예제 #1
0
        public bool TryFindUserPriciple(string domainName, string userName, out UserPrincipal userPriciple)
        {
            if (string.IsNullOrEmpty(domainName))
            {
                domainName = Environment.MachineName;
            }
            var contextType =
                domainName.Equals(Environment.MachineName, StringComparison.CurrentCultureIgnoreCase)
                    ? ContextType.Machine
                    : ContextType.Domain;

            try
            {
                var principalContext = new PrincipalContext(contextType, domainName);


                //look up the user in Active Directory or the Local Machine
                if (ActiveDirectoryUserSearch.FindUserPrincipal(userName, principalContext)
                    .FirstOrDefault() is UserPrincipal user)
                {
                    userPriciple = user;
                    return(true);
                }
            }
            catch
            {
                //ignore
            }
            userPriciple = null;
            return(false);
        }
예제 #2
0
        public ValidationResult Validate(string domainName, string userName, string password, string clientId, string remoteHttpAddress)
        {
            var result = new ValidationResult();

            //Log.Information(
            //    $"ValidateCredentials called for user {(!string.IsNullOrEmpty(domainName) ? $"{domainName}\\{userName}" : userName)}");
            if (string.IsNullOrEmpty(domainName))
            {
                domainName = Environment.MachineName;
            }
            var contextType =
                domainName.Equals(Environment.MachineName, StringComparison.CurrentCultureIgnoreCase)
                    ? ContextType.Machine
                    : ContextType.Domain;

            try
            {
                var principalContext = new PrincipalContext(contextType, domainName);

                try
                {
                    //look up the user in Active Directory or the Local Machine
                    if (ActiveDirectoryUserSearch.FindUserPrincipal(userName, principalContext)
                        .FirstOrDefault() is UserPrincipal user)
                    {
                        result.Sub         = user.Sid.Value;
                        result.DisplayName = user.DisplayName;
                        //Use the UserStore to record the process as the user is authenticated
                        var  userId        = _userStore.UpdateUserInfo(user, domainName, contextType.ToString());
                        var  options       = ContextOptions.Negotiate;
                        bool authSucceeded = principalContext.ValidateCredentials(userName, password, options);

                        if (authSucceeded)
                        {
                            //build the Claims Principle to return in the token
                            result.IsValidated = true;
                            _userStore.UserAuthenticated(user, domainName, contextType.ToString(), remoteHttpAddress, clientId);
                            var additionalClaims = _userStore.GetAdditionalClaims(userId);
                            result.Identity = BuildClaimsPrincipal(user, additionalClaims);
                        }
                        else
                        {
                            if (user.IsAccountLockedOut())
                            {
                                result.ErrorMessage = "Account Locked";
                                _userStore.UserAccountLocked(user, domainName, contextType.ToString(), remoteHttpAddress, clientId);
                            }

                            if (user.Enabled == false)
                            {
                                result.ErrorMessage = "Account Disabled";
                                _userStore.UserAccountDisabled(user, domainName, contextType.ToString(), remoteHttpAddress, clientId);
                            }
                            //bad password
                            result.ErrorMessage = "Invalid password";
                            _userStore.UserProvidedInvalidCredentials(user, domainName, contextType.ToString(), remoteHttpAddress, clientId);
                        }
                    }
                    else
                    {
                        //bad username, no user to log this against
                        result.ErrorMessage = "Invalid username";
                        //todo: log attempts with bad user names, currently only in the local log: needs a bit of design
                        //note this will only trigger if AD can't find the user name
                        //either have a single stream for all unknown names or add streams for bad names likely option 1
                    }
                }
                catch (Exception e)
                {
                    result.ErrorMessage = e.Message;
                }
            }
            catch (Exception e)
            {
                //Log.Error($"{e.Message}, stack trace of the exception is:{e.StackTrace}");
                result.ErrorMessage = e.Message;
            }

            return(result);
        }