protected override SspiNegotiationTokenProviderState CreateNegotiationState(EndpointAddress target, Uri via, TimeSpan timeout) { EnsureEndpointAddressDoesNotRequireEncryption(target); EndpointIdentity identity = null; if (this.identityVerifier == null) { identity = target.Identity; } else { this.identityVerifier.TryGetIdentity(target, out identity); } string spn; if (this.AuthenticateServer || !this.AllowNtlm) { spn = SecurityUtils.GetSpnFromIdentity(identity, target); } else { // if an SPN or UPN identity is configured (for example, in mixed mode SSPI), then // use that identity for Negotiate Claim identityClaim = identity.IdentityClaim; if (identityClaim != null && (identityClaim.ClaimType == ClaimTypes.Spn || identityClaim.ClaimType == ClaimTypes.Upn)) { spn = identityClaim.Resource.ToString(); } else { spn = "host/" + target.Uri.DnsSafeHost; } } string packageName; if (!this.allowNtlm && !SecurityUtils.IsOsGreaterThanXP()) { packageName = "Kerberos"; } else { packageName = "Negotiate"; } WindowsSspiNegotiation sspiNegotiation = new WindowsSspiNegotiation(packageName, this.credentialsHandle, this.AllowedImpersonationLevel, spn, true, this.InteractiveNegoExLogonEnabled, this.allowNtlm); return(new SspiNegotiationTokenProviderState(sspiNegotiation)); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (!windowsNegotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } if (this.AuthenticateServer && !windowsNegotiation.IsMutualAuthFlag) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("CannotAuthenticateServer"))); } SecurityTraceRecordHelper.TraceClientSpnego(windowsNegotiation); return(System.ServiceModel.Security.SecurityUtils.CreatePrincipalNameAuthorizationPolicies(windowsNegotiation.ServicePrincipalName)); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (!windowsNegotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation); if (base.IsClientAnonymous) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } using (System.IdentityModel.SafeCloseHandle handle = windowsNegotiation.GetContextToken()) { WindowsIdentity identity = new WindowsIdentity(handle.DangerousGetHandle(), windowsNegotiation.ProtocolName); System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, this.AllowUnauthenticatedCallers); List <IAuthorizationPolicy> list = new List <IAuthorizationPolicy>(1); WindowsClaimSet issuance = new WindowsClaimSet(identity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false); list.Add(new UnconditionalPolicy(issuance, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime))); return(list.AsReadOnly()); } }
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri) { ISspiNegotiation windowsNegotiation = new WindowsSspiNegotiation("Negotiate", this.credentialsHandle, DefaultServiceBinding); return new SspiNegotiationTokenAuthenticatorState(windowsNegotiation); }
protected override SspiNegotiationTokenAuthenticatorState CreateSspiState(byte[] incomingBlob, string incomingValueTypeUri) { ISspiNegotiation windowsNegotiation = new WindowsSspiNegotiation("Negotiate", this.credentialsHandle, DefaultServiceBinding); return(new SspiNegotiationTokenAuthenticatorState(windowsNegotiation)); }
protected override SspiNegotiationTokenProviderState CreateNegotiationState(EndpointAddress target, Uri via, TimeSpan timeout) { EnsureEndpointAddressDoesNotRequireEncryption(target); EndpointIdentity identity = null; if (this.identityVerifier == null) { identity = target.Identity; } else { this.identityVerifier.TryGetIdentity(target, out identity); } string spn; if (this.AuthenticateServer || !this.AllowNtlm) { spn = SecurityUtils.GetSpnFromIdentity(identity, target); } else { // if an SPN or UPN identity is configured (for example, in mixed mode SSPI), then // use that identity for Negotiate Claim identityClaim = identity.IdentityClaim; if (identityClaim != null && (identityClaim.ClaimType == ClaimTypes.Spn || identityClaim.ClaimType == ClaimTypes.Upn)) { spn = identityClaim.Resource.ToString(); } else { spn = "host/" + target.Uri.DnsSafeHost; } } string packageName; if (!this.allowNtlm && !SecurityUtils.IsOsGreaterThanXP()) { packageName = "Kerberos"; } else { packageName = "Negotiate"; } WindowsSspiNegotiation sspiNegotiation = new WindowsSspiNegotiation(packageName, this.credentialsHandle, this.AllowedImpersonationLevel, spn, true, this.InteractiveNegoExLogonEnabled, this.allowNtlm); return new SspiNegotiationTokenProviderState(sspiNegotiation); }