private static ADUser ResolveCertificateFromCacheOrAD(HttpClientCertificate certificate, string orgName)
{
Logger.EnterFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificateFromCacheOrAD");
X509Identifier x509Identifier = CertificateAuthenticationModule.CreateCertificateIdentity(certificate);
ADUser aduser = CertificateAuthenticationModule.GetUserFromCache(x509Identifier);
if (aduser == null)
{
aduser = CertificateAuthenticationModule.ResolveCertificate(x509Identifier, orgName);
if (aduser != null)
{
CertificateAuthenticationModule.AddUserToCache(x509Identifier, aduser);
}
}
else
{
HttpLogger.SafeAppendGenericInfo("ResolveCertificateFromCacheOrAD", "Cache");
}
if (aduser == null)
{
Logger.LogEvent(CertificateAuthenticationModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, certificate.Subject, new object[]
{
certificate.Subject
});
Logger.LogVerbose("Found no user by certificate {0}", new object[]
{
certificate.Subject
});
}
else
{
Logger.LogVerbose("Found user {0} by certificate {1}", new object[]
{
aduser.Name,
certificate.Subject
});
}
Logger.ExitFunction(ExTraceGlobals.CertAuthTracer, "ResolveCertificateFromCacheOrAD");
return(aduser);
}
private static void OnAuthenticateRequest(object source, EventArgs args)
{
HttpApplication httpApplication = (HttpApplication)source;
HttpContext context = httpApplication.Context;
if (context.Request.IsAuthenticated)
{
return;
}
HttpRequest request = context.Request;
if (!CertificateHeaderAuthModule.IsValidCertificateHeaderRequest(request))
{
return;
}
Logger.LogVerbose("Request of Authentication for certificate {0}.", new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]
});
int i = 0;
while (i < CertificateHeaderAuthModule.maxRetryForADTransient)
{
try
{
X509Identifier x509Identifier = CertificateHeaderAuthModule.CreateCertificateIdentity(request);
ADUser aduser = CertificateHeaderAuthModule.GetUserFromCache(x509Identifier);
if (aduser == null)
{
aduser = CertificateAuthenticationModule.ResolveCertificate(x509Identifier, null);
if (aduser != null)
{
CertificateHeaderAuthModule.AddUserToCache(x509Identifier, aduser);
}
}
if (aduser == null)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_UserNotFound, request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"], new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
"CertificateHeader"
});
Logger.LogVerbose("Certificate authentication succeeded but certificate {0} cannot be mapped to an AD account.", new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]
});
break;
}
IIdentity identity;
if (aduser.RecipientTypeDetails == RecipientTypeDetails.LinkedUser)
{
identity = new GenericIdentity(aduser.Sid.ToString(), "CertificateLinkedUser");
}
else
{
identity = new WindowsIdentity(aduser.UserPrincipalName);
}
if (!OrganizationId.ForestWideOrgId.Equals(aduser.OrganizationId))
{
HttpContext.Current.Items[CertificateAuthenticationModule.TenantCertificateOrganizaitonItemName] = aduser.OrganizationId.OrganizationalUnit.Name;
}
context.User = new GenericPrincipal(identity, new string[0]);
Logger.LogVerbose("User correctly authenticated and linked to Certificate {0}.", new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]
});
if (i > 0)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientRecovery, null, new object[]
{
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
i,
"CertificateHeader"
});
}
break;
}
catch (ADTransientException ex)
{
i++;
if (i == 1)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_TransientError, null, new object[]
{
ex,
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
"CertificateHeader"
});
}
Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]), ex);
if (i > CertificateHeaderAuthModule.maxRetryForADTransient)
{
throw;
}
}
catch (Exception ex2)
{
Logger.LogEvent(CertificateHeaderAuthModule.eventLogger, TaskEventLogConstants.Tuple_CertAuth_ServerError, null, new object[]
{
ex2,
request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"],
"CertificateHeader"
});
Logger.LogError(string.Format("AD Transient Error when processing certificate authentication {0}.", request.Headers["X-Exchange-PowerShell-Client-Cert-Subject"]), ex2);
throw;
}
}
}
