private bool IsMatch(string trustee, string requestor, string domainName, AccessControlType aceType = AccessControlType.Allow)
{
var user = directory.GetUser(requestor);
var p = directory.GetPrincipal(trustee);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(aceType, p.Sid, (int)AccessMask.Jit, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl);
string serverName;
if (domainName == null)
{
serverName = discoveryServices.GetDomainController(discoveryServices.GetDomainNameDns(p.Sid));
}
else
{
serverName = discoveryServices.GetDomainController(domainName);
}
using AuthorizationContext c = new AuthorizationContext(user.Sid, serverName);
return(c.AccessCheck(sd, (int)AccessMask.Jit));
}
private bool CheckForSidInToken(SecurityIdentifier principalSid, SecurityIdentifier sidToCheck, SecurityIdentifier requestContext = null)
{
if (principalSid == null)
{
throw new ArgumentNullException(nameof(principalSid));
}
if (sidToCheck == null)
{
throw new ArgumentNullException(nameof(sidToCheck));
}
if (principalSid == sidToCheck)
{
return(true);
}
if (requestContext == null || requestContext.IsEqualDomainSid(CurrentDomainSid))
{
using (AuthorizationContext context = new AuthorizationContext(principalSid))
{
return(context.ContainsSid(sidToCheck));
}
}
else
{
string dnsDomain = discoveryServices.GetDomainNameDns(requestContext.AccountDomainSid);
return(this.discoveryServices.Find2012DcAndExecuteWithRetry(dnsDomain, dc =>
{
using (AuthorizationContext context = new AuthorizationContext(principalSid, dc))
{
return context.ContainsSid(sidToCheck);
}
}));
}
}
