-
Notifications
You must be signed in to change notification settings - Fork 9.8k
/
PostConfigureNegotiateOptions.cs
93 lines (82 loc) · 3.83 KB
/
PostConfigureNegotiateOptions.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Hosting.Server;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Authentication.Negotiate;
/// <summary>
/// Reconfigures the NegotiateOptions to defer to the integrated server authentication if present.
/// </summary>
public class PostConfigureNegotiateOptions : IPostConfigureOptions<NegotiateOptions>
{
private readonly IServerIntegratedAuth? _serverAuth;
private readonly ILogger<NegotiateHandler> _logger;
/// <summary>
/// Creates a new <see cref="PostConfigureNegotiateOptions"/>
/// </summary>
/// <param name="serverAuthServices"></param>
/// <param name="logger"></param>
public PostConfigureNegotiateOptions(IEnumerable<IServerIntegratedAuth> serverAuthServices, ILogger<NegotiateHandler> logger)
{
_serverAuth = serverAuthServices.LastOrDefault();
_logger = logger;
}
/// <summary>
/// Invoked to post configure a TOptions instance.
/// </summary>
/// <param name="name">The name of the options instance being configured.</param>
/// <param name="options">The options instance to configure.</param>
public void PostConfigure(string? name, NegotiateOptions options)
{
// If the server supports integrated authentication...
if (_serverAuth != null)
{
// And it's on...
if (_serverAuth.IsEnabled)
{
// Forward to the server if something else wasn't already configured.
if (options.ForwardDefault == null)
{
Debug.Assert(_serverAuth.AuthenticationScheme != null);
options.ForwardDefault = _serverAuth.AuthenticationScheme;
options.DeferToServer = true;
_logger.Deferring();
}
}
// Otherwise fail, you shouldn't be using this auth handler on a server that supports integrated auth.
else
{
throw new InvalidOperationException("The Negotiate Authentication handler cannot be used on a server that directly supports Windows Authentication."
+ " Enable Windows Authentication for the server and the Negotiate Authentication handler will defer to it.");
}
}
var ldapSettings = options.LdapSettings;
if (ldapSettings.EnableLdapClaimResolution)
{
ldapSettings.Validate();
if (ldapSettings.LdapConnection == null)
{
var di = new LdapDirectoryIdentifier(server: ldapSettings.Domain, fullyQualifiedDnsHostName: true, connectionless: false);
if (string.IsNullOrEmpty(ldapSettings.MachineAccountName))
{
// Use default credentials
ldapSettings.LdapConnection = new LdapConnection(di);
}
else
{
// Use specific specific machine account
var machineAccount = ldapSettings.MachineAccountName + "@" + ldapSettings.Domain;
var credentials = new NetworkCredential(machineAccount, ldapSettings.MachineAccountPassword);
ldapSettings.LdapConnection = new LdapConnection(di, credentials);
}
ldapSettings.LdapConnection.SessionOptions.ProtocolVersion = 3; //Setting LDAP Protocol to latest version
ldapSettings.LdapConnection.Timeout = TimeSpan.FromMinutes(1);
}
ldapSettings.LdapConnection.Bind(); // This line actually makes the connection.
}
}
}