internal void ValidateCreateContext(
string package,
bool isServer,
NetworkCredential credential,
string servicePrincipalName,
ChannelBinding channelBinding,
ProtectionLevel protectionLevel,
TokenImpersonationLevel impersonationLevel)
{
if (_exception != null && !_canRetryAuthentication)
{
throw _exception;
}
if (_context != null && _context.IsValidContext)
{
throw new InvalidOperationException(SR.net_auth_reauth);
}
if (credential == null)
{
throw new ArgumentNullException("credential");
}
if (servicePrincipalName == null)
{
throw new ArgumentNullException("servicePrincipalName");
}
if (impersonationLevel != TokenImpersonationLevel.Identification &&
impersonationLevel != TokenImpersonationLevel.Impersonation &&
impersonationLevel != TokenImpersonationLevel.Delegation)
{
throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.net_auth_supported_impl_levels);
}
if (_context != null && IsServer != isServer)
{
throw new InvalidOperationException(SR.net_auth_client_server);
}
_exception = null;
_remoteOk = false;
_framer = new StreamFramer(_innerStream);
_framer.WriteHeader.MessageId = FrameHeader.HandshakeId;
_expectedProtectionLevel = protectionLevel;
_expectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None;
_writeSequenceNumber = 0;
_readSequenceNumber = 0;
Interop.SspiCli.ContextFlags flags = Interop.SspiCli.ContextFlags.Connection;
// A workaround for the client when talking to Win9x on the server side.
if (protectionLevel == ProtectionLevel.None && !isServer)
{
package = NegotiationInfoClass.NTLM;
}
else if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
flags |= Interop.SspiCli.ContextFlags.Confidentiality;
}
else if (protectionLevel == ProtectionLevel.Sign)
{
// Assuming user expects NT4 SP4 and above.
flags |= Interop.SspiCli.ContextFlags.ReplayDetect | Interop.SspiCli.ContextFlags.SequenceDetect | Interop.SspiCli.ContextFlags.InitIntegrity;
}
if (isServer)
{
if (_extendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported)
{
flags |= Interop.SspiCli.ContextFlags.AllowMissingBindings;
}
if (_extendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never &&
_extendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy)
{
flags |= Interop.SspiCli.ContextFlags.ProxyBindings;
}
}
else
{
// Server side should not request any of these flags.
if (protectionLevel != ProtectionLevel.None)
{
flags |= Interop.SspiCli.ContextFlags.MutualAuth;
}
if (impersonationLevel == TokenImpersonationLevel.Identification)
{
flags |= Interop.SspiCli.ContextFlags.InitIdentify;
}
if (impersonationLevel == TokenImpersonationLevel.Delegation)
{
flags |= Interop.SspiCli.ContextFlags.Delegate;
}
}
_canRetryAuthentication = false;
try
{
_context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding);
}
catch (Win32Exception e)
{
throw new AuthenticationException(SR.net_auth_SSPI, e);
}
}
internal void ValidateCreateContext(string package, bool isServer, NetworkCredential credential, string servicePrincipalName, ChannelBinding channelBinding, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel)
{
if ((this._Exception != null) && !this._CanRetryAuthentication)
{
throw this._Exception;
}
if ((this._Context != null) && this._Context.IsValidContext)
{
throw new InvalidOperationException(SR.GetString("net_auth_reauth"));
}
if (credential == null)
{
throw new ArgumentNullException("credential");
}
if (servicePrincipalName == null)
{
throw new ArgumentNullException("servicePrincipalName");
}
if (ComNetOS.IsWin9x && (protectionLevel != ProtectionLevel.None))
{
throw new NotSupportedException(SR.GetString("net_auth_no_protection_on_win9x"));
}
if (((impersonationLevel != TokenImpersonationLevel.Identification) && (impersonationLevel != TokenImpersonationLevel.Impersonation)) && (impersonationLevel != TokenImpersonationLevel.Delegation))
{
throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.GetString("net_auth_supported_impl_levels"));
}
if ((this._Context != null) && (this.IsServer != isServer))
{
throw new InvalidOperationException(SR.GetString("net_auth_client_server"));
}
this._Exception = null;
this._RemoteOk = false;
this._Framer = new StreamFramer(this._InnerStream);
this._Framer.WriteHeader.MessageId = 0x16;
this._ExpectedProtectionLevel = protectionLevel;
this._ExpectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None;
this._WriteSequenceNumber = 0;
this._ReadSequenceNumber = 0;
ContextFlags connection = ContextFlags.Connection;
if ((protectionLevel == ProtectionLevel.None) && !isServer)
{
package = "NTLM";
}
else if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
connection |= ContextFlags.Confidentiality;
}
else if (protectionLevel == ProtectionLevel.Sign)
{
connection |= ContextFlags.AcceptStream | ContextFlags.SequenceDetect | ContextFlags.ReplayDetect;
}
if (isServer)
{
if (this._ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported)
{
connection |= ContextFlags.AllowMissingBindings;
}
if ((this._ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never) && (this._ExtendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy))
{
connection |= ContextFlags.ProxyBindings;
}
}
else
{
if (protectionLevel != ProtectionLevel.None)
{
connection |= ContextFlags.MutualAuth;
}
if (impersonationLevel == TokenImpersonationLevel.Identification)
{
connection |= ContextFlags.AcceptIntegrity;
}
if (impersonationLevel == TokenImpersonationLevel.Delegation)
{
connection |= ContextFlags.Delegate;
}
}
this._CanRetryAuthentication = false;
if (!(credential is SystemNetworkCredential))
{
ExceptionHelper.ControlPrincipalPermission.Demand();
}
try
{
this._Context = new NTAuthentication(isServer, package, credential, servicePrincipalName, connection, channelBinding);
}
catch (Win32Exception exception)
{
throw new AuthenticationException(SR.GetString("net_auth_SSPI"), exception);
}
}
internal void ValidateCreateContext(
string package,
bool isServer,
NetworkCredential credential,
string servicePrincipalName,
ChannelBinding channelBinding,
ProtectionLevel protectionLevel,
TokenImpersonationLevel impersonationLevel)
{
if (_exception != null && !_canRetryAuthentication)
{
throw _exception;
}
if (_context != null && _context.IsValidContext)
{
throw new InvalidOperationException(SR.net_auth_reauth);
}
if (credential == null)
{
throw new ArgumentNullException(nameof(credential));
}
if (servicePrincipalName == null)
{
throw new ArgumentNullException(nameof(servicePrincipalName));
}
if (impersonationLevel != TokenImpersonationLevel.Identification &&
impersonationLevel != TokenImpersonationLevel.Impersonation &&
impersonationLevel != TokenImpersonationLevel.Delegation)
{
throw new ArgumentOutOfRangeException(nameof(impersonationLevel), impersonationLevel.ToString(), SR.net_auth_supported_impl_levels);
}
if (_context != null && IsServer != isServer)
{
throw new InvalidOperationException(SR.net_auth_client_server);
}
_exception = null;
_remoteOk = false;
_framer = new StreamFramer(_innerStream);
_framer.WriteHeader.MessageId = FrameHeader.HandshakeId;
_expectedProtectionLevel = protectionLevel;
_expectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None;
_writeSequenceNumber = 0;
_readSequenceNumber = 0;
Interop.SspiCli.ContextFlags flags = Interop.SspiCli.ContextFlags.Connection;
// A workaround for the client when talking to Win9x on the server side.
if (protectionLevel == ProtectionLevel.None && !isServer)
{
package = NegotiationInfoClass.NTLM;
}
else if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
flags |= Interop.SspiCli.ContextFlags.Confidentiality;
}
else if (protectionLevel == ProtectionLevel.Sign)
{
// Assuming user expects NT4 SP4 and above.
flags |= Interop.SspiCli.ContextFlags.ReplayDetect | Interop.SspiCli.ContextFlags.SequenceDetect | Interop.SspiCli.ContextFlags.InitIntegrity;
}
if (isServer)
{
if (_extendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported)
{
flags |= Interop.SspiCli.ContextFlags.AllowMissingBindings;
}
if (_extendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never &&
_extendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy)
{
flags |= Interop.SspiCli.ContextFlags.ProxyBindings;
}
}
else
{
// Server side should not request any of these flags.
if (protectionLevel != ProtectionLevel.None)
{
flags |= Interop.SspiCli.ContextFlags.MutualAuth;
}
if (impersonationLevel == TokenImpersonationLevel.Identification)
{
flags |= Interop.SspiCli.ContextFlags.InitIdentify;
}
if (impersonationLevel == TokenImpersonationLevel.Delegation)
{
flags |= Interop.SspiCli.ContextFlags.Delegate;
}
}
_canRetryAuthentication = false;
try
{
_context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding);
}
catch (Win32Exception e)
{
throw new AuthenticationException(SR.net_auth_SSPI, e);
}
}
//
internal void ValidateCreateContext(
string package,
bool isServer,
NetworkCredential credential,
string servicePrincipalName,
ChannelBinding channelBinding,
ProtectionLevel protectionLevel,
TokenImpersonationLevel impersonationLevel
)
{
if (_Exception != null && !_CanRetryAuthentication)
{
throw _Exception;
}
if (_Context != null && _Context.IsValidContext)
{
throw new InvalidOperationException(SR.GetString(SR.net_auth_reauth));
}
if (credential == null)
{
throw new ArgumentNullException("credential");
}
if (servicePrincipalName == null)
{
throw new ArgumentNullException("servicePrincipalName");
}
if (impersonationLevel != TokenImpersonationLevel.Identification &&
impersonationLevel != TokenImpersonationLevel.Impersonation &&
impersonationLevel != TokenImpersonationLevel.Delegation)
{
throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.GetString(SR.net_auth_supported_impl_levels));
}
if (_Context != null && IsServer != isServer)
{
throw new InvalidOperationException(SR.GetString(SR.net_auth_client_server));
}
_Exception = null;
_RemoteOk = false;
_Framer = new StreamFramer(_InnerStream);
_Framer.WriteHeader.MessageId = FrameHeader.HandshakeId;
_ExpectedProtectionLevel = protectionLevel;
_ExpectedImpersonationLevel = isServer? impersonationLevel: TokenImpersonationLevel.None;
_WriteSequenceNumber = 0;
_ReadSequenceNumber = 0;
ContextFlags flags = ContextFlags.Connection;
// A workaround for the client when talking to Win9x on the server side
if (protectionLevel == ProtectionLevel.None && !isServer)
{
package = NegotiationInfoClass.NTLM;
}
else if (protectionLevel == ProtectionLevel.EncryptAndSign)
{
flags |= ContextFlags.Confidentiality;
}
else if (protectionLevel == ProtectionLevel.Sign)
{
// Assuming user expects NT4 SP4 and above
flags |= ContextFlags.ReplayDetect | ContextFlags.SequenceDetect | ContextFlags.InitIntegrity;
}
if (isServer)
{
if (_ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported)
{
flags |= ContextFlags.AllowMissingBindings;
}
if (_ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never &&
_ExtendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy)
{
flags |= ContextFlags.ProxyBindings;
}
}
else
{
// According to lzhu server side should not request any of these flags
if (protectionLevel != ProtectionLevel.None)
{
flags |= ContextFlags.MutualAuth;
}
if (impersonationLevel == TokenImpersonationLevel.Identification)
{
flags |= ContextFlags.InitIdentify;
}
if (impersonationLevel == TokenImpersonationLevel.Delegation)
{
flags |= ContextFlags.Delegate;
}
}
_CanRetryAuthentication = false;
//
// Security: We used to rely on NetworkCredential class to demand permission
// Switched over to explicit ControlPrincipalPermission demand (except for DefaultCredential case)
// The mitigated attack is brute-force pasword guessing through SSPI.
if (!(credential is SystemNetworkCredential))
{
ExceptionHelper.ControlPrincipalPermission.Demand();
}
try {
//
_Context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding);
}
catch (Win32Exception e)
{
throw new AuthenticationException(SR.GetString(SR.net_auth_SSPI), e);
}
}
