You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
385 lines
9.3 KiB
385 lines
9.3 KiB
///////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Copyright (c) Microsoft Corporation
|
|
//
|
|
// SYNOPSIS
|
|
//
|
|
// Defines the class AccountValidation.
|
|
//
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
#include <ias.h>
|
|
#include <ntsamuser.h>
|
|
#include <autohdl.h>
|
|
#include <iaslsa.h>
|
|
#include <iasntds.h>
|
|
#include <iastlutl.h>
|
|
#include <lmaccess.h>
|
|
#include <samutil.h>
|
|
#include <sdoias.h>
|
|
|
|
//////////
|
|
// Attributes that should be retrieved for each user.
|
|
//////////
|
|
const PCWSTR PER_USER_ATTRS[] =
|
|
{
|
|
L"userAccountControl",
|
|
L"accountExpires",
|
|
L"logonHours",
|
|
L"tokenGroups",
|
|
L"objectSid",
|
|
NULL
|
|
};
|
|
|
|
|
|
//////////
|
|
//
|
|
// Process an LDAP response.
|
|
//
|
|
// Based on the empirical evidence, it seems that userAccountControl and
|
|
// accountExpires are always present while logonHours is optional. However,
|
|
// none of these attributes are marked as mandatory in the LDAP schema. Since
|
|
// we have already done a rudimentary access check at bind, we will allow any
|
|
// of these attributes to be absent.
|
|
//
|
|
//////////
|
|
inline
|
|
DWORD
|
|
ValidateLdapResponse(
|
|
IASTL::IASRequest& request,
|
|
LDAPMessage* msg
|
|
)
|
|
{
|
|
// Retrieve the connection for this message.
|
|
LDAP* ld = ldap_conn_from_msg(NULL, msg);
|
|
|
|
PWCHAR *str;
|
|
PLDAP_BERVAL *data1, *data2;
|
|
|
|
// There is exactly one entry.
|
|
LDAPMessage* e = ldap_first_entry(ld, msg);
|
|
|
|
//////////
|
|
// Check the UserAccountControl flags.
|
|
//////////
|
|
|
|
ULONG userAccountControl;
|
|
str = ldap_get_valuesW(ld, e, L"userAccountControl");
|
|
if (str)
|
|
{
|
|
userAccountControl = (ULONG)_wtoi64(*str);
|
|
ldap_value_freeW(str);
|
|
|
|
if (userAccountControl & UF_ACCOUNTDISABLE)
|
|
{
|
|
return ERROR_ACCOUNT_DISABLED;
|
|
}
|
|
|
|
if (userAccountControl & UF_LOCKOUT)
|
|
{
|
|
return ERROR_ACCOUNT_LOCKED_OUT;
|
|
}
|
|
}
|
|
|
|
//////////
|
|
// Retrieve AccountExpires.
|
|
//////////
|
|
|
|
LARGE_INTEGER accountExpires;
|
|
str = ldap_get_valuesW(ld, e, L"accountExpires");
|
|
if (str)
|
|
{
|
|
accountExpires.QuadPart = _wtoi64(*str);
|
|
ldap_value_freeW(str);
|
|
}
|
|
else
|
|
{
|
|
accountExpires.QuadPart = 0;
|
|
}
|
|
|
|
//////////
|
|
// Retrieve LogonHours.
|
|
//////////
|
|
|
|
IAS_LOGON_HOURS logonHours;
|
|
data1 = ldap_get_values_lenW(ld, e, L"logonHours");
|
|
if (data1 != NULL)
|
|
{
|
|
logonHours.UnitsPerWeek = 8 * (USHORT)data1[0]->bv_len;
|
|
logonHours.LogonHours = (PUCHAR)data1[0]->bv_val;
|
|
}
|
|
else
|
|
{
|
|
logonHours.UnitsPerWeek = 0;
|
|
logonHours.LogonHours = NULL;
|
|
}
|
|
|
|
//////////
|
|
// Check the account restrictions.
|
|
//////////
|
|
|
|
DWORD status;
|
|
LARGE_INTEGER sessionTimeout;
|
|
status = IASCheckAccountRestrictions(
|
|
&accountExpires,
|
|
&logonHours,
|
|
&sessionTimeout
|
|
);
|
|
|
|
InsertInternalTimeout(request, sessionTimeout);
|
|
|
|
ldap_value_free_len(data1);
|
|
|
|
if (status != NO_ERROR) { return status; }
|
|
|
|
//////////
|
|
// Retrieve tokenGroups and objectSid.
|
|
//////////
|
|
|
|
data1 = ldap_get_values_lenW(ld, e, L"tokenGroups");
|
|
data2 = ldap_get_values_lenW(ld, e, L"objectSid");
|
|
|
|
PTOKEN_GROUPS allGroups;
|
|
ULONG length;
|
|
if (data1 && data2)
|
|
{
|
|
// Allocate memory for the TOKEN_GROUPS struct.
|
|
ULONG numGroups = ldap_count_values_len(data1);
|
|
PTOKEN_GROUPS tokenGroups =
|
|
(PTOKEN_GROUPS)_alloca(
|
|
FIELD_OFFSET(TOKEN_GROUPS, Groups) +
|
|
sizeof(SID_AND_ATTRIBUTES) * numGroups
|
|
);
|
|
|
|
// Store the number of groups.
|
|
tokenGroups->GroupCount = numGroups;
|
|
|
|
// Store the group SIDs.
|
|
for (ULONG i = 0; i < numGroups; ++i)
|
|
{
|
|
tokenGroups->Groups[i].Sid = (PSID)data1[i]->bv_val;
|
|
tokenGroups->Groups[i].Attributes = SE_GROUP_ENABLED;
|
|
}
|
|
|
|
// Expand the group membership locally.
|
|
status = IASGetAliasMembership(
|
|
(PSID)data2[0]->bv_val,
|
|
tokenGroups,
|
|
CoTaskMemAlloc,
|
|
&allGroups,
|
|
&length
|
|
);
|
|
}
|
|
else
|
|
{
|
|
status = ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
ldap_value_free_len(data1);
|
|
ldap_value_free_len(data2);
|
|
|
|
if (status != NO_ERROR) { return status; }
|
|
|
|
//////////
|
|
// Initialize and store the attribute.
|
|
//////////
|
|
|
|
IASTL::IASAttribute attr(true);
|
|
attr->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
|
|
attr->Value.itType = IASTYPE_OCTET_STRING;
|
|
attr->Value.OctetString.dwLength = length;
|
|
attr->Value.OctetString.lpValue = (PBYTE)allGroups;
|
|
|
|
attr.store(request);
|
|
|
|
return NO_ERROR;
|
|
}
|
|
|
|
|
|
HRESULT AccountValidation::Initialize()
|
|
{
|
|
return IASNtdsInitialize();
|
|
}
|
|
|
|
|
|
HRESULT AccountValidation::Shutdown() throw ()
|
|
{
|
|
IASNtdsUninitialize();
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
IASREQUESTSTATUS AccountValidation::onSyncRequest(IRequest* pRequest) throw ()
|
|
{
|
|
try
|
|
{
|
|
IASTL::IASRequest request(pRequest);
|
|
|
|
//////////
|
|
// Only process requests that don't have Token-Groups already.
|
|
//////////
|
|
|
|
IASTL::IASAttribute tokenGroups;
|
|
if (!tokenGroups.load(
|
|
request,
|
|
IAS_ATTRIBUTE_TOKEN_GROUPS,
|
|
IASTYPE_OCTET_STRING
|
|
))
|
|
{
|
|
//////////
|
|
// Extract the NT4-Account-Name attribute.
|
|
//////////
|
|
|
|
IASTL::IASAttribute identity;
|
|
if (identity.load(
|
|
request,
|
|
IAS_ATTRIBUTE_NT4_ACCOUNT_NAME,
|
|
IASTYPE_STRING
|
|
))
|
|
{
|
|
//////////
|
|
// Convert the User-Name to SAM format.
|
|
//////////
|
|
|
|
SamExtractor extractor(*identity);
|
|
PCWSTR domain = extractor.getDomain();
|
|
PCWSTR username = extractor.getUsername();
|
|
|
|
IASTracePrintf(
|
|
"Validating Windows account %S\\%S.",
|
|
domain,
|
|
username
|
|
);
|
|
|
|
//////////
|
|
// Validate the account.
|
|
//////////
|
|
|
|
if (!tryNativeMode(request, domain, username))
|
|
{
|
|
doDownlevel(request, domain, username);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch (const _com_error& ce)
|
|
{
|
|
IASTraceExcept();
|
|
IASProcessFailure(pRequest, ce.Error());
|
|
}
|
|
|
|
return IAS_REQUEST_STATUS_CONTINUE;
|
|
}
|
|
|
|
|
|
void AccountValidation::doDownlevel(
|
|
IASTL::IASRequest& request,
|
|
PCWSTR domainName,
|
|
PCWSTR username
|
|
)
|
|
{
|
|
IASTraceString("Using downlevel APIs to validate account.");
|
|
|
|
//////////
|
|
// Inject the user's groups.
|
|
//////////
|
|
|
|
IASTL::IASAttribute groups(true);
|
|
|
|
DWORD status;
|
|
LARGE_INTEGER sessionTimeout;
|
|
status = IASGetGroupsForUser(
|
|
username,
|
|
domainName,
|
|
&CoTaskMemAlloc,
|
|
(PTOKEN_GROUPS*)&groups->Value.OctetString.lpValue,
|
|
&groups->Value.OctetString.dwLength,
|
|
&sessionTimeout
|
|
);
|
|
|
|
InsertInternalTimeout(request, sessionTimeout);
|
|
|
|
if (status == NO_ERROR)
|
|
{
|
|
// Insert the groups.
|
|
groups->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
|
|
groups->Value.itType = IASTYPE_OCTET_STRING;
|
|
groups.store(request);
|
|
|
|
IASTraceString("Successfully validated account.");
|
|
}
|
|
else
|
|
{
|
|
IASTraceFailure("IASGetGroupsForUser", status);
|
|
status = IASMapWin32Error(status, IAS_SERVER_UNAVAILABLE);
|
|
IASProcessFailure(request, status);
|
|
}
|
|
}
|
|
|
|
|
|
bool AccountValidation::tryNativeMode(
|
|
IASTL::IASRequest& request,
|
|
PCWSTR domainName,
|
|
PCWSTR username
|
|
)
|
|
{
|
|
//////////
|
|
// Only handle domain users.
|
|
//////////
|
|
|
|
if (IASGetRole() != IAS_ROLE_DC && IASIsDomainLocal(domainName))
|
|
{
|
|
return false;
|
|
}
|
|
|
|
//////////
|
|
// Query the DS.
|
|
//////////
|
|
|
|
DWORD error;
|
|
IASNtdsResult result;
|
|
error = IASNtdsQueryUserAttributes(
|
|
domainName,
|
|
username,
|
|
LDAP_SCOPE_BASE,
|
|
const_cast<PWCHAR*>(PER_USER_ATTRS),
|
|
&result
|
|
);
|
|
|
|
switch (error)
|
|
{
|
|
case NO_ERROR:
|
|
{
|
|
// We got something back, so validate the response.
|
|
error = ValidateLdapResponse(request, result.msg);
|
|
if (error == NO_ERROR)
|
|
{
|
|
IASTraceString("Successfully validated account.");
|
|
return true;
|
|
}
|
|
|
|
IASTraceFailure("ValidateLdapResponse", error);
|
|
break;
|
|
}
|
|
|
|
case ERROR_DS_NOT_INSTALLED:
|
|
case ERROR_INVALID_DOMAIN_ROLE:
|
|
{
|
|
// No DS, so we can't handle.
|
|
return false;
|
|
}
|
|
|
|
default:
|
|
{
|
|
// We have a DS for this user, but we can't talk to it.
|
|
break;
|
|
}
|
|
}
|
|
|
|
IASProcessFailure(
|
|
request,
|
|
IASMapWin32Error(error, IAS_DOMAIN_UNAVAILABLE)
|
|
);
|
|
|
|
return true;
|
|
}
|