        /// <summary>
        /// Authenticates <paramref name="accountNameToAuth"/> using the supplied LM / NTLM challenge responses
        /// by building an NTLM AUTHENTICATE (Type 3) message and validating it against
        /// <c>m_serverContext</c> through <c>SSPIHelper.AuthenticateType3Message</c>.
        /// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
        /// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
        /// </summary>
        /// <param name="accountNameToAuth">Account name supplied by the client; an empty name selects the Guest path.</param>
        /// <param name="lmResponse">LM challenge response bytes as received from the client.</param>
        /// <param name="ntlmResponse">NTLM challenge response bytes as received from the client.</param>
        /// <returns>
        /// The matching <see cref="User"/> from this collection on success; <c>null</c> when the account is unknown,
        /// when the Guest account is selected but not present, or when SSPI rejects the credentials.
        /// </returns>
        /// <exception cref="EmptyPasswordNotAllowedException">
        /// Thrown when the account's password is blank but blank passwords are not allowed.
        /// </exception>
        public User Authenticate(string accountNameToAuth, byte[] lmResponse, byte[] ntlmResponse)
        {
            // Guest path: an empty account name, or an explicit "Guest" logon with an empty password when
            // EnableGuestLogin is set. The Guest path returns without any SSPI validation.
            // NOTE(review): the empty-name case is not gated on EnableGuestLogin, so an empty account name
            // still resolves to the Guest account when guest logins are disabled - confirm this is intended.
            if (accountNameToAuth == String.Empty ||
                (String.Equals(accountNameToAuth, "Guest", StringComparison.InvariantCultureIgnoreCase) && IsPasswordEmpty(lmResponse, ntlmResponse) && this.EnableGuestLogin))
            {
                int guestIndex = IndexOf("Guest");
                if (guestIndex >= 0)
                {
                    return(this[guestIndex]);
                }
                return(null);
            }

            int index = IndexOf(accountNameToAuth);

            // Unknown accounts fall through to the final 'return null' without calling SSPI.
            // NOTE(review): this means an unknown name and a wrong password take different code paths;
            // consider whether that difference is observable to a client in this deployment.
            if (index >= 0)
            {
                // We should not spam the security event log, and should call the Windows LogonUser API
                // just to verify the user has a blank password.
                // The order of these three checks matters: LoginAPI.HasEmptyPassword is evaluated last,
                // so it only runs when blank passwords are disallowed AND the supplied responses are empty.
                if (!AreEmptyPasswordsAllowed() &&
                    IsPasswordEmpty(lmResponse, ntlmResponse) &&
                    LoginAPI.HasEmptyPassword(accountNameToAuth))
                {
                    throw new EmptyPasswordNotAllowedException();
                }

                // Re-serialize the client's responses into a Type 3 message that SSPI can validate
                // against the server context established during the earlier Type 1 / Type 2 exchange.
                AuthenticateMessage authenticateMessage = new AuthenticateMessage();
                authenticateMessage.NegotiateFlags      = NegotiateFlags.NegotiateUnicode | NegotiateFlags.NegotiateOEM | NegotiateFlags.RequestTarget | NegotiateFlags.NegotiateSign | NegotiateFlags.NegotiateSeal | NegotiateFlags.NegotiateLanManagerKey | NegotiateFlags.NegotiateNTLMKey | NegotiateFlags.NegotiateAlwaysSign | NegotiateFlags.NegotiateVersion | NegotiateFlags.Negotiate128 | NegotiateFlags.Negotiate56;
                authenticateMessage.UserName            = accountNameToAuth;
                authenticateMessage.LmChallengeResponse = lmResponse;
                authenticateMessage.NtChallengeResponse = ntlmResponse;
                authenticateMessage.Version             = Authentication.Version.Server2003;
                byte[] authenticateMessageBytes = authenticateMessage.GetBytes();

                // Credential verification is delegated entirely to SSPI; only a positive result maps to a User.
                bool success = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes);
                if (success)
                {
                    return(this[index]);
                }
            }
            return(null);
        }
        /// <summary>
        /// Authenticates a client from a raw NTLM AUTHENTICATE (Type 3) message by parsing it for the
        /// account name and then validating the original bytes against <c>m_serverContext</c> through
        /// <c>SSPIHelper.AuthenticateType3Message</c>.
        /// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
        /// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
        /// </summary>
        /// <param name="authenticateMessageBytes">
        /// The Type 3 message exactly as received from the client. These bytes are untrusted input: the
        /// parsed <c>UserName</c> is used for the account lookup, and the unmodified bytes are handed to SSPI.
        /// </param>
        /// <returns>
        /// The matching <see cref="User"/> from this collection on success; <c>null</c> when the account is unknown,
        /// when the Guest account is selected but not present, or when SSPI rejects the message.
        /// </returns>
        /// <exception cref="EmptyPasswordNotAllowedException">
        /// Thrown when the account's password is blank but blank passwords are not allowed.
        /// </exception>
        public User Authenticate(byte[] authenticateMessageBytes)
        {
            // Parsing happens before any validation; a malformed message is expected to surface from the
            // AuthenticateMessage constructor - NOTE(review): confirm how the parser reacts to truncated input.
            AuthenticateMessage message = new AuthenticateMessage(authenticateMessageBytes);

            // Guest path: the client set NegotiateAnonymous, or asked for "Guest" with an empty password
            // while EnableGuestLogin is set. The Guest path returns without any SSPI validation.
            // NOTE(review): the anonymous-flag case is not gated on EnableGuestLogin, so an anonymous
            // logon still resolves to the Guest account when guest logins are disabled - confirm this is intended.
            if ((message.NegotiateFlags & NegotiateFlags.NegotiateAnonymous) > 0 ||
                (String.Equals(message.UserName, "Guest", StringComparison.InvariantCultureIgnoreCase) && IsPasswordEmpty(message) && this.EnableGuestLogin))
            {
                int guestIndex = IndexOf("Guest");
                if (guestIndex >= 0)
                {
                    return(this[guestIndex]);
                }
                return(null);
            }

            int index = IndexOf(message.UserName);

            // Unknown accounts fall through to the final 'return null' without calling SSPI.
            // NOTE(review): this means an unknown name and a wrong password take different code paths;
            // consider whether that difference is observable to a client in this deployment.
            if (index >= 0)
            {
                // We should not spam the security event log, and should call the Windows LogonUser API
                // just to verify the user has a blank password.
                // The order of these three checks matters: LoginAPI.HasEmptyPassword is evaluated last,
                // so it only runs when blank passwords are disallowed AND the message carries an empty password.
                if (!AreEmptyPasswordsAllowed() &&
                    IsPasswordEmpty(message) &&
                    LoginAPI.HasEmptyPassword(message.UserName))
                {
                    throw new EmptyPasswordNotAllowedException();
                }

                // The original bytes (not a re-serialized message) are validated, so any MIC or
                // signing material the client included is passed through to SSPI untouched.
                bool success = SSPIHelper.AuthenticateType3Message(m_serverContext, authenticateMessageBytes);
                if (success)
                {
                    return(this[index]);
                }
            }
            return(null);
        }