/// <summary>
/// Switches the current thread to the identity the operation runs under and returns the
/// context that reverts it.
/// </summary>
/// <param name="rpc">
/// The call being dispatched: its request message is attached to reported errors, its
/// operation is used for tracing and auditing, and its hosting property provides the
/// ASP.NET impersonation fallback.
/// </param>
/// <param name="securityContext">
/// The caller's security context. Required when <paramref name="isSecurityContextImpersonationOn"/>
/// is true; the success-audit call below also dereferences it, so on the hosting path a null
/// context surfaces as an exception when success auditing is enabled.
/// </param>
/// <param name="isSecurityContextImpersonationOn">
/// True to impersonate the caller described by <paramref name="securityContext"/>; false to
/// impersonate the ASP.NET hosting identity, and only when the environment requires it.
/// </param>
/// <returns>
/// The impersonation context the caller must dispose to revert to the original identity, or
/// null when no impersonation was performed.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Caller impersonation was requested but the context is missing, or its primary identity is
/// neither a Windows token nor a Windows SID identity.
/// </exception>
/// <remarks>
/// Success and failure are traced, and audited when the corresponding <c>AuditLevel</c> flag
/// is set. Audit write failures are traced and swallowed; every other non-fatal exception is
/// rethrown after the failure trace.
/// </remarks>
private IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
    IDisposable impersonationContext = null;
    try
    {
        if (isSecurityContextImpersonationOn)
        {
            if (securityContext == null)
            {
                throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SFxSecurityContextPropertyMissingFromRequestMessage")), rpc.Request);
            }

            WindowsIdentity callerIdentity = securityContext.WindowsIdentity;
            if (callerIdentity.User != null)
            {
                // A real Windows token is present: impersonate it directly.
                impersonationContext = callerIdentity.Impersonate();
            }
            else
            {
                // No token, only a SID: either the anonymous SID or a principal we log on by UPN.
                WindowsSidIdentity sidIdentity = securityContext.PrimaryIdentity as WindowsSidIdentity;
                if (sidIdentity == null)
                {
                    throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecurityContextDoesNotAllowImpersonation", new object[] { rpc.Operation.Action })), rpc.Request);
                }

                if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                {
                    impersonationContext = new WindowsAnonymousIdentity().Impersonate();
                }
                else
                {
                    // The token object is released once the impersonation context exists.
                    using (WindowsIdentity kerberosIdentity = new WindowsIdentity(this.GetUpnFromDownlevelName(sidIdentity.Name), "Kerberos"))
                    {
                        impersonationContext = kerberosIdentity.Impersonate();
                    }
                }
            }
        }
        else if (AspNetEnvironment.Current.RequiresImpersonation && rpc.HostingProperty != null)
        {
            impersonationContext = rpc.HostingProperty.Impersonate();
        }

        SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.Operation);

        if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
        {
            SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
        }
    }
    catch (Exception failure)
    {
        if (Fx.IsFatal(failure))
        {
            throw;
        }

        // NOTE(review): a context created before a later step threw is not reverted here;
        // the caller only sees the exception.
        SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.Operation, failure);

        if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
        {
            try
            {
                // The context is optional on this path, so audit the anonymous identity when it is absent.
                string auditedIdentities = securityContext != null
                    ? System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext)
                    : System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, auditedIdentities, failure);
            }
            catch (Exception auditFailure)
            {
                if (Fx.IsFatal(auditFailure))
                {
                    throw;
                }
                // Auditing must not mask the original impersonation failure.
                System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(auditFailure, TraceEventType.Error);
            }
        }

        throw;
    }

    return impersonationContext;
}
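/// <summary>
/// Impersonates the identity the operation must run under and returns the context that
/// reverts it.
/// </summary>
/// <param name="rpc">
/// The call being dispatched: its request message is attached to reported errors, its
/// operation and event trace activity are used for tracing and auditing, and its hosting
/// property provides the ASP.NET impersonation fallback.
/// </param>
/// <param name="securityContext">
/// The caller's security context. Must not be null when
/// <paramref name="isSecurityContextImpersonationOn"/> is true; on the hosting-impersonation
/// path it may be null, and audit events then record the anonymous identity.
/// </param>
/// <param name="isSecurityContextImpersonationOn">
/// True to impersonate the caller described by <paramref name="securityContext"/>; false to
/// impersonate the ASP.NET hosting identity, and only when the environment requires it.
/// </param>
/// <returns>
/// The impersonation context the caller disposes to revert to the original identity, or
/// null when no impersonation was performed.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Caller impersonation was requested but the context is missing, or its primary identity is
/// neither a Windows token nor a Windows SID identity and so cannot be impersonated.
/// </exception>
/// <remarks>
/// Success and failure are traced, and audited when the corresponding <c>AuditLevel</c> flag
/// is set. If anything fails after an impersonation context was created, that context is
/// disposed before the exception propagates so the thread is not left running as the
/// impersonated identity. Audit write failures are traced and swallowed.
/// </remarks>
IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
    IDisposable impersonationContext = null;
    try
    {
        if (isSecurityContextImpersonationOn)
        {
            impersonationContext = this.ImpersonateSecurityContextCaller(ref rpc, securityContext);
        }
        else if (AspNetEnvironment.Current.RequiresImpersonation && rpc.HostingProperty != null)
        {
            impersonationContext = rpc.HostingProperty.Impersonate();
        }

        SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.EventTraceActivity, rpc.Operation);

        // Update the impersonation success audit. The context is optional on the hosting path,
        // so resolve the names the same way the failure audit does.
        if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
        {
            SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, GetAuditIdentityNames(securityContext));
        }
    }
    catch (Exception ex)
    {
        if (Fx.IsFatal(ex))
        {
            throw;
        }

        // A context created above would be lost on rethrow, leaving the thread impersonating.
        RevertImpersonationBestEffort(impersonationContext);

        SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.EventTraceActivity, rpc.Operation, ex);

        // Update the impersonation failure audit.
        if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
        {
            try
            {
                SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, GetAuditIdentityNames(securityContext), ex);
            }
#pragma warning suppress 56500
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                // Auditing must not mask the original impersonation failure.
                DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }

        throw;
    }

    return impersonationContext;
}

/// <summary>
/// Impersonates the authenticated caller described by <paramref name="securityContext"/>.
/// </summary>
/// <param name="rpc">The call being dispatched; supplies the request message and operation action for error reporting.</param>
/// <param name="securityContext">The caller's security context; must not be null.</param>
/// <returns>
/// The impersonation context for the caller's Windows token, for the anonymous identity when
/// the caller's SID is the well-known anonymous SID, or for a Kerberos identity obtained from
/// the caller's user principal name.
/// </returns>
/// <exception cref="InvalidOperationException">
/// The context is null, or its primary identity is not a <see cref="WindowsSidIdentity"/> when
/// no Windows token is available.
/// </exception>
IDisposable ImpersonateSecurityContextCaller(ref MessageRpc rpc, ServiceSecurityContext securityContext)
{
    if (securityContext == null)
    {
        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), rpc.Request);
    }

    WindowsIdentity impersonationToken = securityContext.WindowsIdentity;
    if (impersonationToken.User != null)
    {
        // A real Windows token is present: impersonate it directly.
        return impersonationToken.Impersonate();
    }

    // No token, only a SID: either the anonymous SID or a principal we log on by UPN.
    WindowsSidIdentity sidIdentity = securityContext.PrimaryIdentity as WindowsSidIdentity;
    if (sidIdentity == null)
    {
        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityContextDoesNotAllowImpersonation, rpc.Operation.Action)), rpc.Request);
    }

    if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
    {
        return new WindowsAnonymousIdentity().Impersonate();
    }

    string fullyQualifiedDomainName = GetUpnFromDownlevelName(sidIdentity.Name);
    using (WindowsIdentity windowsIdentity = new WindowsIdentity(fullyQualifiedDomainName, SecurityUtils.AuthTypeKerberos))
    {
        // The token object is released once the impersonation context exists, as before.
        return windowsIdentity.Impersonate();
    }
}

/// <summary>
/// Disposes a partially established impersonation context so a failing call does not leave
/// the thread impersonating. Non-fatal failures of the revert itself are traced, not
/// propagated, so the caller still sees the original exception.
/// </summary>
/// <param name="impersonationContext">The context to revert; null means nothing was established.</param>
static void RevertImpersonationBestEffort(IDisposable impersonationContext)
{
    if (impersonationContext == null)
    {
        return;
    }

    try
    {
        impersonationContext.Dispose();
    }
    catch (Exception revertException)
    {
        if (Fx.IsFatal(revertException))
        {
            throw;
        }
        DiagnosticUtility.TraceHandledException(revertException, TraceEventType.Error);
    }
}

/// <summary>
/// Identity names to record in impersonation audit events: those of the security context, or
/// the anonymous identity when no context is present.
/// </summary>
/// <param name="securityContext">The caller's security context, or null.</param>
/// <returns>The identity names from the context's authorization context, or the anonymous identity name.</returns>
static string GetAuditIdentityNames(ServiceSecurityContext securityContext)
{
    if (securityContext != null)
    {
        return SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
    }
    return SecurityUtils.AnonymousIdentity.Name;
}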