示例#1
0
        //
        internal void ValidateCreateContext(
                                            string package,
                                            bool isServer,
                                            NetworkCredential credential,
                                            string servicePrincipalName,
                                            ChannelBinding channelBinding,
                                            ProtectionLevel         protectionLevel,
                                            TokenImpersonationLevel impersonationLevel
                                            )
        {

            if (_Exception != null && !_CanRetryAuthentication) {
                throw _Exception;
            }

            if (_Context != null && _Context.IsValidContext) {
                throw new InvalidOperationException(SR.GetString(SR.net_auth_reauth));
            }

            if (credential == null) {
                throw new ArgumentNullException("credential");
            }

            if (servicePrincipalName == null) {
                throw new ArgumentNullException("servicePrincipalName");
            }

            if (impersonationLevel != TokenImpersonationLevel.Identification &&
                impersonationLevel != TokenImpersonationLevel.Impersonation &&
                impersonationLevel != TokenImpersonationLevel.Delegation)
            {
                throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.GetString(SR.net_auth_supported_impl_levels));
            }

            if (_Context != null && IsServer != isServer) {
                throw new InvalidOperationException(SR.GetString(SR.net_auth_client_server));
            }

            _Exception = null;
            _RemoteOk = false;
            _Framer = new StreamFramer(_InnerStream);
            _Framer.WriteHeader.MessageId = FrameHeader.HandshakeId;

            _ExpectedProtectionLevel    = protectionLevel;
            _ExpectedImpersonationLevel = isServer? impersonationLevel: TokenImpersonationLevel.None;
            _WriteSequenceNumber        = 0;
            _ReadSequenceNumber         = 0;

            ContextFlags flags = ContextFlags.Connection;

            // A workaround for the client when talking to Win9x on the server side
            if (protectionLevel == ProtectionLevel.None && !isServer)
            {
                package = NegotiationInfoClass.NTLM;
            }

            else if (protectionLevel == ProtectionLevel.EncryptAndSign)
            {
                flags |= ContextFlags.Confidentiality;
            }
            else if (protectionLevel == ProtectionLevel.Sign)
            {
                // Assuming user expects NT4 SP4 and above
                flags |= ContextFlags.ReplayDetect | ContextFlags.SequenceDetect | ContextFlags.InitIntegrity;
            }

            if (isServer)
            {
                if (_ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported) { flags |= ContextFlags.AllowMissingBindings; }
                if (_ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never &&
                    _ExtendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy)
                {
                    flags |= ContextFlags.ProxyBindings;
                }
            }
            else
            {
                // According to lzhu server side should not request any of these flags
                if (protectionLevel != ProtectionLevel.None)                        {flags |= ContextFlags.MutualAuth;}
                if (impersonationLevel == TokenImpersonationLevel.Identification)   {flags |= ContextFlags.InitIdentify;}
                if (impersonationLevel == TokenImpersonationLevel.Delegation)       {flags |= ContextFlags.Delegate;}
            }
            

            _CanRetryAuthentication = false;

            //
            // Security: We used to rely on NetworkCredential class to demand permission
            //           Switched over to explicit ControlPrincipalPermission demand (except for DefaultCredential case)
            //           The mitigated attack is brute-force pasword guessing through SSPI.
            if (!(credential is SystemNetworkCredential))
                ExceptionHelper.ControlPrincipalPermission.Demand();

            try {
                //
                _Context = new NTAuthentication(isServer, package, credential, servicePrincipalName, flags, channelBinding);
            }
            catch (Win32Exception e)
            {
                throw new AuthenticationException(SR.GetString(SR.net_auth_SSPI), e);
            }
        }
 internal void ValidateCreateContext(string package, bool isServer, NetworkCredential credential, string servicePrincipalName, ChannelBinding channelBinding, ProtectionLevel protectionLevel, TokenImpersonationLevel impersonationLevel)
 {
     if ((this._Exception != null) && !this._CanRetryAuthentication)
     {
         throw this._Exception;
     }
     if ((this._Context != null) && this._Context.IsValidContext)
     {
         throw new InvalidOperationException(SR.GetString("net_auth_reauth"));
     }
     if (credential == null)
     {
         throw new ArgumentNullException("credential");
     }
     if (servicePrincipalName == null)
     {
         throw new ArgumentNullException("servicePrincipalName");
     }
     if (ComNetOS.IsWin9x && (protectionLevel != ProtectionLevel.None))
     {
         throw new NotSupportedException(SR.GetString("net_auth_no_protection_on_win9x"));
     }
     if (((impersonationLevel != TokenImpersonationLevel.Identification) && (impersonationLevel != TokenImpersonationLevel.Impersonation)) && (impersonationLevel != TokenImpersonationLevel.Delegation))
     {
         throw new ArgumentOutOfRangeException("impersonationLevel", impersonationLevel.ToString(), SR.GetString("net_auth_supported_impl_levels"));
     }
     if ((this._Context != null) && (this.IsServer != isServer))
     {
         throw new InvalidOperationException(SR.GetString("net_auth_client_server"));
     }
     this._Exception = null;
     this._RemoteOk = false;
     this._Framer = new StreamFramer(this._InnerStream);
     this._Framer.WriteHeader.MessageId = 0x16;
     this._ExpectedProtectionLevel = protectionLevel;
     this._ExpectedImpersonationLevel = isServer ? impersonationLevel : TokenImpersonationLevel.None;
     this._WriteSequenceNumber = 0;
     this._ReadSequenceNumber = 0;
     ContextFlags connection = ContextFlags.Connection;
     if ((protectionLevel == ProtectionLevel.None) && !isServer)
     {
         package = "NTLM";
     }
     else if (protectionLevel == ProtectionLevel.EncryptAndSign)
     {
         connection |= ContextFlags.Confidentiality;
     }
     else if (protectionLevel == ProtectionLevel.Sign)
     {
         connection |= ContextFlags.AcceptStream | ContextFlags.SequenceDetect | ContextFlags.ReplayDetect;
     }
     if (isServer)
     {
         if (this._ExtendedProtectionPolicy.PolicyEnforcement == PolicyEnforcement.WhenSupported)
         {
             connection |= ContextFlags.AllowMissingBindings;
         }
         if ((this._ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Never) && (this._ExtendedProtectionPolicy.ProtectionScenario == ProtectionScenario.TrustedProxy))
         {
             connection |= ContextFlags.ProxyBindings;
         }
     }
     else
     {
         if (protectionLevel != ProtectionLevel.None)
         {
             connection |= ContextFlags.MutualAuth;
         }
         if (impersonationLevel == TokenImpersonationLevel.Identification)
         {
             connection |= ContextFlags.AcceptIntegrity;
         }
         if (impersonationLevel == TokenImpersonationLevel.Delegation)
         {
             connection |= ContextFlags.Delegate;
         }
     }
     this._CanRetryAuthentication = false;
     if (!(credential is SystemNetworkCredential))
     {
         ExceptionHelper.ControlPrincipalPermission.Demand();
     }
     try
     {
         this._Context = new NTAuthentication(isServer, package, credential, servicePrincipalName, connection, channelBinding);
     }
     catch (Win32Exception exception)
     {
         throw new AuthenticationException(SR.GetString("net_auth_SSPI"), exception);
     }
 }