public HttpTransportSecurity() { this.clientCredentialType = DefaultClientCredentialType; this.proxyCredentialType = DefaultProxyCredentialType; this.realm = DefaultRealm; this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy; }
internal SecurityProtocolFactory(SecurityProtocolFactory factory) : this() { if (factory == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("factory"); } this.actAsInitiator = factory.actAsInitiator; this.addTimestamp = factory.addTimestamp; this.detectReplays = factory.detectReplays; this.incomingAlgorithmSuite = factory.incomingAlgorithmSuite; this.maxCachedNonces = factory.maxCachedNonces; this.maxClockSkew = factory.maxClockSkew; this.outgoingAlgorithmSuite = factory.outgoingAlgorithmSuite; this.replayWindow = factory.replayWindow; this.channelSupportingTokenAuthenticatorSpecification = new Collection <SupportingTokenAuthenticatorSpecification>(new List <SupportingTokenAuthenticatorSpecification>(factory.channelSupportingTokenAuthenticatorSpecification)); this.scopedSupportingTokenAuthenticatorSpecification = new Dictionary <string, ICollection <SupportingTokenAuthenticatorSpecification> >(factory.scopedSupportingTokenAuthenticatorSpecification); this.standardsManager = factory.standardsManager; this.timestampValidityDuration = factory.timestampValidityDuration; this.auditLogLocation = factory.auditLogLocation; this.suppressAuditFailure = factory.suppressAuditFailure; this.serviceAuthorizationAuditLevel = factory.serviceAuthorizationAuditLevel; this.messageAuthenticationAuditLevel = factory.messageAuthenticationAuditLevel; if (factory.securityBindingElement != null) { this.securityBindingElement = (System.ServiceModel.Channels.SecurityBindingElement)factory.securityBindingElement.Clone(); } this.securityTokenManager = factory.securityTokenManager; this.privacyNoticeUri = factory.privacyNoticeUri; this.privacyNoticeVersion = factory.privacyNoticeVersion; this.endpointFilterTable = factory.endpointFilterTable; this.extendedProtectionPolicy = factory.extendedProtectionPolicy; }
protected HttpTransportBindingElement(HttpTransportBindingElement elementToBeCloned) : base(elementToBeCloned) { this.allowCookies = elementToBeCloned.allowCookies; this.authenticationScheme = elementToBeCloned.authenticationScheme; this.bypassProxyOnLocal = elementToBeCloned.bypassProxyOnLocal; this.decompressionEnabled = elementToBeCloned.decompressionEnabled; this.hostNameComparisonMode = elementToBeCloned.hostNameComparisonMode; this.inheritBaseAddressSettings = elementToBeCloned.InheritBaseAddressSettings; this.keepAliveEnabled = elementToBeCloned.keepAliveEnabled; this.maxBufferSize = elementToBeCloned.maxBufferSize; this.maxBufferSizeInitialized = elementToBeCloned.maxBufferSizeInitialized; this.method = elementToBeCloned.method; this.proxyAddress = elementToBeCloned.proxyAddress; this.proxyAuthenticationScheme = elementToBeCloned.proxyAuthenticationScheme; this.realm = elementToBeCloned.realm; this.transferMode = elementToBeCloned.transferMode; this.unsafeConnectionNtlmAuthentication = elementToBeCloned.unsafeConnectionNtlmAuthentication; this.useDefaultWebProxy = elementToBeCloned.useDefaultWebProxy; this.webProxy = elementToBeCloned.webProxy; this.extendedProtectionPolicy = elementToBeCloned.ExtendedProtectionPolicy; if (elementToBeCloned.anonymousUriPrefixMatcher != null) { this.anonymousUriPrefixMatcher = new HttpAnonymousUriPrefixMatcher(elementToBeCloned.anonymousUriPrefixMatcher); } }
internal void ValidateCreateContext( string package, NetworkCredential credential, string servicePrincipalName, ExtendedProtectionPolicy policy, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel) { if (policy != null) { // One of these must be set if EP is turned on if (policy.CustomChannelBinding == null && policy.CustomServiceNames == null) { throw new ArgumentException(SR.net_auth_must_specify_extended_protection_scheme, nameof(policy)); } _extendedProtectionPolicy = policy; } else { _extendedProtectionPolicy = new ExtendedProtectionPolicy(PolicyEnforcement.Never); } ValidateCreateContext(package, true, credential, servicePrincipalName, _extendedProtectionPolicy.CustomChannelBinding, protectionLevel, impersonationLevel); }
public TcpTransportSecurity() { this.clientCredentialType = DefaultClientCredentialType; this.protectionLevel = DefaultProtectionLevel; this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy; this.sslProtocols = TransportDefaults.SslProtocols; }
public void HttpTransportSecurity_DisableTransportAuthentication() { ExtendedProtectionPolicy policy = new ExtendedProtectionPolicy(PolicyEnforcement.Never); HttpTransportSecurity security = new HttpTransportSecurity() { ClientCredentialType = HttpClientCredentialType.Basic, ProxyCredentialType = HttpProxyCredentialType.Basic, Realm = "MyRealm", ExtendedProtectionPolicy = policy }; HttpTransportBindingElement binding = new HttpTransportBindingElement(); // first configure it security.ConfigureTransportAuthentication(binding); Assert.AreEqual(AuthenticationSchemes.Basic, binding.AuthenticationScheme, "AuthenticationScheme failed to init"); Assert.AreEqual(AuthenticationSchemes.Basic, binding.ProxyAuthenticationScheme, "ProxyAuthenticationScheme failed to init"); Assert.AreEqual("MyRealm", binding.Realm, "Realm failed to init"); Assert.AreEqual(policy, binding.ExtendedProtectionPolicy, "ExtendedProtectionPolicy failed to init"); // then disable it security.DisableTransportAuthentication(binding); Assert.AreEqual(AuthenticationSchemes.Anonymous, binding.AuthenticationScheme, "AuthenticationScheme failed to init"); Assert.AreEqual(AuthenticationSchemes.Anonymous, binding.ProxyAuthenticationScheme, "ProxyAuthenticationScheme failed to init"); Assert.AreEqual(string.Empty, binding.Realm, "Realm failed to init"); Assert.AreEqual(policy, binding.ExtendedProtectionPolicy, "ExtendedProtectionPolicy failed to init"); }
//does not validate the ExtendedProtectionPolicy.CustomServiceNames collections on the policies public static bool AreEqual(ExtendedProtectionPolicy policy1, ExtendedProtectionPolicy policy2) { Fx.Assert(policy1 != null, "policy1 param cannot be null"); Fx.Assert(policy2 != null, "policy2 param cannot be null"); if (policy1.PolicyEnforcement == PolicyEnforcement.Never && policy2.PolicyEnforcement == PolicyEnforcement.Never) { return true; } if (policy1.PolicyEnforcement != policy2.PolicyEnforcement) { return false; } if (policy1.ProtectionScenario != policy2.ProtectionScenario) { return false; } if (policy1.CustomChannelBinding != policy2.CustomChannelBinding) { return false; } return true; }
public override object ConvertTo(ITypeDescriptorContext context, CultureInfo culture, object value, Type destinationType) { if (destinationType == typeof(InstanceDescriptor)) { ExtendedProtectionPolicy policy = value as ExtendedProtectionPolicy; if (policy != null) { Type[] typeArray; object[] objArray; if (policy.PolicyEnforcement == PolicyEnforcement.Never) { typeArray = new Type[] { typeof(PolicyEnforcement) }; objArray = new object[] { PolicyEnforcement.Never }; } else { typeArray = new Type[] { typeof(PolicyEnforcement), typeof(ProtectionScenario), typeof(ICollection) }; object[] array = null; if ((policy.CustomServiceNames != null) && (policy.CustomServiceNames.Count > 0)) { array = new object[policy.CustomServiceNames.Count]; ((ICollection)policy.CustomServiceNames).CopyTo(array, 0); } objArray = new object[] { policy.PolicyEnforcement, policy.ProtectionScenario, array }; } return(new InstanceDescriptor(typeof(ExtendedProtectionPolicy).GetConstructor(typeArray), objArray)); } } return(base.ConvertTo(context, culture, value, destinationType)); }
protected TcpTransportBindingElement(TcpTransportBindingElement elementToBeCloned) : base(elementToBeCloned) { this.listenBacklog = elementToBeCloned.listenBacklog; this.portSharingEnabled = elementToBeCloned.portSharingEnabled; this.teredoEnabled = elementToBeCloned.teredoEnabled; this.connectionPoolSettings = elementToBeCloned.connectionPoolSettings.Clone(); this.extendedProtectionPolicy = elementToBeCloned.ExtendedProtectionPolicy; }
public TcpTransportBindingElement() { this.listenBacklog = 10; this.portSharingEnabled = false; this.teredoEnabled = false; this.connectionPoolSettings = new TcpConnectionPoolSettings(); this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy; }
internal HttpListenerContext(HttpListener httpListener, RequestContextBase memoryBlob) { if (Logging.On) Logging.PrintInfo(Logging.HttpListener, this, ".ctor", "httpListener#" + ValidationHelper.HashString(httpListener) + " requestBlob=" + ValidationHelper.HashString((IntPtr) memoryBlob.RequestBlob)); m_Listener = httpListener; m_Request = new HttpListenerRequest(this, memoryBlob); m_AuthenticationSchemes = httpListener.AuthenticationSchemes; m_ExtendedProtectionPolicy = httpListener.ExtendedProtectionPolicy; GlobalLog.Print("HttpListenerContext#" + ValidationHelper.HashString(this) + "::.ctor() HttpListener#" + ValidationHelper.HashString(m_Listener) + " HttpListenerRequest#" + ValidationHelper.HashString(m_Request)); }
internal void ValidateCreateContext(string package, NetworkCredential credential, string servicePrincipalName, ExtendedProtectionPolicy policy, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel) { throw new PlatformNotSupportedException(); }
public ExtendedProtectionPolicyHelper(System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy) { this._channelBinding = channelBinding; this._serviceNameCollection = null; this._checkServiceBinding = true; if (extendedProtectionPolicy != null) { this._policyEnforcement = extendedProtectionPolicy.PolicyEnforcement; this._protectionScenario = extendedProtectionPolicy.ProtectionScenario; this._serviceNameCollection = extendedProtectionPolicy.CustomServiceNames; } if (this._policyEnforcement == System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Never) { this._checkServiceBinding = false; } }
public static bool AreEqual(ExtendedProtectionPolicy policy1, ExtendedProtectionPolicy policy2) { if ((policy1.PolicyEnforcement != PolicyEnforcement.Never) || (policy2.PolicyEnforcement != PolicyEnforcement.Never)) { if (policy1.PolicyEnforcement != policy2.PolicyEnforcement) { return false; } if (policy1.ProtectionScenario != policy2.ProtectionScenario) { return false; } if (policy1.CustomChannelBinding != policy2.CustomChannelBinding) { return false; } } return true; }
public HttpTransportBindingElement() { this.allowCookies = false; this.authenticationScheme = AuthenticationSchemes.Anonymous; this.bypassProxyOnLocal = false; this.decompressionEnabled = true; this.hostNameComparisonMode = System.ServiceModel.HostNameComparisonMode.StrongWildcard; this.keepAliveEnabled = true; this.maxBufferSize = 0x10000; this.method = string.Empty; this.proxyAuthenticationScheme = AuthenticationSchemes.Anonymous; this.proxyAddress = null; this.realm = ""; this.transferMode = System.ServiceModel.TransferMode.Buffered; this.unsafeConnectionNtlmAuthentication = false; this.useDefaultWebProxy = true; this.webProxy = null; this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy; }
public static void InitializeFrom(ExtendedProtectionPolicy source, ExtendedProtectionPolicyElement destination) { if (!IsDefaultPolicy(source)) { destination.PolicyEnforcement = source.PolicyEnforcement; destination.ProtectionScenario = source.ProtectionScenario; destination.CustomServiceNames.Clear(); if (source.CustomServiceNames != null) { foreach (string name in source.CustomServiceNames) { ServiceNameElement entry = new ServiceNameElement(); entry.Name = name; destination.CustomServiceNames.Add(entry); } } } }
public HttpChannelListener(HttpTransportBindingElement bindingElement, BindingContext context) : base(bindingElement, context, HttpTransportDefaults.GetDefaultMessageEncoderFactory(), bindingElement.HostNameComparisonMode) { if (bindingElement.TransferMode == System.ServiceModel.TransferMode.Buffered) { if (bindingElement.MaxReceivedMessageSize > 0x7fffffffL) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("bindingElement.MaxReceivedMessageSize", System.ServiceModel.SR.GetString("MaxReceivedMessageSizeMustBeInIntegerRange"))); } if (bindingElement.MaxBufferSize != bindingElement.MaxReceivedMessageSize) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("bindingElement", System.ServiceModel.SR.GetString("MaxBufferSizeMustMatchMaxReceivedMessageSize")); } } else if (bindingElement.MaxBufferSize > bindingElement.MaxReceivedMessageSize) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("bindingElement", System.ServiceModel.SR.GetString("MaxBufferSizeMustNotExceedMaxReceivedMessageSize")); } if ((bindingElement.AuthenticationScheme == AuthenticationSchemes.Basic) && (bindingElement.ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.Always)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("ExtendedProtectionPolicyBasicAuthNotSupported"))); } this.authenticationScheme = bindingElement.AuthenticationScheme; this.keepAliveEnabled = bindingElement.KeepAliveEnabled; base.InheritBaseAddressSettings = bindingElement.InheritBaseAddressSettings; this.maxBufferSize = bindingElement.MaxBufferSize; this.method = bindingElement.Method; this.realm = bindingElement.Realm; this.transferMode = bindingElement.TransferMode; this.unsafeConnectionNtlmAuthentication = bindingElement.UnsafeConnectionNtlmAuthentication; this.credentialProvider = context.BindingParameters.Find <SecurityCredentialsManager>(); this.acceptor = new TransportReplyChannelAcceptor(this); this.securityCapabilities = bindingElement.GetProperty <ISecurityCapabilities>(context); this.extendedProtectionPolicy = GetPolicyWithDefaultSpnCollection(bindingElement.ExtendedProtectionPolicy, this.authenticationScheme, base.HostNameComparisonModeInternal, base.Uri, out this.usingDefaultSpnList); if (bindingElement.AnonymousUriPrefixMatcher != null) { this.anonymousUriPrefixMatcher = new HttpAnonymousUriPrefixMatcher(bindingElement.AnonymousUriPrefixMatcher); } }
public HttpListener() { if (Logging.On) { Logging.Enter(Logging.HttpListener, this, "HttpListener", ""); } if (!UnsafeNclNativeMethods.HttpApi.Supported) { throw new PlatformNotSupportedException(); } this.m_State = 0; this.m_InternalLock = new object(); this.m_DefaultServiceNames = new ServiceNameStore(); if (Version == UnsafeNclNativeMethods.HttpApi.HTTP_API_VERSION.Version20) { this.m_TimeoutManager = new HttpListenerTimeoutManager(this); } this.m_ExtendedProtectionPolicy = new System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy(PolicyEnforcement.Never); if (Logging.On) { Logging.Exit(Logging.HttpListener, this, "HttpListener", ""); } }
public override object ConvertTo(ITypeDescriptorContext context, CultureInfo culture, object value, Type destinationType) { if (destinationType == typeof(InstanceDescriptor)) { ExtendedProtectionPolicy policy = value as ExtendedProtectionPolicy; if (policy != null) { Type[] parameterTypes; object[] parameterValues; if (policy.PolicyEnforcement == PolicyEnforcement.Never) { parameterTypes = new Type[] { typeof(PolicyEnforcement) }; parameterValues = new object[] { PolicyEnforcement.Never }; } else { parameterTypes = new Type[] { typeof(PolicyEnforcement), typeof(ProtectionScenario), typeof(ICollection) }; object[] customServiceNames = null; if (policy.CustomServiceNames?.Count > 0) { customServiceNames = new object[policy.CustomServiceNames.Count]; ((ICollection)policy.CustomServiceNames).CopyTo(customServiceNames, 0); } parameterValues = new object[] { policy.PolicyEnforcement, policy.ProtectionScenario, customServiceNames }; } ConstructorInfo constructor = typeof(ExtendedProtectionPolicy).GetConstructor(parameterTypes); return(new InstanceDescriptor(constructor, parameterValues)); } } return(base.ConvertTo(context, culture, value, destinationType)); }
private static void FillExtendedProtectionPolicy(IWmiInstance instance, ExtendedProtectionPolicy policy) { IWmiInstance instance2 = instance.NewInstance("ExtendedProtectionPolicy"); instance2.SetProperty("PolicyEnforcement", policy.PolicyEnforcement.ToString()); instance2.SetProperty("ProtectionScenario", policy.ProtectionScenario.ToString()); if (policy.CustomServiceNames != null) { List<string> list = new List<string>(policy.CustomServiceNames.Count); foreach (string str in policy.CustomServiceNames) { list.Add(str); } instance2.SetProperty("CustomServiceNames", list.ToArray()); } if (policy.CustomChannelBinding != null) { instance2.SetProperty("CustomChannelBinding", policy.CustomChannelBinding.GetType().ToString()); } instance.SetProperty("ExtendedProtectionPolicy", instance2); }
public byte[] GetOutgoingBlob(byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy) { ThrowIfDisposed(); int statusCode = 0; // use the confidentiality option to ensure we can encrypt messages SspiContextFlags requestedFlags = SspiContextFlags.Confidentiality | SspiContextFlags.ReplayDetect | SspiContextFlags.SequenceDetect; if (this.doMutualAuth) { requestedFlags |= SspiContextFlags.MutualAuth; } if (this.impersonationLevel == TokenImpersonationLevel.Delegation) { requestedFlags |= SspiContextFlags.Delegate; } else if (this.isServer == false && this.impersonationLevel == TokenImpersonationLevel.Identification) { requestedFlags |= SspiContextFlags.InitIdentify; } else if (this.isServer == false && this.impersonationLevel == TokenImpersonationLevel.Anonymous) { requestedFlags |= SspiContextFlags.InitAnonymous; } ExtendedProtectionPolicyHelper policyHelper = new ExtendedProtectionPolicyHelper(channelbinding, protectionPolicy); if (isServer) { if (policyHelper.PolicyEnforcement == PolicyEnforcement.Always && policyHelper.ChannelBinding == null && policyHelper.ProtectionScenario != ProtectionScenario.TrustedProxy) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SecurityChannelBindingMissing))); } if (policyHelper.PolicyEnforcement == PolicyEnforcement.WhenSupported) { requestedFlags |= SspiContextFlags.ChannelBindingAllowMissingBindings; } if (policyHelper.ProtectionScenario == ProtectionScenario.TrustedProxy) { requestedFlags |= SspiContextFlags.ChannelBindingProxyBindings; } } List<SecurityBuffer> list = new List<SecurityBuffer>(2); if (incomingBlob != null) { list.Add(new SecurityBuffer(incomingBlob, BufferType.Token)); } // when deciding if the channel binding should be added to the security buffer // it is necessary to differentiate between client and server. // Server rules were added to policyHelper as they are shared with Kerb and I want them consistent // Client adds if not null. if (this.isServer) { if (policyHelper.ShouldAddChannelBindingToASC()) { list.Add(new SecurityBuffer(policyHelper.ChannelBinding)); } } else { if (policyHelper.ChannelBinding != null) { list.Add(new SecurityBuffer(policyHelper.ChannelBinding)); } } SecurityBuffer[] inSecurityBuffer = null; if (list.Count > 0) { inSecurityBuffer = list.ToArray(); } SecurityBuffer outSecurityBuffer = new SecurityBuffer(this.tokenSize, BufferType.Token); if (!this.isServer) { //client session statusCode = SspiWrapper.InitializeSecurityContext(this.credentialsHandle, ref this.securityContext, this.servicePrincipalName, requestedFlags, Endianness.Network, inSecurityBuffer, outSecurityBuffer, ref this.contextFlags); } else { // server session //This check is to save an unnecessary ASC call. bool isServerSecurityContextNull = this.securityContext == null; SspiContextFlags serverContextFlags = this.contextFlags; statusCode = SspiWrapper.AcceptSecurityContext(this.credentialsHandle, ref this.securityContext, requestedFlags, Endianness.Network, inSecurityBuffer, outSecurityBuffer, ref this.contextFlags); if (statusCode == (int)SecurityStatus.InvalidToken && !isServerSecurityContextNull) { // Call again into ASC after deleting the Securitycontext. If this securitycontext is not deleted // then when the client sends NTLM blob the service will treat it as Nego2blob and will fail to authenticate the client. this.contextFlags = serverContextFlags; CloseContext(); statusCode = SspiWrapper.AcceptSecurityContext(this.credentialsHandle, ref this.securityContext, requestedFlags, Endianness.Network, inSecurityBuffer, outSecurityBuffer, ref this.contextFlags); } } if (DiagnosticUtility.ShouldTraceInformation) { IMD.SecurityTraceRecordHelper.TraceChannelBindingInformation(policyHelper, this.isServer, channelbinding); } if ((statusCode & unchecked((int)0x80000000)) != 0) { if (!this.isServer && this.interactiveNegoLogonEnabled && SecurityUtils.IsOSGreaterThanOrEqualToWin7() && SspiWrapper.IsSspiPromptingNeeded((uint)statusCode) && SspiWrapper.IsNegotiateExPackagePresent()) { // If we have prompted enough number of times (DefaultMaxPromptAttempts) with wrong credentials, then we do not prompt again and throw. if (MaxPromptAttempts >= DefaultMaxPromptAttempts) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode, SR.GetString(SR.InvalidClientCredentials))); } IntPtr ppAuthIdentity = IntPtr.Zero; uint errorCode = SspiWrapper.SspiPromptForCredential(this.servicePrincipalName, this.clientPackageName, out ppAuthIdentity, ref this.saveClientCredentialsOnSspiUi); if (errorCode == (uint)CredentialStatus.Success) { IntPtr ppNewAuthIdentity = IntPtr.Zero; if (!this.allowNtlm) { // When Ntlm is explicitly disabled we don't want the collected //creds from the Kerb/NTLM tile to be used for NTLM auth. uint status = UnsafeNativeMethods.SspiExcludePackage(ppAuthIdentity, "NTLM", out ppNewAuthIdentity); } else { ppNewAuthIdentity = ppAuthIdentity; } this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle(this.clientPackageName, CredentialUse.Outbound, ref ppNewAuthIdentity); if (IntPtr.Zero != ppNewAuthIdentity) { UnsafeNativeMethods.SspiFreeAuthIdentity(ppNewAuthIdentity); } CloseContext(); MaxPromptAttempts++; return this.GetOutgoingBlob(null, channelbinding, protectionPolicy); } else { // Call into SspiPromptForCredential had an error. Time to throw. if (IntPtr.Zero != ppAuthIdentity) { UnsafeNativeMethods.SspiFreeAuthIdentity(ppAuthIdentity); } CloseContext(); this.isCompleted = true; throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception((int)errorCode, SR.GetString(SR.SspiErrorOrInvalidClientCredentials))); } } CloseContext(); this.isCompleted = true; if (!this.isServer && (statusCode == (int)SecurityStatus.TargetUnknown || statusCode == (int)SecurityStatus.WrongPrincipal)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode, SR.GetString(SR.IncorrectSpnOrUpnSpecified, this.servicePrincipalName))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode, SR.GetString(SR.InvalidSspiNegotiation))); } } if (DiagnosticUtility.ShouldTraceInformation) { if (this.isServer) { SecurityTraceRecordHelper.TraceServiceOutgoingSpnego(this); } else { SecurityTraceRecordHelper.TraceClientOutgoingSpnego(this); } } if (statusCode == (int)SecurityStatus.OK) { // we're done this.isCompleted = true; // These must all be true to check service binding // 1. we are the service (listener) // 2. caller is not anonymous // 3. protocol is not Kerberos // 4. policy is set to check service binding // if (isServer && ((this.contextFlags & SspiContextFlags.AcceptAnonymous) == 0) && (string.Compare(this.ProtocolName, NegotiationInfoClass.Kerberos, StringComparison.OrdinalIgnoreCase) != 0) && policyHelper.ShouldCheckServiceBinding) { // in the server case the servicePrincipalName is the defaultServiceBinding if (DiagnosticUtility.ShouldTraceInformation) { string serviceBindingNameSentByClient; SspiWrapper.QuerySpecifiedTarget(securityContext, out serviceBindingNameSentByClient); IMD.SecurityTraceRecordHelper.TraceServiceNameBindingOnServer( serviceBindingNameSentByClient, this.servicePrincipalName, policyHelper.ServiceNameCollection); } policyHelper.CheckServiceBinding(this.securityContext, this.servicePrincipalName); } } else { // we need to continue } return outSecurityBuffer.token; }
public virtual Task AuthenticateAsServerAsync(NetworkCredential credential, ExtendedProtectionPolicy policy, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel requiredImpersonationLevel) { throw new PlatformNotSupportedException(); }
public virtual Task AuthenticateAsServerAsync(ExtendedProtectionPolicy policy) { throw new PlatformNotSupportedException(); }
private static System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy GetPolicyWithDefaultSpnCollection(System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy policy, AuthenticationSchemes authenticationScheme, System.ServiceModel.HostNameComparisonMode hostNameComparisonMode, Uri listenUri, out bool usingDefaultSpnList) { if ((((policy.PolicyEnforcement != PolicyEnforcement.Never) && (policy.CustomServiceNames == null)) && ((policy.CustomChannelBinding == null) && (authenticationScheme != AuthenticationSchemes.Anonymous))) && string.Equals(listenUri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase)) { usingDefaultSpnList = true; return(new System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy(policy.PolicyEnforcement, policy.ProtectionScenario, GetDefaultSpnList(hostNameComparisonMode, listenUri))); } usingDefaultSpnList = false; return(policy); }
private IAsyncResult BeginAuthenticateAsServer( NetworkCredential credential, ExtendedProtectionPolicy policy, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel requiredImpersonationLevel, AsyncCallback asyncCallback, object asyncState) { #if DEBUG using (GlobalLog.SetThreadKind(ThreadKinds.User | ThreadKinds.Async)) { #endif _negoState.ValidateCreateContext(_package, credential, string.Empty, policy, requiredProtectionLevel, requiredImpersonationLevel); LazyAsyncResult result = new LazyAsyncResult(_negoState, asyncState, asyncCallback); _negoState.ProcessAuthentication(result); return result; #if DEBUG } #endif }
private ArrayList BuildChallenge(AuthenticationSchemes authenticationScheme, ulong connectionId, out NTAuthentication newContext, ExtendedProtectionPolicy policy, bool isSecureConnection) { if (NetEventSource.IsEnabled) NetEventSource.Info(this, "AuthenticationScheme:" + authenticationScheme.ToString()); ArrayList challenges = null; newContext = null; if ((authenticationScheme & AuthenticationSchemes.Negotiate) != 0) { AddChallenge(ref challenges, AuthConstants.Negotiate); } if ((authenticationScheme & AuthenticationSchemes.Ntlm) != 0) { AddChallenge(ref challenges, AuthConstants.NTLM); } if ((authenticationScheme & AuthenticationSchemes.Digest) != 0) { if (NetEventSource.IsEnabled) NetEventSource.Info(this, "WDigest"); throw new NotImplementedException(); } if ((authenticationScheme & AuthenticationSchemes.Basic) != 0) { AddChallenge(ref challenges, "Basic realm =\"" + Realm + "\""); } return challenges; }
internal HttpListenerContext HandleAuthentication(RequestContextBase memoryBlob, out bool stoleBlob) { if (NetEventSource.IsEnabled) NetEventSource.Info(this, "HandleAuthentication() memoryBlob:0x" + ((IntPtr)memoryBlob.RequestBlob).ToString("x")); string challenge = null; stoleBlob = false; // Some things we need right away. Lift them out now while it's convenient. string verb = Interop.HttpApi.GetVerb(memoryBlob.RequestBlob); string authorizationHeader = Interop.HttpApi.GetKnownHeader(memoryBlob.RequestBlob, (int)HttpRequestHeader.Authorization); ulong connectionId = memoryBlob.RequestBlob->ConnectionId; ulong requestId = memoryBlob.RequestBlob->RequestId; bool isSecureConnection = memoryBlob.RequestBlob->pSslInfo != null; if (NetEventSource.IsEnabled) NetEventSource.Info(this, $"HandleAuthentication() authorizationHeader: ({authorizationHeader})"); // if the app has turned on AuthPersistence, an anonymous request might // be authenticated by virtue of it coming on a connection that was // previously authenticated. // assurance that we do this only for NTLM/Negotiate is not here, but in the // code that caches WindowsIdentity instances in the Dictionary. DisconnectAsyncResult disconnectResult; DisconnectResults.TryGetValue(connectionId, out disconnectResult); if (UnsafeConnectionNtlmAuthentication) { if (authorizationHeader == null) { WindowsPrincipal principal = disconnectResult?.AuthenticatedConnection; if (principal != null) { if (NetEventSource.IsEnabled) NetEventSource.Info(this, $"Principal: {principal} principal.Identity.Name: {principal.Identity.Name} creating request"); stoleBlob = true; HttpListenerContext ntlmContext = new HttpListenerContext(this, memoryBlob); ntlmContext.SetIdentity(principal, null); ntlmContext.Request.ReleasePins(); return ntlmContext; } } else { // They sent an authorization - destroy their previous credentials. if (NetEventSource.IsEnabled) NetEventSource.Info(this, "Clearing principal cache"); if (disconnectResult != null) { disconnectResult.AuthenticatedConnection = null; } } } // Figure out what schemes we're allowing, what context we have. stoleBlob = true; HttpListenerContext httpContext = null; NTAuthentication oldContext = null; NTAuthentication newContext = null; NTAuthentication context = null; AuthenticationSchemes headerScheme = AuthenticationSchemes.None; AuthenticationSchemes authenticationScheme = AuthenticationSchemes; ExtendedProtectionPolicy extendedProtectionPolicy = _extendedProtectionPolicy; try { // Take over handling disconnects for now. if (disconnectResult != null && !disconnectResult.StartOwningDisconnectHandling()) { // Just disconnected just then. Pretend we didn't see the disconnectResult. disconnectResult = null; } // Pick out the old context now. By default, it'll be removed in the finally, unless context is set somewhere. if (disconnectResult != null) { oldContext = disconnectResult.Session; } httpContext = new HttpListenerContext(this, memoryBlob); AuthenticationSchemeSelector authenticationSelector = _authenticationDelegate; if (authenticationSelector != null) { try { httpContext.Request.ReleasePins(); authenticationScheme = authenticationSelector(httpContext.Request); // Cache the results of authenticationSelector (if any) httpContext.AuthenticationSchemes = authenticationScheme; if (NetEventSource.IsEnabled) NetEventSource.Info(this, $"AuthenticationScheme: {authenticationScheme}"); } catch (Exception exception) when (!ExceptionCheck.IsFatal(exception)) { if (NetEventSource.IsEnabled) { NetEventSource.Error(this, SR.Format(SR.net_log_listener_delegate_exception, exception)); NetEventSource.Info(this, $"authenticationScheme: {authenticationScheme}"); } SendError(requestId, HttpStatusCode.InternalServerError, null); httpContext.Close(); return null; } } else { // We didn't give the request to the user yet, so we haven't lost control of the unmanaged blob and can // continue to reuse the buffer. stoleBlob = false; } ExtendedProtectionSelector extendedProtectionSelector = _extendedProtectionSelectorDelegate; if (extendedProtectionSelector != null) { extendedProtectionPolicy = extendedProtectionSelector(httpContext.Request); if (extendedProtectionPolicy == null) { extendedProtectionPolicy = new ExtendedProtectionPolicy(PolicyEnforcement.Never); } // Cache the results of extendedProtectionSelector (if any) httpContext.ExtendedProtectionPolicy = extendedProtectionPolicy; } // Then figure out what scheme they're trying (if any are allowed) int index = -1; if (authorizationHeader != null && (authenticationScheme & ~AuthenticationSchemes.Anonymous) != AuthenticationSchemes.None) { // Find the end of the scheme name. Trust that HTTP.SYS parsed out just our header ok. for (index = 0; index < authorizationHeader.Length; index++) { if (authorizationHeader[index] == ' ' || authorizationHeader[index] == '\t' || authorizationHeader[index] == '\r' || authorizationHeader[index] == '\n') { break; } } // Currently only allow one Authorization scheme/header per request. if (index < authorizationHeader.Length) { if ((authenticationScheme & AuthenticationSchemes.Negotiate) != AuthenticationSchemes.None && string.Compare(authorizationHeader, 0, AuthConstants.Negotiate, 0, index, StringComparison.OrdinalIgnoreCase) == 0) { headerScheme = AuthenticationSchemes.Negotiate; } else if ((authenticationScheme & AuthenticationSchemes.Ntlm) != AuthenticationSchemes.None && string.Compare(authorizationHeader, 0, AuthConstants.NTLM, 0, index, StringComparison.OrdinalIgnoreCase) == 0) { headerScheme = AuthenticationSchemes.Ntlm; } else if ((authenticationScheme & AuthenticationSchemes.Digest) != AuthenticationSchemes.None && string.Compare(authorizationHeader, 0, AuthConstants.Digest, 0, index, StringComparison.OrdinalIgnoreCase) == 0) { headerScheme = AuthenticationSchemes.Digest; } else if ((authenticationScheme & AuthenticationSchemes.Basic) != AuthenticationSchemes.None && string.Compare(authorizationHeader, 0, AuthConstants.Basic, 0, index, StringComparison.OrdinalIgnoreCase) == 0) { headerScheme = AuthenticationSchemes.Basic; } else { if (NetEventSource.IsEnabled) NetEventSource.Error(this, SR.Format(SR.net_log_listener_unsupported_authentication_scheme, authorizationHeader, authenticationScheme)); } } } // httpError holds the error we will return if an Authorization header is present but can't be authenticated HttpStatusCode httpError = HttpStatusCode.InternalServerError; // See if we found an acceptable auth header if (headerScheme == AuthenticationSchemes.None) { if (NetEventSource.IsEnabled) NetEventSource.Error(this, SR.Format(SR.net_log_listener_unmatched_authentication_scheme, authenticationScheme.ToString(), (authorizationHeader == null ? "<null>" : authorizationHeader))); // If anonymous is allowed, just return the context. Otherwise go for the 401. if ((authenticationScheme & AuthenticationSchemes.Anonymous) != AuthenticationSchemes.None) { if (!stoleBlob) { stoleBlob = true; httpContext.Request.ReleasePins(); } return httpContext; } httpError = HttpStatusCode.Unauthorized; httpContext.Request.DetachBlob(memoryBlob); httpContext.Close(); httpContext = null; } else { throw new NotImplementedException(); } // if we're not giving a request to the application, we need to send an error ArrayList challenges = null; if (httpContext == null) { // If we already have a challenge, just use it. Otherwise put a challenge for each acceptable scheme. if (challenge != null) { AddChallenge(ref challenges, challenge); } else { // We're starting over. Any context SSPI might have wanted us to keep is useless. if (newContext != null) { if (newContext == context) { context = null; } if (newContext != oldContext) { NTAuthentication toClose = newContext; newContext = null; toClose.CloseContext(); } else { newContext = null; } } // If we're sending something besides 401, do it here. if (httpError != HttpStatusCode.Unauthorized) { if (NetEventSource.IsEnabled) NetEventSource.Info(this, "ConnectionId:" + connectionId + " because of error:" + httpError.ToString()); SendError(requestId, httpError, null); return null; } challenges = BuildChallenge(authenticationScheme, connectionId, out newContext, extendedProtectionPolicy, isSecureConnection); } } // Check if we need to call WaitForDisconnect, because if we do and it fails, we want to send a 500 instead. if (disconnectResult == null && newContext != null) { RegisterForDisconnectNotification(connectionId, ref disconnectResult); // Failed - send 500. if (disconnectResult == null) { if (newContext != null) { if (newContext == context) { context = null; } if (newContext != oldContext) { NTAuthentication toClose = newContext; newContext = null; toClose.CloseContext(); } else { newContext = null; } } if (NetEventSource.IsEnabled) NetEventSource.Info(this, "connectionId:" + connectionId + " because of failed HttpWaitForDisconnect"); SendError(requestId, HttpStatusCode.InternalServerError, null); httpContext.Request.DetachBlob(memoryBlob); httpContext.Close(); return null; } } // Update Session if necessary. if (oldContext != newContext) { if (oldContext == context) { // Prevent the finally from closing this twice. context = null; } NTAuthentication toClose = oldContext; oldContext = newContext; disconnectResult.Session = newContext; if (toClose != null) { // Save digest context in digest cache, we may need it later because of // subsequest responses to the same req on the same/diff connection if ((authenticationScheme & AuthenticationSchemes.Digest) != 0) { SaveDigestContext(toClose); } else { toClose.CloseContext(); } } } // Send the 401 here. if (httpContext == null) { SendError(requestId, challenges != null && challenges.Count > 0 ? HttpStatusCode.Unauthorized : HttpStatusCode.Forbidden, challenges); if (NetEventSource.IsEnabled) NetEventSource.Info(this, "Scheme:" + authenticationScheme); return null; } if (!stoleBlob) { stoleBlob = true; httpContext.Request.ReleasePins(); } return httpContext; } catch { if (httpContext != null) { httpContext.Request.DetachBlob(memoryBlob); httpContext.Close(); } if (newContext != null) { if (newContext == context) { // Prevent the finally from closing this twice. context = null; } if (newContext != oldContext) { NTAuthentication toClose = newContext; newContext = null; toClose.CloseContext(); } else { newContext = null; } } throw; } finally { try { // Clean up the previous context if necessary. if (oldContext != null && oldContext != newContext) { // Clear out Session if it wasn't already. if (newContext == null && disconnectResult != null) { disconnectResult.Session = null; } // Save digest context in digest cache, we may need it later because of // subsequest responses to the same req on the same/diff connection if ((authenticationScheme & AuthenticationSchemes.Digest) != 0) { SaveDigestContext(oldContext); } else { oldContext.CloseContext(); } } // Delete any context created but not stored. if (context != null && oldContext != context && newContext != context) { context.CloseContext(); } } finally { // Check if the connection got deleted while in this method, and clear out the hashtables if it did. // In a nested finally because if this doesn't happen, we leak. if (disconnectResult != null) { disconnectResult.FinishOwningDisconnectHandling(); } } } }
public static bool IsDefaultPolicy(ExtendedProtectionPolicy policy) { return Object.ReferenceEquals(policy, defaultPolicy); }
public virtual Task AuthenticateAsServerAsync( NetworkCredential credential, ExtendedProtectionPolicy policy, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel requiredImpersonationLevel) { return Task.Factory.FromAsync((callback, state) => BeginAuthenticateAsServer(credential, policy, requiredProtectionLevel, requiredImpersonationLevel, callback, state), EndAuthenticateAsClient, null); }
internal override void WriteTo(XmlWriter xml) { if (xml == null) return; if (this.policyHelper != null) { xml.WriteElementString("PolicyEnforcement", this.policyHelper.PolicyEnforcement.ToString()); xml.WriteElementString("ProtectionScenario", this.policyHelper.ProtectionScenario.ToString()); xml.WriteStartElement("ServiceNameCollection"); if (this.policyHelper.ServiceNameCollection != null && this.policyHelper.ServiceNameCollection.Count > 0) { foreach (string serviceName in this.policyHelper.ServiceNameCollection) { xml.WriteElementString("ServiceName", serviceName); } } xml.WriteFullEndElement(); if (this.isServer) { this.channelBindingUsed = this.policyHelper.ShouldAddChannelBindingToASC(); } else { this.channelBindingUsed = this.policyHelper.ChannelBinding != null; } xml.WriteElementString("ChannelBindingUsed", this.channelBindingUsed.ToString()); if (this.channelBinding != null && this.policyHelper.PolicyEnforcement != PolicyEnforcement.Never && this.channelBindingUsed == true) { ExtendedProtectionPolicy extendedProtection = new ExtendedProtectionPolicy(policyHelper.PolicyEnforcement, channelBinding); xml.WriteElementString("ChannelBindingData", GetBase64EncodedChannelBindingData(extendedProtection)); } } else { // This is the case for KerberosRequestorSecurityToken where policyHelper is null. if (this.channelBinding != null) { xml.WriteElementString("ChannelBindingUsed", "true"); // We do not know the PolicyEnforcement value here on the client side and we can not pass Never //as ExtendedProtectionPolicy constructor would throw on PolicyEnforcement.Never ExtendedProtectionPolicy extendedProtection = new ExtendedProtectionPolicy(PolicyEnforcement.WhenSupported, channelBinding); xml.WriteElementString("ChannelBindingData", GetBase64EncodedChannelBindingData(extendedProtection)); } else { xml.WriteElementString("ChannelBindingUsed", "false"); xml.WriteElementString("ChannelBindingData", null); } } }
public HttpListener() { if (NetEventSource.IsEnabled) NetEventSource.Enter(this); _state = State.Stopped; _internalLock = new object(); _defaultServiceNames = new ServiceNameStore(); _timeoutManager = new HttpListenerTimeoutManager(this); // default: no CBT checks on any platform (appcompat reasons); applies also to PolicyEnforcement // config element _extendedProtectionPolicy = new ExtendedProtectionPolicy(PolicyEnforcement.Never); if (NetEventSource.IsEnabled) NetEventSource.Exit(this); }
internal string GetBase64EncodedChannelBindingData(ExtendedProtectionPolicy extendedProtectionPolicy) { MemoryStream ms = new MemoryStream(); BinaryFormatter formatter = new BinaryFormatter(); formatter.Serialize(ms, extendedProtectionPolicy); byte[] channelBindingData = ms.GetBuffer(); return Convert.ToBase64String(channelBindingData, Base64FormattingOptions.None); }
public virtual void ValidateHttpSettings(string virtualPath, bool isMetadataListener, bool usingDefaultSpnList, ref AuthenticationSchemes supportedSchemes, ref ExtendedProtectionPolicy extendedProtectionPolicy, ref string realm) { }
private IAsyncResult BeginAuthenticateAsServer(ExtendedProtectionPolicy policy, AsyncCallback asyncCallback, object asyncState) { return BeginAuthenticateAsServer((NetworkCredential)CredentialCache.DefaultCredentials, policy, ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification, asyncCallback, asyncState); }
public override void ValidateHttpSettings(string virtualPath, bool isMetadataListener, bool usingDefaultSpnList, ref AuthenticationSchemes bindingElementAuthenticationSchemes, ref ExtendedProtectionPolicy extendedProtectionPolicy, ref string realm) { // Verify the authentication settings AuthenticationSchemes hostSupportedSchemes = HostedTransportConfigurationManager.MetabaseSettings.GetAuthenticationSchemes(virtualPath); if ((bindingElementAuthenticationSchemes & hostSupportedSchemes) == 0) { if (bindingElementAuthenticationSchemes == AuthenticationSchemes.Negotiate || bindingElementAuthenticationSchemes == AuthenticationSchemes.Ntlm || bindingElementAuthenticationSchemes == AuthenticationSchemes.IntegratedWindowsAuthentication) { throw FxTrace.Exception.AsError(new NotSupportedException(SR.Hosting_AuthSchemesRequireWindowsAuth)); } else { throw FxTrace.Exception.AsError(new NotSupportedException(SR.Hosting_AuthSchemesRequireOtherAuth(bindingElementAuthenticationSchemes.ToString()))); } } //only use AuthenticationSchemes, which are supported both in IIS and the WCF binding bindingElementAuthenticationSchemes &= hostSupportedSchemes; if (bindingElementAuthenticationSchemes != AuthenticationSchemes.Anonymous) { //Compare the ExtendedProtectionPolicy setttings to IIS ExtendedProtectionPolicy iisPolicy = HostedTransportConfigurationManager.MetabaseSettings.GetExtendedProtectionPolicy(virtualPath); if (iisPolicy == null) //OS doesn't support CBT { if (extendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.Always) { throw FxTrace.Exception.AsError(new NotSupportedException(SR.ExtendedProtectionNotSupported)); } } else { if (isMetadataListener && ChannelBindingUtility.IsDefaultPolicy(extendedProtectionPolicy)) { //push the IIS policy onto the metadataListener if and only if the default policy is //in force. policy for non metadata listeners will still have to match IIS policy. extendedProtectionPolicy = iisPolicy; } else { if (!ChannelBindingUtility.AreEqual(iisPolicy, extendedProtectionPolicy)) { string mismatchErrorMessage; if (iisPolicy.PolicyEnforcement != extendedProtectionPolicy.PolicyEnforcement) { mismatchErrorMessage = SR.ExtendedProtectionPolicyEnforcementMismatch(iisPolicy.PolicyEnforcement, extendedProtectionPolicy.PolicyEnforcement); } else if (iisPolicy.ProtectionScenario != extendedProtectionPolicy.ProtectionScenario) { mismatchErrorMessage = SR.ExtendedProtectionPolicyScenarioMismatch(iisPolicy.ProtectionScenario, extendedProtectionPolicy.ProtectionScenario); } else { Fx.Assert(iisPolicy.CustomChannelBinding != extendedProtectionPolicy.CustomChannelBinding, "new case in ChannelBindingUtility.AreEqual to account for"); mismatchErrorMessage = SR.ExtendedProtectionPolicyCustomChannelBindingMismatch; } if (mismatchErrorMessage != null) { throw FxTrace.Exception.AsError(new NotSupportedException(SR.Hosting_ExtendedProtectionPoliciesMustMatch(mismatchErrorMessage))); } } //when using the default SPN list we auto generate, we should make sure that the IIS policy is also the default... ServiceNameCollection listenerSpnList = usingDefaultSpnList ? null : extendedProtectionPolicy.CustomServiceNames; if (!ChannelBindingUtility.IsSubset(iisPolicy.CustomServiceNames, listenerSpnList)) { throw FxTrace.Exception.AsError(new NotSupportedException(SR.Hosting_ExtendedProtectionPoliciesMustMatch(SR.Hosting_ExtendedProtectionSPNListNotSubset))); } } } } // Do not set realm for Cassini. if (!ServiceHostingEnvironment.IsSimpleApplicationHost) { // Set the realm realm = HostedTransportConfigurationManager.MetabaseSettings.GetRealm(virtualPath); } }
public virtual Task AuthenticateAsServerAsync(ExtendedProtectionPolicy policy) { return Task.Factory.FromAsync(BeginAuthenticateAsServer, EndAuthenticateAsServer, policy, null); }
public virtual void AuthenticateAsServer(ExtendedProtectionPolicy policy) { AuthenticateAsServer((NetworkCredential)CredentialCache.DefaultCredentials, policy, ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification); }
public byte[] GetOutgoingBlob(byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy) { ThrowIfDisposed(); SecurityBuffer incomingSecurity = null; if (incomingBlob != null) { incomingSecurity = new SecurityBuffer(incomingBlob, BufferType.Token); } SecurityBuffer outgoingSecurity = new SecurityBuffer(null, BufferType.Token); this.remoteCertificate = null; int statusCode = 0; if (this.isServer == true) { statusCode = SspiWrapper.AcceptSecurityContext( this.credentialsHandle, ref this.securityContext, ServerStandardFlags | (this.clientCertRequired ? SspiContextFlags.MutualAuth : SspiContextFlags.Zero), Endianness.Native, incomingSecurity, outgoingSecurity, ref this.attributes ); } else { statusCode = SspiWrapper.InitializeSecurityContext( this.credentialsHandle, ref this.securityContext, this.destination, ClientStandardFlags, Endianness.Native, incomingSecurity, outgoingSecurity, ref this.attributes ); } if ((statusCode & unchecked((int)0x80000000)) != 0) { this.Dispose(); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode)); } if (statusCode == (int)SecurityStatus.OK) { // we're done // ensure that the key negotiated is strong enough if (SecurityUtils.ShouldValidateSslCipherStrength()) { SslConnectionInfo connectionInfo = (SslConnectionInfo)SspiWrapper.QueryContextAttributes(this.securityContext, ContextAttribute.ConnectionInfo); if (connectionInfo == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.CannotObtainSslConnectionInfo))); } SecurityUtils.ValidateSslCipherStrength(connectionInfo.DataKeySize); } this.isCompleted = true; } else if (statusCode == (int)SecurityStatus.CredentialsNeeded) { // the server requires the client to supply creds // Currently we dont attempt to find the client cert to choose at runtime // so just re-call the function AcquireClientCredentials(); if (this.ClientCertificate != null) { this.wasClientCertificateSent = true; } return this.GetOutgoingBlob(incomingBlob, channelbinding, protectionPolicy); } else if (statusCode != (int)SecurityStatus.ContinueNeeded) { this.Dispose(); if (statusCode == (int)SecurityStatus.InternalError) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode, SR.GetString(SR.LsaAuthorityNotContacted))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode)); } } return outgoingSecurity.token; }
public virtual void AuthenticateAsServer(NetworkCredential credential, ExtendedProtectionPolicy policy, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel requiredImpersonationLevel) { #if DEBUG using (DebugThreadTracking.SetThreadKind(ThreadKinds.User | ThreadKinds.Sync)) { #endif _negoState.ValidateCreateContext(_package, credential, string.Empty, policy, requiredProtectionLevel, requiredImpersonationLevel); _negoState.ProcessAuthentication(null); #if DEBUG } #endif }