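/// <summary>
/// Adds a <see cref="ClaimTypes.GroupSid"/> claim for every group SID in the PAC's logon
/// info and, for groups rooted in the account domain that resolve to a friendly name,
/// a matching <see cref="ClaimTypes.Role"/> claim.
/// </summary>
/// <param name="pac">The PAC carried in the ticket's authorization data.</param>
/// <param name="claims">The claim collection to append to.</param>
/// <exception cref="ArgumentNullException"><paramref name="pac"/> or <paramref name="claims"/> is null.</exception>
protected virtual void AddGroups(PrivilegedAttributeCertificate pac, ICollection<Claim> claims)
{
    if (pac == null)
    {
        throw new ArgumentNullException(nameof(pac));
    }

    if (claims == null)
    {
        throw new ArgumentNullException(nameof(claims));
    }

    var logonInfo = pac.LogonInfo;

    // A PAC without a logon-info buffer carries no group membership to expose.
    if (logonInfo == null)
    {
        return;
    }

    var domainSid = logonInfo.DomainSid.Value;

    foreach (var group in logonInfo.GroupSids)
    {
        var sid = group.Value;

        claims.Add(new Claim(ClaimTypes.GroupSid, sid));

        // SIDs are machine identifiers ("S-1-5-21-..."), so the prefix test must be
        // ordinal; the previous culture-sensitive StartsWith could mis-match under some
        // locales. OrdinalIgnoreCase keeps this in step with AddSids.
        if (!sid.StartsWith(domainSid, StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        var friendly = SecurityIdentifierNames.GetFriendlyName(sid, domainSid);

        // A null/blank friendly name would make the Claim constructor throw; a name equal
        // to the SID itself means no mapping exists, so it is not a role either.
        if (string.IsNullOrWhiteSpace(friendly) || sid.Equals(friendly, StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        claims.Add(new Claim(ClaimTypes.Role, friendly));
    }
}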
/// <summary>
/// Appends a <see cref="ClaimTypes.GroupSid"/> claim for each SID in <paramref name="sids"/>
/// and, for SIDs that fall under <paramref name="domainSid"/> and resolve to a friendly
/// name, a <see cref="ClaimTypes.Role"/> claim carrying that name.
/// </summary>
/// <param name="claims">The claim collection to append to.</param>
/// <param name="domainSid">The account domain SID used to scope and resolve role names.</param>
/// <param name="sids">The SIDs to expose as claims.</param>
private static void AddSids(ICollection<Claim> claims, string domainSid, IEnumerable<SecurityIdentifier> sids)
{
    foreach (var identifier in sids)
    {
        var sidValue = identifier.Value;

        claims.Add(new Claim(ClaimTypes.GroupSid, sidValue));

        // Only SIDs rooted in this domain are mapped to role names.
        var inDomain = sidValue.StartsWith(domainSid, StringComparison.OrdinalIgnoreCase);

        if (!inDomain)
        {
            continue;
        }

        var roleName = SecurityIdentifierNames.GetFriendlyName(sidValue, domainSid);

        // No resolvable name means no role claim; Claim rejects a null value anyway.
        if (string.IsNullOrWhiteSpace(roleName))
        {
            continue;
        }

        claims.Add(new Claim(ClaimTypes.Role, roleName));
    }
}
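/// <summary>
/// Writes a human-readable description of the identity's ticket: the user name, the
/// non-group claims, the PAC's logon/client/delegation/UPN/credential blocks, and the
/// group memberships, according to which of All/Logon/Claims/Groups is set.
/// </summary>
/// <param name="identity">The identity whose ticket and PAC are described.</param>
/// <exception cref="ArgumentNullException"><paramref name="identity"/> is null.</exception>
internal void DescribeTicket(KerberosIdentity identity)
{
    if (identity == null)
    {
        throw new ArgumentNullException(nameof(identity));
    }

    this.WriteLine();

    var adpac = identity.Restrictions.FirstOrDefault(r => r.Key == AuthorizationDataType.AdWin2kPac);

    // A ticket need not carry a PAC; the sections that read it are skipped when it is
    // absent rather than dereferencing null.
    var pac = (PrivilegedAttributeCertificate)adpac.Value?.FirstOrDefault();

    var properties = new List<(string, object)>()
    {
        (SR.Resource("CommandLine_WhoAmI_UserName"), $"{identity.Name}"),
    };

    if ((this.All || this.Logon) && pac != null)
    {
        var objects = new object[]
        {
            pac.LogonInfo,
            pac.ClientInformation,
            pac.DelegationInformation,
            pac.UpnDomainInformation,
            pac.CredentialType
        };

        GetObjectProperties(objects, properties);
    }

    if (this.All || this.Claims)
    {
        // Group and role claims are rendered under the Groups heading instead.
        var others = identity.Claims.Where(c => c.Type != ClaimTypes.Role && c.Type != ClaimTypes.GroupSid);

        properties.Add(("", SR.Resource("CommandLine_WhoAmI_Claims")));

        foreach (var claim in others)
        {
            properties.Add((CollapseSchemaUrl(claim.Type), claim.Value));
        }
    }

    this.WriteProperties(properties);

    if (this.All || this.Groups)
    {
        this.WriteLine();
        this.WriteHeader(SR.Resource("CommandLine_WhoAmI_Groups"));
        this.WriteLine();

        // Membership lives in the logon-info buffer; without it there is nothing to list.
        if (pac?.LogonInfo != null)
        {
            this.DescribeGroupMemberships(pac);
        }
    }
}

/// <summary>
/// Lists every SID the PAC grants (the certificate-logon marker, extra SIDs, group SIDs
/// and resource groups) with its friendly name and attributes, one per line, ordered by SID.
/// </summary>
/// <param name="pac">A PAC whose <c>LogonInfo</c> is non-null.</param>
private void DescribeGroupMemberships(PrivilegedAttributeCertificate pac)
{
    var logonInfo = pac.LogonInfo;
    var domainSid = logonInfo.DomainSid.Value;

    var certSids = new List<SecurityIdentifier>();

    // A credential blob in the PAC indicates certificate logon; surface the well-known
    // "this organization certificate" SID alongside the real memberships.
    if (pac.CredentialType != null)
    {
        certSids.Add(SecurityIdentifier.WellKnown.ThisOrganizationCertificate);
    }

    // Materialized once: as a deferred query this was re-run for each Max() and again
    // for the sort, resolving every friendly name three times.
    var sids = certSids
        .Union(logonInfo.ExtraSids)
        .Union(logonInfo.GroupSids)
        .Union(logonInfo.ResourceGroups)
        .Select(s => new { Sid = s, Name = SecurityIdentifierNames.GetFriendlyName(s.Value, domainSid) })
        .ToList();

    // Max() throws on an empty sequence; nothing to print in that case.
    if (sids.Count == 0)
    {
        return;
    }

    var sidWidth = sids.Max(s => s.Sid.Value.Length);
    var nameWidth = sids.Max(s => s.Name?.Length ?? 0);

    foreach (var group in sids.OrderBy(c => c.Sid.Value))
    {
        // "{{Attr}}" survives this Format as a literal "{Attr}" placeholder for WriteLine.
        this.WriteLine(
            1,
            string.Format("{0} {1} {{Attr}}", (group.Name ?? "").PadRight(nameWidth), group.Sid.Value.PadRight(sidWidth)),
            group.Sid.Attributes);
    }
}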