/// <summary> /// get constructed claim for the specified principal /// </summary> /// <param name="principal">target principal</param> /// <returns>a CLAIM_ENTRY if the specified principal is a member of an authentication silo</returns> CLAIM_ENTRY?getAuthSiloClaim(DirectoryEntry principal) { //AuthSiloClaim is not issued until the domain functional level is at DS_BEHAVIOR_WIN2012R2 or higher. using (DirectoryEntry root = new DirectoryEntry("LDAP://" + domainNC)) { if (root.Properties[ConstValue.msDSBehaviorVersion] == null) { return(null); } if ((root.Properties[ConstValue.msDSBehaviorVersion] == null) || (int.Parse(root.Properties[ConstValue.msDSBehaviorVersion].Value.ToString()) < ConstValue.WinSvr2012R2)) { return(null); } if ((principal.Properties[ConstValue.msDSAssignedAuthNPolicySilo] == null) || (principal.Properties[ConstValue.msDSAssignedAuthNPolicySilo].Value == null)) { return(null); } //Check if user is assigned to an enforced silo. using (DirectoryEntry assignedSilo = new DirectoryEntry("LDAP://" + principal.Properties[ConstValue.msDSAssignedAuthNPolicySilo].Value.ToString())) { if ((assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloEnforced] == null) || (!bool.Parse(assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloEnforced].Value.ToString()))) { return(null); } if (assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloMembers] == null) { return(null); } //Check if silo is configured with the user as a member. bool memberOfSilo = false; string dn = principal.Properties[ConstValue.distinguishedname].Value.ToString(); foreach (var siloMember in assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloMembers]) { if (siloMember.Equals(dn)) { memberOfSilo = true; break; } } if (memberOfSilo == false) { return(null); } //Fill in the claim details and return the claim. CLAIM_ENTRY claim = new CLAIM_ENTRY(); claim.Id = ConstValue.authSiloClaimName; claim.Type = CLAIM_TYPE.CLAIM_TYPE_STRING; claim.Values.Struct3 = new CLAIM_TYPE_VALUE_LPWSTR(); claim.Values.Struct3.ValueCount = 1; claim.Values.Struct3.StringValues = new string[] { assignedSilo.Properties[ConstValue.name].Value.ToString() }; return(claim); } } }
/// <summary> /// get constructed claim for the specified principal /// </summary> /// <param name="principal">target principal</param> /// <returns>a CLAIM_ENTRY if the specified principal is a member of an authentication silo</returns> CLAIM_ENTRY? getAuthSiloClaim(DirectoryEntry principal) { //AuthSiloClaim is not issued until the domain functional level is at DS_BEHAVIOR_WIN2012R2 or higher. using (DirectoryEntry root = new DirectoryEntry("LDAP://" + domainNC)) { if (root.Properties[ConstValue.msDSBehaviorVersion] == null) { return null; } if ((root.Properties[ConstValue.msDSBehaviorVersion] == null) || (int.Parse(root.Properties[ConstValue.msDSBehaviorVersion].Value.ToString()) < ConstValue.WinSvr2012R2)) { return null; } if ((principal.Properties[ConstValue.msDSAssignedAuthNPolicySilo] == null) || (principal.Properties[ConstValue.msDSAssignedAuthNPolicySilo].Value == null)) { return null; } //Check if user is assigned to an enforced silo. using (DirectoryEntry assignedSilo = new DirectoryEntry("LDAP://" + principal.Properties[ConstValue.msDSAssignedAuthNPolicySilo].Value.ToString())) { if ((assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloEnforced] == null) || (!bool.Parse(assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloEnforced].Value.ToString()))) { return null; } if (assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloMembers] == null) { return null; } //Check if silo is configured with the user as a member. bool memberOfSilo = false; string dn = principal.Properties[ConstValue.distinguishedname].Value.ToString(); foreach (var siloMember in assignedSilo.Properties[ConstValue.msDSAuthNPolicySiloMembers]) { if (siloMember.Equals(dn)) { memberOfSilo = true; break; } } if (memberOfSilo == false) { return null; } //Fill in the claim details and return the claim. CLAIM_ENTRY claim = new CLAIM_ENTRY(); claim.Id = ConstValue.authSiloClaimName; claim.Type = CLAIM_TYPE.CLAIM_TYPE_STRING; claim.Values.Struct3 = new CLAIM_TYPE_VALUE_LPWSTR(); claim.Values.Struct3.ValueCount = 1; claim.Values.Struct3.StringValues = new string[] { assignedSilo.Properties[ConstValue.name].Value.ToString() }; return claim; } } }