startState);
                    return;
                }
                this.performanceCountersTotal = new PerformanceCountersPerDatabaseInstance(this.serviceName + "-Total", null);
                this.performanceCountersTotal.Reset();
                if (this.timeBasedDriverManager != null)
                {
                    this.timeBasedDriverManager.Start(exchangeServersSid);
                }
                this.databaseStatusTimer = new Timer(new TimerCallback(this.CheckDatabaseStatusTimerProc));
                this.databaseStatusTimer.Change(TimeSpan.Zero, DatabaseManager.DatabaseStatusPollingInterval);
                base.TracePfd("PFD AIS {0} {1}: Started", new object[]
                {
                    23383,
                    this
                });
                this.startState = DatabaseManager.StartState.Initialized;
            }
            finally
            {
                if (flag)
                {
                    Monitor.Exit(this);
                }
            }
            AIBreadcrumbs.DatabaseStatusTrail.Drop("Database manager startup completed.");
        }
        internal override AdminRoleDefinition[] ComputeAdminRoles(IRootOrganizationRecipientSession recipientSession, ITopologyConfigurationSession configSession)
        {
            string  containerDN = configSession.ConfigurationNamingContext.ToDNString();
            ADGroup adgroup     = recipientSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EmaWkGuid, containerDN);

            return(new AdminRoleDefinition[]
            {
                new AdminRoleDefinition(adgroup.Sid, "RecipientAdmins"),
                new AdminRoleDefinition(recipientSession.GetExchangeServersUsgSid(), "ExchangeServers"),
                new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), "LocalSystem"),
                new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), "BuiltinAdmins")
            });
        }
예제 #7
0
 // Token: 0x060006FA RID: 1786 RVA: 0x0001A1CC File Offset: 0x000183CC
 public static OrganizationId ResolveCurrentUserOrganization(out ADObjectId userId)
 {
     userId = null;
     try
     {
         using (WindowsIdentity current = WindowsIdentity.GetCurrent())
         {
             if (current == null)
             {
                 return(null);
             }
             IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 1263, "ResolveCurrentUserOrganization", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\BaseTasks\\TaskHelper.cs");
             ADRawEntry adrawEntry = rootOrganizationRecipientSession.FindADRawEntryBySid(current.User, new ADPropertyDefinition[]
             {
                 ADObjectSchema.RawName,
                 ADObjectSchema.Name,
                 ADObjectSchema.Id,
                 ADObjectSchema.ExchangeVersion,
                 ADObjectSchema.OrganizationalUnitRoot,
                 ADObjectSchema.ConfigurationUnit
             });
             if (adrawEntry == null)
             {
                 return(null);
             }
             userId = adrawEntry.Id;
             return((OrganizationId)adrawEntry[ADObjectSchema.OrganizationId]);
         }
     }
     catch (InvalidOperationException e)
     {
         TaskLogger.LogError(e);
     }
     catch (DataSourceOperationException e2)
     {
         TaskLogger.LogError(e2);
     }
     catch (TransientException e3)
     {
         TaskLogger.LogError(e3);
     }
     catch (DataValidationException e4)
     {
         TaskLogger.LogError(e4);
     }
     return(null);
 }
예제 #8
0
        internal override AdminRoleDefinition[] ComputeAdminRoles(IRootOrganizationRecipientSession recipientSession, ITopologyConfigurationSession configSession)
        {
            string  containerDN             = configSession.ConfigurationNamingContext.ToDNString();
            ADGroup adgroup                 = recipientSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EmaWkGuid, containerDN);
            List <AdminRoleDefinition> list = new List <AdminRoleDefinition>(4);

            list.Add(new AdminRoleDefinition(adgroup.Sid, "RecipientAdmins"));
            list.Add(new AdminRoleDefinition(recipientSession.GetExchangeServersUsgSid(), "ExchangeServers"));
            list.Add(new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), "LocalSystem"));
            list.Add(new AdminRoleDefinition(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), "BuiltinAdmins"));
            SecurityIdentifier[] additionalSids = this.GetAdditionalSids();
            for (int i = 0; i < additionalSids.Length; i++)
            {
                string roleName = string.Format("AdditionalAdminRoleFromConfiguration {0}", i);
                list.Add(new AdminRoleDefinition(additionalSids[i], roleName));
            }
            return(list.ToArray());
        }
 private AdminRoleDefinition[] GetAdminRoles()
 {
     if (this.adminRoles == null)
     {
         lock (this.adminRolesLock)
         {
             if (this.adminRoles == null)
             {
                 CommonUtils.CatchKnownExceptions(delegate
                 {
                     IRootOrganizationRecipientSession recipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 241, "GetAdminRoles", "f:\\15.00.1497\\sources\\dev\\mrs\\src\\Common\\AuthorizationManagerBase.cs");
                     ITopologyConfigurationSession configSession        = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 246, "GetAdminRoles", "f:\\15.00.1497\\sources\\dev\\mrs\\src\\Common\\AuthorizationManagerBase.cs");
                     this.adminRoles = this.ComputeAdminRoles(recipientSession, configSession);
                 }, null);
             }
         }
     }
     return(this.adminRoles);
 }
예제 #10
0
        private ADSystemMailbox FindSystemMailbox(ADSessionSettings settings)
        {
            IRootOrganizationRecipientSession session = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.IgnoreInvalid, settings, 796, "FindSystemMailbox", "f:\\15.00.1497\\sources\\dev\\data\\src\\storage\\ResourceHealth\\MdbSystemMailboxPinger.cs");

            ADRecipient[]     adRecipients      = null;
            ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
            {
                adRecipients = session.Find(null, QueryScope.SubTree, new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Name, this.systemMailboxName), null, 1);
            });

            if (!adoperationResult.Succeeded)
            {
                throw adoperationResult.Exception;
            }
            if (adRecipients.Length != 1 || !(adRecipients[0] is ADSystemMailbox))
            {
                throw new ObjectNotFoundException(ServerStrings.AdUserNotFoundException(string.Format("SystemMailbox {0} was not found", this.systemMailboxName)));
            }
            return((ADSystemMailbox)adRecipients[0]);
        }
예제 #11
0
        private static ADUser[] InternalFindEnterprise(OrganizationCapability capability, ADObjectId databaseId)
        {
            ADSessionSettings sessionSettings         = ADSessionSettings.FromRootOrgScopeSet();
            IRootOrganizationRecipientSession session = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(null, null, LcidMapper.DefaultLcid, true, ConsistencyMode.IgnoreInvalid, null, sessionSettings, 558, "InternalFindEnterprise", "f:\\15.00.1497\\sources\\dev\\data\\src\\storage\\OrganizationMailbox\\OrganizationMailbox.cs");
            QueryFilter optionalFilter;

            if (databaseId != null)
            {
                optionalFilter = new ComparisonFilter(ComparisonOperator.Equal, ADMailboxRecipientSchema.Database, databaseId);
            }
            else
            {
                optionalFilter = OrganizationMailbox.GetOrganizationMailboxQueryFilterForLocalServer();
            }
            List <ADUser> organizationMailboxesByCapability = OrganizationMailbox.GetOrganizationMailboxesByCapability(session, capability, optionalFilter);
            List <ADUser> list = new List <ADUser>(1);

            if (organizationMailboxesByCapability.Count >= 1)
            {
                list.Add(organizationMailboxesByCapability[0]);
            }
            return(list.ToArray());
        }
        protected void PersistManagedAvailabilityServersUsgSid()
        {
            SecurityIdentifier securityIdentifier = null;

            try
            {
                IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 153, "PersistManagedAvailabilityServersUsgSid", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\Monitoring\\Service\\ManageHealthManagerService.cs");
                securityIdentifier = rootOrganizationRecipientSession.GetWellKnownExchangeGroupSid(WellKnownGuid.MaSWkGuid);
            }
            catch (Exception)
            {
            }
            if (securityIdentifier != null)
            {
                using (RegistryKey registryKey = Registry.LocalMachine.CreateSubKey(ManageHealthManagerService.RegistryPathBase))
                {
                    registryKey.SetValue("ManagedAvailabilityServersUsgSid", securityIdentifier.ToString());
                }
                string name = "SOFTWARE\\Microsoft\\ExchangeServer";
                using (RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey(name, true))
                {
                    if (registryKey2 != null)
                    {
                        RegistrySecurity accessControl = registryKey2.GetAccessControl();
                        accessControl.AddAccessRule(new RegistryAccessRule(securityIdentifier, RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
                        registryKey2.SetAccessControl(accessControl);
                        using (RegistryKey registryKey3 = Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\winreg", true))
                        {
                            RegistrySecurity accessControl2 = registryKey3.GetAccessControl();
                            accessControl2.AddAccessRule(new RegistryAccessRule(securityIdentifier, RegistryRights.ExecuteKey, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
                            registryKey3.SetAccessControl(accessControl2);
                        }
                    }
                }
            }
        }
 private ADRootOrganizationRecipientSessionWrapper(IRootOrganizationRecipientSession session)
 {
     ExAssert.RetailAssert(session != null, "'session' instance to wrap must not be null!");
     this.m_session = session;
 }
 public static ADRootOrganizationRecipientSessionWrapper CreateWrapper(IRootOrganizationRecipientSession session)
 {
     ExAssert.RetailAssert(session != null, "'session' instance to wrap must not be null!");
     return(new ADRootOrganizationRecipientSessionWrapper(session));
 }
        public IADRootOrganizationRecipientSession CreateIgnoreInvalidRootOrgRecipientSession()
        {
            IRootOrganizationRecipientSession session = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 226, "CreateIgnoreInvalidRootOrgRecipientSession", "f:\\15.00.1497\\sources\\dev\\data\\src\\HA\\DirectoryServices\\ADSessionFactory.cs");

            return(ADRootOrganizationRecipientSessionWrapper.CreateWrapper(session));
        }
예제 #16
0
        private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
        {
            bool result = true;

            foreach (ADRawEntry adrawEntry in dkmObjects)
            {
                RawSecurityDescriptor   rawSecurityDescriptor;
                ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
                if (activeDirectorySecurity == null)
                {
                    result = false;
                    detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
                }
                else
                {
                    AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
                    StringBuilder stringBuilder             = new StringBuilder();
                    stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
                    bool flag = false;
                    Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
                    foreach (object obj in accessRules)
                    {
                        ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
                        try
                        {
                            if (!expectedAccessRights.ContainsKey((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference))
                            {
                                int num = AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                                if (num != 0)
                                {
                                    stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), (ActiveDirectoryRights)num);
                                    result = false;
                                    flag   = true;
                                }
                            }
                            else
                            {
                                dictionary[(SecurityIdentifier)activeDirectoryAccessRule.IdentityReference] = (ActiveDirectoryRights)AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                            }
                        }
                        catch (Win32Exception ex)
                        {
                            stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
                            result = false;
                            flag   = true;
                        }
                    }
                    Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary2 = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
                    foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair in dictionary)
                    {
                        if (dictionary2[keyValuePair.Key] != keyValuePair.Value)
                        {
                            stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair.Key.ToString()), dictionary2[keyValuePair.Key], keyValuePair.Value);
                            result = false;
                            flag   = true;
                        }
                        dictionary2.Remove(keyValuePair.Key);
                    }
                    if (dictionary2.Count > 0)
                    {
                        foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair2 in dictionary2)
                        {
                            stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair2.Key.ToString()), keyValuePair2.Value);
                            result = false;
                            flag   = true;
                        }
                    }
                    if (flag)
                    {
                        detailStatus.AppendLine(stringBuilder.ToString());
                    }
                }
            }
            return(result);
        }
예제 #17
0
        private static bool VerifyDkmObjectPermissions(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedRights, StringBuilder detailStatus)
        {
            IEnumerable <ADRawEntry> enumerable = TestDataCenterDKMAccess.ReadDkmAdObjects(session, dkmContainerName, rootDomain, detailStatus);

            return(enumerable != null && TestDataCenterDKMAccess.CheckPermissionsOnDkmObjects(enumerable, session, expectedRights, detailStatus));
        }
예제 #18
0
        private IAuthenticationInfo GetPrincipal(OperationContext operationContext)
        {
            MRSProxyAuthorizationManager.AuthenticationData authenticationData = this.GetAuthenticationData(operationContext);
            if (authenticationData.AuthenticationInfo != null)
            {
                return(authenticationData.AuthenticationInfo);
            }
            IAuthenticationInfo authenticationInfo = base.Authenticate(operationContext);

            if (authenticationInfo == null)
            {
                return(null);
            }
            if (operationContext.Channel.LocalAddress.Uri.Scheme == "net.tcp" || this.TestIntegration.UseHttpsForLocalMoves)
            {
                return(authenticationInfo);
            }
            WindowsPrincipal windowsPrincipal = authenticationInfo.WindowsPrincipal;
            WindowsIdentity  windowsIdentity  = windowsPrincipal.Identity as WindowsIdentity;

            using (ClientSecurityContext clientSecurityContext = new ClientSecurityContext(windowsIdentity))
            {
                if (!LocalServer.AllowsTokenSerializationBy(clientSecurityContext))
                {
                    MrsTracer.ProxyService.Debug("MRSProxyAuthorizationManager: User {0} does not have the permission to serialize security token.", new object[]
                    {
                        authenticationInfo.PrincipalName
                    });
                    return(null);
                }
            }
            object obj;

            if (!OperationContext.Current.IncomingMessageProperties.TryGetValue(HttpRequestMessageProperty.Name, out obj))
            {
                return(null);
            }
            HttpRequestMessageProperty httpRequestMessageProperty = obj as HttpRequestMessageProperty;

            if (httpRequestMessageProperty == null)
            {
                return(null);
            }
            string[] values = httpRequestMessageProperty.Headers.GetValues("X-CommonAccessToken");
            if (values == null || values.Length != 1)
            {
                return(null);
            }
            string text = values[0];

            if (string.IsNullOrEmpty(text))
            {
                return(null);
            }
            using (ClientSecurityContext clientSecurityContext2 = new ClientSecurityContext(windowsIdentity))
            {
                if (!LocalServer.AllowsTokenSerializationBy(clientSecurityContext2))
                {
                    MrsTracer.ProxyService.Debug("MRSProxyAuthorizationManager: User {0} does not have the permission to serialize security token.", new object[]
                    {
                        windowsIdentity
                    });
                    return(null);
                }
            }
            CommonAccessToken  commonAccessToken  = CommonAccessToken.Deserialize(text);
            SecurityIdentifier securityIdentifier = new SecurityIdentifier(commonAccessToken.WindowsAccessToken.UserSid);
            IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 300, "GetPrincipal", "f:\\15.00.1497\\sources\\dev\\mrs\\src\\ProxyService\\MRSProxyAuthorizationManager.cs");
            ADRawEntry adrawEntry = rootOrganizationRecipientSession.FindADRawEntryBySid(securityIdentifier, MRSProxyAuthorizationManager.userPrincipalName);

            if (adrawEntry == null)
            {
                authenticationData.AuthenticationInfo = new AuthenticationInfo(securityIdentifier);
            }
            else
            {
                string sUserPrincipalName = (string)adrawEntry[ADUserSchema.UserPrincipalName];
                windowsIdentity = new WindowsIdentity(sUserPrincipalName);
                authenticationData.AuthenticationInfo = new AuthenticationInfo(windowsIdentity, windowsIdentity.Name);
            }
            return(authenticationData.AuthenticationInfo);
        }
 internal abstract AdminRoleDefinition[] ComputeAdminRoles(IRootOrganizationRecipientSession recipientSession, ITopologyConfigurationSession configSession);