protected override SspiNegotiationTokenProviderState CreateNegotiationState(EndpointAddress target, Uri via, TimeSpan timeout)
{
EnsureEndpointAddressDoesNotRequireEncryption(target);
EndpointIdentity identity = null;
if (this.identityVerifier == null)
{
identity = target.Identity;
}
else
{
this.identityVerifier.TryGetIdentity(target, out identity);
}
string spn;
if (this.AuthenticateServer || !this.AllowNtlm)
{
spn = SecurityUtils.GetSpnFromIdentity(identity, target);
}
else
{
// if an SPN or UPN identity is configured (for example, in mixed mode SSPI), then
// use that identity for Negotiate
Claim identityClaim = identity.IdentityClaim;
if (identityClaim != null && (identityClaim.ClaimType == ClaimTypes.Spn || identityClaim.ClaimType == ClaimTypes.Upn))
{
spn = identityClaim.Resource.ToString();
}
else
{
spn = "host/" + target.Uri.DnsSafeHost;
}
}
string packageName;
if (!this.allowNtlm && !SecurityUtils.IsOsGreaterThanXP())
{
packageName = "Kerberos";
}
else
{
packageName = "Negotiate";
}
WindowsSspiNegotiation sspiNegotiation = new WindowsSspiNegotiation(packageName, this.credentialsHandle,
this.AllowedImpersonationLevel, spn, true, this.InteractiveNegoExLogonEnabled, this.allowNtlm);
return(new SspiNegotiationTokenProviderState(sspiNegotiation));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (!windowsNegotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
if (this.AuthenticateServer && !windowsNegotiation.IsMutualAuthFlag)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("CannotAuthenticateServer")));
}
SecurityTraceRecordHelper.TraceClientSpnego(windowsNegotiation);
return(System.ServiceModel.Security.SecurityUtils.CreatePrincipalNameAuthorizationPolicies(windowsNegotiation.ServicePrincipalName));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (!windowsNegotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation);
if (base.IsClientAnonymous)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
using (System.IdentityModel.SafeCloseHandle handle = windowsNegotiation.GetContextToken())
{
WindowsIdentity identity = new WindowsIdentity(handle.DangerousGetHandle(), windowsNegotiation.ProtocolName);
System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, this.AllowUnauthenticatedCallers);
List <IAuthorizationPolicy> list = new List <IAuthorizationPolicy>(1);
WindowsClaimSet issuance = new WindowsClaimSet(identity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false);
list.Add(new UnconditionalPolicy(issuance, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime)));
return(list.AsReadOnly());
}
}
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri)
{
ISspiNegotiation windowsNegotiation = new WindowsSspiNegotiation("Negotiate", this.credentialsHandle, DefaultServiceBinding);
return new SspiNegotiationTokenAuthenticatorState(windowsNegotiation);
}
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri)
{
ISspiNegotiation windowsNegotiation = new WindowsSspiNegotiation("Negotiate", this.credentialsHandle, DefaultServiceBinding);
return(new SspiNegotiationTokenAuthenticatorState(windowsNegotiation));
}
protected override SspiNegotiationTokenProviderState CreateNegotiationState(EndpointAddress target, Uri via, TimeSpan timeout)
{
EnsureEndpointAddressDoesNotRequireEncryption(target);
EndpointIdentity identity = null;
if (this.identityVerifier == null)
{
identity = target.Identity;
}
else
{
this.identityVerifier.TryGetIdentity(target, out identity);
}
string spn;
if (this.AuthenticateServer || !this.AllowNtlm)
{
spn = SecurityUtils.GetSpnFromIdentity(identity, target);
}
else
{
// if an SPN or UPN identity is configured (for example, in mixed mode SSPI), then
// use that identity for Negotiate
Claim identityClaim = identity.IdentityClaim;
if (identityClaim != null && (identityClaim.ClaimType == ClaimTypes.Spn || identityClaim.ClaimType == ClaimTypes.Upn))
{
spn = identityClaim.Resource.ToString();
}
else
{
spn = "host/" + target.Uri.DnsSafeHost;
}
}
string packageName;
if (!this.allowNtlm && !SecurityUtils.IsOsGreaterThanXP())
{
packageName = "Kerberos";
}
else
{
packageName = "Negotiate";
}
WindowsSspiNegotiation sspiNegotiation = new WindowsSspiNegotiation(packageName, this.credentialsHandle,
this.AllowedImpersonationLevel, spn, true, this.InteractiveNegoExLogonEnabled, this.allowNtlm);
return new SspiNegotiationTokenProviderState(sspiNegotiation);
}
