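/// <summary>
/// Runs a Windows access check to decide whether <paramref name="requestor"/> is granted
/// <see cref="AccessMask.Jit"/> by a security descriptor holding a single ACE for <paramref name="trustee"/>.
/// </summary>
/// <param name="trustee">Name of the principal (user or group) placed in the ACE; resolved through <c>directory.GetPrincipal</c>.</param>
/// <param name="requestor">Name of the user whose token is evaluated; resolved through <c>directory.GetUser</c>.</param>
/// <param name="domainName">DNS domain whose domain controller performs the check. When null, the DC is located
/// from the domain of the trustee's SID.</param>
/// <param name="aceType">Type of the ACE built for the trustee; defaults to <see cref="AccessControlType.Allow"/>.</param>
/// <returns>true if the access check grants <see cref="AccessMask.Jit"/>; otherwise false.</returns>
/// <exception cref="ArgumentNullException"><paramref name="trustee"/> or <paramref name="requestor"/> is null.</exception>
/// <remarks>
/// The descriptor contains only the one ACE. With <see cref="AccessControlType.Deny"/> there is therefore no Allow
/// ACE that could grant the requested bits, so the check is expected to return false whether or not the requestor
/// matches the trustee; only the Allow form distinguishes a match from a non-match.
/// </remarks>
private bool IsMatch(string trustee, string requestor, string domainName, AccessControlType aceType = AccessControlType.Allow)
{
    // Fail on missing names here rather than inside the directory lookup (same style as CheckForSidInToken).
    if (trustee == null)
    {
        throw new ArgumentNullException(nameof(trustee));
    }

    if (requestor == null)
    {
        throw new ArgumentNullException(nameof(requestor));
    }

    var user = directory.GetUser(requestor);
    var principal = directory.GetPrincipal(trustee);
    // NOTE(review): the lookups above are assumed to throw rather than return null for unknown names — confirm.

    // DACL holding exactly the ACE under test, granting/denying the JIT mask to the trustee.
    DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
    dacl.AddAccess(aceType, principal.Sid, (int)AccessMask.Jit, InheritanceFlags.None, PropagationFlags.None);

    // Owner is LocalSystem and group/SACL are null: only the DACL matters for this check.
    CommonSecurityDescriptor sd = new CommonSecurityDescriptor(
        false,
        false,
        ControlFlags.DiscretionaryAclPresent,
        new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
        null,
        null,
        dacl);

    // Pick a DC for the requested domain, or for the trustee's own domain when none was given.
    string serverName = domainName == null
        ? discoveryServices.GetDomainController(discoveryServices.GetDomainNameDns(principal.Sid))
        : discoveryServices.GetDomainController(domainName);

    // The requestor's authorization context is presumably built via the chosen server so that
    // domain group membership is resolved there — confirm against AuthorizationContext.
    using AuthorizationContext c = new AuthorizationContext(user.Sid, serverName);
    return c.AccessCheck(sd, (int)AccessMask.Jit);
}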
/// <summary>
/// Determines whether <paramref name="sidToCheck"/> is present in the token of <paramref name="principalSid"/>:
/// trivially when the two SIDs are equal, otherwise via <see cref="AuthorizationContext.ContainsSid"/>.
/// </summary>
/// <param name="principalSid">SID of the principal whose token is built and inspected.</param>
/// <param name="sidToCheck">SID searched for in that token.</param>
/// <param name="requestContext">Optional SID whose domain decides where the token is built. Null, or a SID from the
/// current domain, uses a local <see cref="AuthorizationContext"/>; any other domain routes the check through a
/// domain controller of that domain with retry.</param>
/// <returns>true if the SID is found in the token; otherwise false.</returns>
/// <exception cref="ArgumentNullException"><paramref name="principalSid"/> or <paramref name="sidToCheck"/> is null.</exception>
private bool CheckForSidInToken(SecurityIdentifier principalSid, SecurityIdentifier sidToCheck, SecurityIdentifier requestContext = null)
{
    if (principalSid is null)
    {
        throw new ArgumentNullException(nameof(principalSid));
    }

    if (sidToCheck is null)
    {
        throw new ArgumentNullException(nameof(sidToCheck));
    }

    // A principal always "contains" its own SID; no token needs to be built for this case.
    if (principalSid == sidToCheck)
    {
        return true;
    }

    bool useLocalContext = requestContext is null || requestContext.IsEqualDomainSid(CurrentDomainSid);

    if (useLocalContext)
    {
        using (AuthorizationContext localContext = new AuthorizationContext(principalSid))
        {
            return localContext.ContainsSid(sidToCheck);
        }
    }

    // Foreign domain: the token is built against a DC of that domain, presumably so that group membership
    // held there is visible to the check — confirm against AuthorizationContext.
    // NOTE(review): AccountDomainSid is null for SIDs that are not account SIDs — confirm callers never pass such a requestContext.
    string targetDomain = discoveryServices.GetDomainNameDns(requestContext.AccountDomainSid);

    return discoveryServices.Find2012DcAndExecuteWithRetry(targetDomain, dc =>
    {
        using (AuthorizationContext remoteContext = new AuthorizationContext(principalSid, dc))
        {
            return remoteContext.ContainsSid(sidToCheck);
        }
    });
}