public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }

            SecurityTokenProvider result = null;
            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
            {
                // this is the uncorrelated duplex case
                if (_parent.ClientCertificate.Certificate == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
                }
                result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate, _parent.ClientCertificate.CloneCertificate);
            }
            else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
            {
                InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
                string tokenType = initiatorRequirement.TokenType;
                if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
                }
                else if (tokenType == SecurityTokenTypes.X509Certificate)
                {
                    if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                    {
                        throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
                    }
                    else
                    {
                        if (_parent.ClientCertificate.Certificate == null)
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
                        }
                        result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate, _parent.ClientCertificate.CloneCertificate);
                    }
                }
                else if (tokenType == SecurityTokenTypes.Kerberos)
                {
                    string spn = GetServicePrincipalName(initiatorRequirement);
                    result = new KerberosSecurityTokenProviderWrapper(
                        new KerberosSecurityTokenProvider(spn, _parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(_parent.Windows.ClientCredential)));
                }
                else if (tokenType == SecurityTokenTypes.UserName)
                {
                    if (_parent.UserName.UserName == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials));
                    }
                    result = new UserNameSecurityTokenProvider(_parent.UserName.UserName, _parent.UserName.Password);
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
                {
                    if (IsDigestAuthenticationScheme(initiatorRequirement))
                    {
                        result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(_parent.HttpDigest.ClientCredential), true, TokenImpersonationLevel.Delegation);
                    }
                    else
                    {

#pragma warning disable 618   // to disable AllowNtlm obsolete wanring.      
                        result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(_parent.Windows.ClientCredential),

                            _parent.Windows.AllowNtlm,
                            _parent.Windows.AllowedImpersonationLevel);
#pragma warning restore 618
                    }
                }
            }

            if ((result == null) && !tokenRequirement.IsOptionalToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
            }

            return result;
        }
Пример #2
0
        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
            }

            SecurityTokenProvider result = null;

            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
            {
                // this is the uncorrelated duplex case
                if (ClientCredentials.ClientCertificate.Certificate == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
                }
                result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate);
            }
            else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
            {
                InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
                string tokenType = initiatorRequirement.TokenType;
                if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
                }
                else if (tokenType == SecurityTokenTypes.X509Certificate)
                {
                    if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                    {
                        throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
                    }
                    else
                    {
                        if (ClientCredentials.ClientCertificate.Certificate == null)
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
                        }
                        result = new X509SecurityTokenProvider(ClientCredentials.ClientCertificate.Certificate, ClientCredentials.ClientCertificate.CloneCertificate);
                    }
                }
                else if (tokenType == SecurityTokenTypes.Kerberos)
                {
                    string spn = GetServicePrincipalName(initiatorRequirement);
                    result = new KerberosSecurityTokenProviderWrapper(
                        new KerberosSecurityTokenProvider(spn, ClientCredentials.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential)));
                }
                else if (tokenType == SecurityTokenTypes.UserName)
                {
                    if (ClientCredentials.UserName.UserName == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.UserNamePasswordNotProvidedOnClientCredentials));
                    }
                    result = new UserNameSecurityTokenProvider(ClientCredentials.UserName.UserName, ClientCredentials.UserName.Password);
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
                {
                    if (IsDigestAuthenticationScheme(initiatorRequirement))
                    {
                        result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.HttpDigest.ClientCredential), true, TokenImpersonationLevel.Delegation);
                    }
                    else
                    {
#pragma warning disable 618   // to disable AllowNtlm obsolete warning.
                        result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(ClientCredentials.Windows.ClientCredential),

                                                               ClientCredentials.Windows.AllowNtlm,
                                                               ClientCredentials.Windows.AllowedImpersonationLevel);
#pragma warning restore 618
                    }
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
                {
                    result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
                }
            }

            if ((result == null) && !tokenRequirement.IsOptionalToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
            }

            return(result);
        }
        internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
        {
            if (tokenRequirement == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }
            SecurityTokenProvider provider = null;

            if (disableInfoCard || !this.CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out provider))
            {
                if (((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
                {
                    if (this.parent.ClientCertificate.Certificate == null)
                    {
                        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
                    }
                    provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
                }
                else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
                {
                    InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
                    string tokenType = requirement.TokenType;
                    if (this.IsIssuedSecurityTokenRequirement(requirement))
                    {
                        provider = this.CreateIssuedSecurityTokenProvider(requirement);
                    }
                    else if (tokenType == SecurityTokenTypes.X509Certificate)
                    {
                        if (requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange))
                        {
                            provider = this.CreateServerX509TokenProvider(requirement.TargetAddress);
                        }
                        else
                        {
                            if (this.parent.ClientCertificate.Certificate == null)
                            {
                                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
                            }
                            provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
                        }
                    }
                    else if (tokenType == SecurityTokenTypes.Kerberos)
                    {
                        provider = new KerberosSecurityTokenProviderWrapper(new KerberosSecurityTokenProvider(this.GetServicePrincipalName(requirement), this.parent.Windows.AllowedImpersonationLevel, System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential)), this.GetCredentialsHandle(requirement));
                    }
                    else if (tokenType == SecurityTokenTypes.UserName)
                    {
                        if (this.parent.UserName.UserName == null)
                        {
                            throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UserNamePasswordNotProvidedOnClientCredentials")));
                        }
                        provider = new UserNameSecurityTokenProvider(this.parent.UserName.UserName, this.parent.UserName.Password);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
                    {
                        if (this.IsDigestAuthenticationScheme(requirement))
                        {
                            provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.HttpDigest.ClientCredential), true, this.parent.HttpDigest.AllowedImpersonationLevel);
                        }
                        else
                        {
                            provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential), this.parent.Windows.AllowNtlm, this.parent.Windows.AllowedImpersonationLevel);
                        }
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
                    {
                        provider = this.CreateSpnegoTokenProvider(requirement);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
                    {
                        provider = this.CreateTlsnegoTokenProvider(requirement, true);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
                    {
                        provider = this.CreateTlsnegoTokenProvider(requirement, false);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
                    {
                        provider = this.CreateSecureConversationSecurityTokenProvider(requirement);
                    }
                }
            }
            if (provider == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { tokenRequirement })));
            }
            return(provider);
        }
        internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }

            SecurityTokenProvider result = null;
            if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result))
            {
                if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                {
                    // this is the uncorrelated duplex case
                    if (parent.ClientCertificate.Certificate == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
                    }
                    result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                }
                else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
                {
                    InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
#pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation.
                    string tokenType = initiatorRequirement.TokenType;
                    if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                    {
                        FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement);

                        if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null)
                        {
                            return new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement);
                        }
                        
                        result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters);
                    }
                    else if (tokenType == SecurityTokenTypes.X509Certificate)
                    {
                        if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                        {
                            result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress);
                        }
                        else
                        {
                            if (parent.ClientCertificate.Certificate == null)
                            {
                                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
                            }
                            result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                        }
                    }
                    else if (tokenType == SecurityTokenTypes.Kerberos)
                    {
                        string spn = GetServicePrincipalName(initiatorRequirement);
                        result = new KerberosSecurityTokenProviderWrapper(
                            new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)), 
                            GetCredentialsHandle(initiatorRequirement));
                    }
                    else if (tokenType == SecurityTokenTypes.UserName)
                    {
                        if (parent.UserName.UserName == null )
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials)));
                        }
                        result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
                    {
                        if (IsDigestAuthenticationScheme(initiatorRequirement))
                        {
                            result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel);
                        }
                        else
                        {

 #pragma warning disable 618   // to disable AllowNtlm obsolete wanring.      
  
                            result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential), 
                      
                                parent.Windows.AllowNtlm, 
                                parent.Windows.AllowedImpersonationLevel);
 #pragma warning restore 618 
                   
                        }
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
                    {
                        result = CreateSpnegoTokenProvider(initiatorRequirement);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
                    {
                        result = CreateTlsnegoTokenProvider(initiatorRequirement, true);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
                    {
                        result = CreateTlsnegoTokenProvider(initiatorRequirement, false);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
                    {
                        result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
                    }
                }
            }

            if ((result == null) && !tokenRequirement.IsOptionalToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
            }

            return result;
        }
 internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
 {
     if (tokenRequirement == null)
     {
         throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
     }
     SecurityTokenProvider provider = null;
     if (disableInfoCard || !this.CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out provider))
     {
         if (((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
         {
             if (this.parent.ClientCertificate.Certificate == null)
             {
                 throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
             }
             provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
         }
         else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
         {
             InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
             string tokenType = requirement.TokenType;
             if (this.IsIssuedSecurityTokenRequirement(requirement))
             {
                 provider = this.CreateIssuedSecurityTokenProvider(requirement);
             }
             else if (tokenType == SecurityTokenTypes.X509Certificate)
             {
                 if (requirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && (requirement.KeyUsage == SecurityKeyUsage.Exchange))
                 {
                     provider = this.CreateServerX509TokenProvider(requirement.TargetAddress);
                 }
                 else
                 {
                     if (this.parent.ClientCertificate.Certificate == null)
                     {
                         throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnClientCredentials")));
                     }
                     provider = new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
                 }
             }
             else if (tokenType == SecurityTokenTypes.Kerberos)
             {
                 provider = new KerberosSecurityTokenProviderWrapper(new KerberosSecurityTokenProvider(this.GetServicePrincipalName(requirement), this.parent.Windows.AllowedImpersonationLevel, System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential)), this.GetCredentialsHandle(requirement));
             }
             else if (tokenType == SecurityTokenTypes.UserName)
             {
                 if (this.parent.UserName.UserName == null)
                 {
                     throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UserNamePasswordNotProvidedOnClientCredentials")));
                 }
                 provider = new UserNameSecurityTokenProvider(this.parent.UserName.UserName, this.parent.UserName.Password);
             }
             else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
             {
                 if (this.IsDigestAuthenticationScheme(requirement))
                 {
                     provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.HttpDigest.ClientCredential), true, this.parent.HttpDigest.AllowedImpersonationLevel);
                 }
                 else
                 {
                     provider = new SspiSecurityTokenProvider(System.ServiceModel.Security.SecurityUtils.GetNetworkCredentialOrDefault(this.parent.Windows.ClientCredential), this.parent.Windows.AllowNtlm, this.parent.Windows.AllowedImpersonationLevel);
                 }
             }
             else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
             {
                 provider = this.CreateSpnegoTokenProvider(requirement);
             }
             else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
             {
                 provider = this.CreateTlsnegoTokenProvider(requirement, true);
             }
             else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
             {
                 provider = this.CreateTlsnegoTokenProvider(requirement, false);
             }
             else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
             {
                 provider = this.CreateSecureConversationSecurityTokenProvider(requirement);
             }
         }
     }
     if (provider == null)
     {
         throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { tokenRequirement })));
     }
     return provider;
 }
        internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }

            SecurityTokenProvider result = null;

            if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result))
            {
                if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                {
                    // this is the uncorrelated duplex case
                    if (parent.ClientCertificate.Certificate == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
                    }
                    result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                }
                else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
                {
                    InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
#pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation.
                    string tokenType = initiatorRequirement.TokenType;
                    if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                    {
                        FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement);

                        if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null)
                        {
                            return(new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement));
                        }

                        result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters);
                    }
                    else if (tokenType == SecurityTokenTypes.X509Certificate)
                    {
                        if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                        {
                            result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress);
                        }
                        else
                        {
                            if (parent.ClientCertificate.Certificate == null)
                            {
                                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials)));
                            }
                            result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                        }
                    }
                    else if (tokenType == SecurityTokenTypes.Kerberos)
                    {
                        string spn = GetServicePrincipalName(initiatorRequirement);
                        result = new KerberosSecurityTokenProviderWrapper(
                            new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)),
                            GetCredentialsHandle(initiatorRequirement));
                    }
                    else if (tokenType == SecurityTokenTypes.UserName)
                    {
                        if (parent.UserName.UserName == null)
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials)));
                        }
                        result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
                    {
                        if (IsDigestAuthenticationScheme(initiatorRequirement))
                        {
                            result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel);
                        }
                        else
                        {
 #pragma warning disable 618   // to disable AllowNtlm obsolete wanring.

                            result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential),

                                                                   parent.Windows.AllowNtlm,
                                                                   parent.Windows.AllowedImpersonationLevel);
 #pragma warning restore 618
                        }
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
                    {
                        result = CreateSpnegoTokenProvider(initiatorRequirement);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
                    {
                        result = CreateTlsnegoTokenProvider(initiatorRequirement, true);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
                    {
                        result = CreateTlsnegoTokenProvider(initiatorRequirement, false);
                    }
                    else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
                    {
                        result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement);
                    }
                }
            }

            if ((result == null) && !tokenRequirement.IsOptionalToken)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
            }

            return(result);
        }