archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
3.8 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/svcs/iiscrmap/iiscrmap.cxx

935 lines
19 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  7. opyright (c) 1996 Microsoft Corporation
  9. Module Name:
  11. iiscrmap.cxx
  13. Abstract:
  15. Certificate to NT account mapper
  17. Author:
  19. Philippe Choquier (phillich) 17-may-1996
  20. Alex Mallet (amallet) 13-Feb-1998
  22. --*/
  24. #ifdef __cplusplus
  25. extern "C" {
  26. #endif
  29. # include <nt.h>
  30. # include <ntrtl.h>
  31. # include <nturtl.h>
  32. # include <windows.h>
  34. #include <stdio.h>
  35. #if 1 // DBCS
  36. #include <mbstring.h>
  37. #endif
  39. #include <schnlsp.h>
  41. #include <wincrypt.h>
  42. #include <issperr.h>
  43. #include <certmap.h>
  44. #include <cmnull.hxx>
  45. #include <lmcons.h>
  47. #ifdef __cplusplus
  48. };
  49. #endif
  51. #include <iis64.h>
  52. #include <iiscrmap.hxx>
  54. extern "C" {
  56. #include <tchar.h>
  58. #include <iisfiltp.h>
  60. } // extern "C"
  62. #include <tslogon.hxx>
  64. #include <iismap.hxx>
  65. #include <iiscmr.hxx>
  66. #include "mapmsg.h"
  68. #include <dbgutil.h>
  69. #include <buffer.hxx>
  70. #include <ole2.h>
  71. #include <imd.h>
  72. #include <mb.hxx>
  73. #include <iiscnfgp.h>
  74. #include <reftrace.h>
  75. #include <iiscert.hxx>
  76. #include <iisctl.hxx>
  77. #include <capiutil.hxx>
  78. #include <sslinfo.hxx>
  80. #define CALLC WINAPI
  82. CRITICAL_SECTION g_csInitCritSec;
  83. DWORD g_dwNumLocators;
  84. extern MAPPER_VTABLE g_MapperVtable;
  85. HANDLE g_hModule;
  87. //
  88. //
  89. //
  90. DECLARE_DEBUG_PRINTS_OBJECT();
  91. #include <initguid.h>
  92. DEFINE_GUID(IisCrMapGuid,
  93. 0x784d8913, 0xaa8c, 0x11d2, 0x92, 0x5e, 0x00, 0xc0, 0x4f, 0x72, 0xd9, 0x0e);
  96. extern "C"
  97. BOOL
  98. WINAPI
  99. DLLEntry(
  100. HINSTANCE hDll,
  101. DWORD dwReason,
  102. LPVOID lpvReserved
  103. )
  104. {
  105. switch ( dwReason )
  106. {
  107. case DLL_PROCESS_ATTACH:
  109. #ifdef _NO_TRACING_
  110. CREATE_DEBUG_PRINT_OBJECT( "IISCRMAP" );
  111. #else
  112. CREATE_DEBUG_PRINT_OBJECT( "IISCRMAP" , IisCrMapGuid);
  113. #endif
  114. INITIALIZE_CRITICAL_SECTION( &g_csInitCritSec );
  115. g_dwNumLocators = 0;
  116. g_hModule = hDll;
  118. break;
  120. case DLL_PROCESS_DETACH:
  122. if ( g_dwNumLocators )
  123. {
  124. DBGPRINTF((DBG_CONTEXT,
  125. "Still have %d locators left !\n",
  126. g_dwNumLocators));
  127. }
  129. DELETE_DEBUG_PRINT_OBJECT();
  130. DeleteCriticalSection( &g_csInitCritSec );
  131. break;
  133. default:
  134. break;
  135. }
  137. return TRUE;
  138. }
  142. extern "C"
  143. DWORD CALLC
  144. CreateInstance(
  145. OUT HMAPPER** pHMapper
  146. )
  147. /*++
  149. Routine Description:
  151. Called to initialize the mapper
  153. Arguments:
  155. None
  157. Returns:
  159. Ptr to mapper vtable if success, otherwise NULL
  161. --*/
  162. {
  163. IisMapper *pMap;
  165. if ( !(pMap = (IisMapper*)LocalAlloc( LMEM_FIXED, sizeof(IisMapper) )) )
  166. {
  167. return SEC_E_INSUFFICIENT_MEMORY;
  168. }
  170. memcpy ( &pMap->mvtEntryPoints, &g_MapperVtable, sizeof(MAPPER_VTABLE) );
  172. pMap->hMapper.m_vtable = &pMap->mvtEntryPoints;
  173. pMap->hMapper.m_dwMapperVersion = MAPPER_INTERFACE_VER;
  174. pMap->hMapper.m_Reserved1 = NULL;
  175. pMap->lRefCount = 1;
  176. pMap->fIsIisCompliant = TRUE;
  177. pMap->hInst = (HINSTANCE)g_hModule;
  178. pMap->pCert11Mapper = NULL;
  179. pMap->pCertWMapper = NULL;
  180. pMap->pvInfo = NULL;
  182. pMap->dwSignature = IIS_MAPPER_SIGNATURE;
  184. *pHMapper = (HMAPPER*)pMap;
  186. return SEC_E_OK;
  187. }
  190. extern "C"
  191. LONG CALLC
  192. IisReferenceMapper(
  193. OUT HMAPPER* pMap
  194. )
  195. /*++
  197. Routine Description:
  199. Increment reference count to mapper
  201. Arguments:
  203. pMap - ptr to mapper struct
  205. Returns:
  207. Ref count
  209. --*/
  210. {
  211. LONG l;
  213. EnterCriticalSection( &g_csInitCritSec );
  214. l = ++((IisMapper*)pMap)->lRefCount;
  215. LeaveCriticalSection( &g_csInitCritSec );
  217. return l;
  218. }
  221. extern "C"
  222. LONG CALLC
  223. IisDeReferenceMapper(
  224. OUT HMAPPER* pMap
  225. )
  226. /*++
  228. Routine Description:
  230. Decrement reference count to mapper
  232. Arguments:
  234. pMap - ptr to mapper struct
  236. Returns:
  238. Ref count
  240. --*/
  241. {
  242. LONG l;
  244. EnterCriticalSection( &g_csInitCritSec );
  245. if ( !(l = --((IisMapper*)pMap)->lRefCount) )
  246. {
  247. LocalFree( pMap );
  248. }
  249. LeaveCriticalSection( &g_csInitCritSec );
  251. return l;
  252. }
  255. extern "C"
  256. DWORD CALLC
  257. IisGetChallenge(
  258. HMAPPER*,
  259. PBYTE,
  260. DWORD,
  261. PBYTE,
  262. LPDWORD
  263. )
  264. /*++
  266. Routine Description:
  268. Get challenge for auth sequence
  270. Arguments:
  272. Not used
  274. Returns:
  276. FALSE ( not supported )
  278. --*/
  279. {
  280. return SEC_E_UNSUPPORTED_FUNCTION;
  281. }
  284. extern "C"
  285. DWORD CALLC
  286. IisGetIssuerList(
  287. IN HMAPPER* phMapper,
  288. IN LPVOID pvReserved,
  289. OUT LPBYTE pIssuer,
  290. IN OUT DWORD * pdwIssuer
  291. )
  292. /*++
  294. Routine Description:
  296. Called to retrieve the list of preferred cert issuers
  298. Arguments:
  300. phMapper - pointer to mapper object
  301. pvReserved - nothing useful, right now
  302. pIssuer -- updated with ptr buffer of issuers. If NULL, caller wants to get size of buffer
  303. required for issuer list
  304. pdwIssuer -- updated with issuers buffer size
  306. Returns:
  308. SEC_E_* error code
  310. --*/
  311. {
  312. IIS_SSL_INFO *pSslInfo = (IIS_SSL_INFO *) ((IisMapper*) phMapper)->pvInfo;
  313. BOOL fSuccess = FALSE;
  315. //
  316. // Can't get at any instance-specific information, so we'll just pretend
  317. // that nothing happened
  318. //
  319. if ( !pSslInfo )
  320. {
  321. *pdwIssuer = 0;
  322. return SEC_E_OK;
  323. }
  325. //
  326. // Pull out all the trusted CAs
  327. //
  328. PCCERT_CONTEXT *apContexts = NULL;
  329. PCCERT_CONTEXT pCert = NULL;
  330. DWORD dwCertsFound = 0;
  331. DWORD dwCertsInCTL = 0;
  332. DWORD dwTotalSize = 0;
  333. DWORD dwPosition = 0;
  335. if ( !pSslInfo->GetTrustedIssuerCerts( &apContexts,
  336. &dwCertsFound ) )
  337. {
  338. return SEC_E_UNTRUSTED_ROOT;
  339. }
  342. //
  343. // Figure out total size of chain and whether the buffer passed in is big
  344. // enough. Each cert is to be encoded as [MSB of length] [LSB of length] [cert],
  345. // so two extra bytes need to be added to the length for each cert
  346. //
  347. for ( DWORD dwIndex = 0; dwIndex < dwCertsFound; dwIndex++ )
  348. {
  349. dwTotalSize += apContexts[dwIndex]->cbCertEncoded;
  350. }
  351. dwTotalSize += 2*dwCertsFound;
  353. //
  354. // Caller is only interested in size or buffer is too small
  355. //
  356. if ( !pIssuer || ( pIssuer &&
  357. (*pdwIssuer < dwTotalSize) ) )
  358. {
  359. *pdwIssuer = dwTotalSize;
  360. goto cleanup;
  361. }
  363. //
  364. // Fill in the cert info : [MSB of length] [LSB of length] [Actual cert]
  365. //
  366. for ( dwIndex = 0 ; dwIndex < dwCertsFound; dwIndex++ )
  367. {
  368. pIssuer[dwPosition++] = (BYTE) ((apContexts[dwIndex]->cbCertEncoded) & 0xFF00) >> 8;
  369. pIssuer[dwPosition++] = (BYTE) (apContexts[dwIndex]->cbCertEncoded) & 0xFF;
  370. memcpy( pIssuer + dwPosition, apContexts[dwIndex]->pbCertEncoded,
  371. apContexts[dwIndex]->cbCertEncoded );
  372. dwPosition += apContexts[dwIndex]->cbCertEncoded;
  373. }
  375. DBG_ASSERT( dwPosition == dwTotalSize );
  377. *pdwIssuer = dwTotalSize;
  379. fSuccess = TRUE;
  381. cleanup:
  382. if ( apContexts )
  383. {
  384. for ( dwIndex = 0; dwIndex < dwCertsFound; dwIndex++ )
  385. {
  386. CertFreeCertificateContext( apContexts[dwIndex] );
  387. }
  388. delete [] apContexts;
  389. }
  391. return fSuccess ? SEC_E_OK : SEC_E_UNTRUSTED_ROOT;
  393. #if 0
  394. return ((CIisCert11Mapper*)(((IisMapper*)phMapper)->pCert11Mapper))->GetIssuerBuffer( (LPBYTE)pIssuer, pdwIssuer );
  395. #endif
  396. }
  399. extern "C"
  400. __declspec( dllexport )
  401. DWORD CALLC
  402. MapperFree(
  403. LPVOID pvBuff
  404. )
  405. /*++
  407. Routine Description:
  409. Called to delete list of issuers returned by GetIssuerList
  411. Arguments:
  413. pvBuff -- ptr to buffer alloced by the mapper DLL
  415. Returns:
  417. SEC_E_* error code
  419. --*/
  420. {
  421. //
  422. // Dead code, I believe
  423. //
  424. DBG_ASSERT( TRUE );
  426. LocalFree( pvBuff );
  428. return SEC_E_OK;
  429. }
  433. extern "C"
  434. BOOL CALLC
  435. TerminateMapper(
  436. VOID
  437. )
  438. /*++
  440. Routine Description:
  442. Called to terminate the mapper
  444. Arguments:
  446. None
  448. Returns:
  450. --*/
  451. {
  452. return TRUE;
  453. }
  456. extern "C"
  457. DWORD CALLC
  458. IisMapCredential(
  459. IN HMAPPER * phMapper,
  460. IN DWORD dwCredentialType,
  461. IN PVOID pCredential,
  462. IN PVOID pAuthority,
  463. OUT HLOCATOR * phToken
  464. )
  465. /*++
  467. Routine Description:
  469. Called to map a certificate to a NT account
  471. Arguments:
  473. phMapper - ptr to hmapper struct
  474. dwCredentialType -- type of credential
  475. pCredential - ptr to client cert
  476. pAuthority - ptr to Certifying Authority cert
  477. phToken -- updated with impersonation access token
  479. Returns:
  481. SEC_E_* error code
  483. --*/
  484. {
  485. CIisMapping * pQuery = NULL;
  486. CIisMapping * pResult = NULL;
  487. BOOL fSt;
  488. LPSTR pAcct;
  489. LPSTR pPwd;
  490. LPSTR pA;
  491. DWORD dwA;
  492. DWORD dwD;
  493. int x;
  494. BOOL fAllocedAcct = FALSE;
  495. CHAR achDomain[256];
  496. CHAR achUser[64];
  497. CHAR achCookie[64];
  498. CIisCert11Mapper* pCertMapper;
  499. CIisRuleMapper* pCertWildcard;
  500. LPSTR pEnabled;
  501. DWORD dwE;
  502. DWORD dwP;
  503. CHAR achPwd[PWLEN + 1];
  504. PCERT_CONTEXT pClientCert = (PCERT_CONTEXT) pCredential;
  506. DBG_ASSERT( pClientCert );
  508. //
  509. // Reject request if we do not understand the format
  510. //
  512. if ( dwCredentialType != X509_ASN_CHAIN )
  513. {
  514. SetLastError( ERROR_INVALID_PARAMETER );
  515. return SEC_E_NOT_SUPPORTED;
  516. }
  518. //
  519. // IIS 4 used the pAuthority parameter; IIS 5 doesn't, and Schannel always passes in
  520. // NULL, so remove the error check for it
  521. //
  522. #if 0
  523. //
  524. // Reject request if CA not recognized
  525. //
  527. //
  528. // Removing IsCeritificateVerified() since we don't have what
  529. // we need to do the appropriate queries
  530. //
  532. if ( pAuthority == NULL )
  533. {
  534. SetLastError( ERROR_INVALID_PARAMETER );
  535. return SEC_E_INTERNAL_ERROR;
  536. }
  537. #endif
  539. pCertMapper = (CIisCert11Mapper*)((IisMapper*)phMapper)->pCert11Mapper;
  540. pCertWildcard = (CIisRuleMapper*)((IisMapper*)phMapper)->pCertWMapper;
  542. if ( !pCertMapper )
  543. {
  544. goto wildcard_mapper;
  545. }
  549. #if DBG
  550. CHAR szSubjectName[1024];
  551. CHAR szIssuerName[1024];
  552. if ( CertGetNameString( pClientCert,
  553. CERT_NAME_SIMPLE_DISPLAY_TYPE,
  554. 0,
  555. NULL,
  556. szSubjectName,
  557. 1024 ) &&
  558. CertGetNameString( pClientCert,
  559. CERT_NAME_SIMPLE_DISPLAY_TYPE,
  560. CERT_NAME_ISSUER_FLAG,
  561. NULL,
  562. szIssuerName,
  563. 1024 ) )
  564. {
  565. DBGPRINTF((DBG_CONTEXT,
  566. "[IisMapCredential] Trying to map client cert for subject %s, issued by %s \n",
  567. szSubjectName,
  568. szIssuerName));
  569. }
  570. else
  571. {
  572. DBGPRINTF((DBG_CONTEXT,
  573. "[IisMapCredential] Couldn't get subject or issuer name for client cert : 0x%x\n",
  574. GetLastError()));
  575. }
  576. #endif
  578. //
  579. // Create a mapping request object
  580. //
  582. if ( !(pQuery = pCertMapper->CreateNewMapping( pClientCert->pbCertEncoded,
  583. pClientCert->cbCertEncoded ) ) )
  584. {
  585. DBGPRINTF((DBG_CONTEXT,
  586. "[IisMapCredential] Failed to create cert mapping query !\n"));
  587. return SEC_E_INTERNAL_ERROR;
  588. }
  590. //
  591. // Look for a match. If not found, log event
  592. //
  594. pCertMapper->Lock();
  596. if ( pCertMapper->FindMatch( pQuery,
  597. &pResult ) )
  598. {
  599. if ( !pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_ACCT,
  600. &pAcct,
  601. &dwA,
  602. FALSE ) ||
  603. !pResult->MappingGetField( IISMDB_INDEX_CERT11_ENABLED,
  604. &pEnabled,
  605. &dwE,
  606. FALSE ) ||
  607. !pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_PWD,
  608. &pPwd,
  609. &dwP,
  610. FALSE ) )
  611. {
  612. pCertMapper->Unlock();
  613. delete pQuery;
  614. return SEC_E_INTERNAL_ERROR;
  615. }
  617. strncpy( achPwd,
  618. pPwd,
  619. sizeof( achPwd ) - 1 );
  621. delete pQuery;
  623. //
  624. // if mapping not enabled, ignore it
  625. //
  627. if ( !dwE ||
  628. ( dwE == sizeof(DWORD) && *(UNALIGNED64 DWORD *)pEnabled == 0 ) ||
  629. ( dwE && *pEnabled == '0' ) )
  630. {
  631. pCertMapper->Unlock();
  632. pCertMapper = NULL;
  633. goto wildcard_mapper;
  634. }
  635. }
  636. else
  637. {
  638. #if 0
  639. //
  640. // log event
  641. //
  643. LPCTSTR pA[CERT_MAP_NB_FIELDS];
  644. for ( UINT x = 0 ; x < CERT_MAP_NB_FIELDS ; ++x )
  645. {
  646. if ( !pQuery->MappingGetField( x, (LPSTR*)(pA+x) ) || pA[x] == NULL )
  647. {
  648. pA[x] = "";
  649. }
  650. }
  651. ReportIisMapEvent( EVENTLOG_INFORMATION_TYPE,
  652. IISMAP_EVENT_NO_MAPPING,
  653. CERT_MAP_NB_FIELDS,
  654. pA );
  655. #endif
  657. pCertMapper->Unlock();
  658. pCertMapper = NULL;
  660. delete pQuery;
  662. //
  663. // Try to find a match using wildcard mapper
  664. //
  666. wildcard_mapper:
  668. if ( pCertWildcard )
  669. {
  670. if ( !pCertWildcard->Match( pClientCert,
  671. (PCERT_CONTEXT)pAuthority,
  672. achCookie,
  673. achPwd ) )
  674. {
  675. //
  676. // Set token to special value '1' for mappings that deny access
  677. //
  678. if ( GetLastError() == ERROR_ACCESS_DENIED )
  679. {
  680. *phToken = (HLOCATOR)1;
  681. return SEC_E_OK;
  682. }
  683. else
  684. {
  685. pAcct = NULL;
  686. }
  687. }
  688. else
  689. {
  690. pAcct = achCookie;
  691. dwA = strlen( pAcct );
  692. }
  693. }
  694. else
  695. {
  696. pAcct = NULL;
  697. }
  698. }
  700. if ( pAcct == NULL )
  701. {
  702. if ( pCertMapper )
  703. {
  704. pCertMapper->Unlock();
  705. }
  707. return SEC_E_UNKNOWN_CREDENTIALS;
  708. }
  710. // break in domain & user name
  711. // copy to local storage so we can unlock mapper object
  713. LPSTR pSep;
  714. LPSTR pUser;
  715. #if 1 // DBCS enabling for user name
  716. // pAcct is always zero terminated
  717. if ( (pSep = (LPSTR)_mbschr( (PUCHAR)pAcct, '\\' )) )
  718. #else
  719. if ( (pSep = (LPSTR)memchr( pAcct, '\\', dwA )) )
  720. #endif
  721. {
  722. if ( (pSep - pAcct) < sizeof(achDomain) )
  723. {
  724. memcpy( achDomain, pAcct, DIFF(pSep - pAcct) );
  725. achDomain[pSep - pAcct] = '\0';
  726. }
  727. else
  728. {
  729. SetLastError( ERROR_INVALID_PARAMETER );
  730. pCertMapper->Unlock();
  731. return SEC_E_UNKNOWN_CREDENTIALS;
  732. }
  733. pUser = pSep + 1;
  734. dwA -= DIFF(pSep - pAcct) + 1;
  735. }
  736. else
  737. {
  738. achDomain[0] = '\0';
  739. pUser = pAcct;
  740. }
  741. if ( dwA >= sizeof(achUser) || dwA <= 0 )
  742. {
  743. SetLastError( ERROR_INVALID_PARAMETER );
  744. pCertMapper->Unlock();
  745. return SEC_E_UNKNOWN_CREDENTIALS;
  746. }
  747. memcpy( achUser, pUser, dwA );
  748. achUser[dwA] = '\0';
  750. if ( pCertMapper )
  751. {
  752. pCertMapper->Unlock();
  753. }
  755. if ( fAllocedAcct )
  756. {
  757. LocalFree( pAcct );
  758. }
  760. DBGPRINTF((DBG_CONTEXT,
  761. "Found a mapping, %s\\%s\n",
  762. (achDomain[0] == '\0' ? "<no domain>" : achDomain),
  763. achUser));
  765. fSt = LogonUserA( achUser,
  766. achDomain,
  767. achPwd,
  768. LOGON32_LOGON_INTERACTIVE,
  769. LOGON32_PROVIDER_DEFAULT,
  770. (HANDLE*)phToken );
  772. if ( !fSt )
  773. {
  774. LPCTSTR pA[2];
  775. CHAR achAcct[128];
  777. DBGPRINTF((DBG_CONTEXT,
  778. "Logon of %s\\%s failed, error 0x%x\n",
  779. (achDomain[0] == '\0' ? "<no domain>" : achDomain),
  780. achUser,
  781. GetLastError()));
  783. wsprintf( achAcct, "%s\\%s", achDomain, achUser );
  784. if ( FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
  785. NULL,
  786. GetLastError(),
  787. MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
  788. (LPSTR)&pA[1],
  789. 0,
  790. NULL ) )
  791. {
  792. pA[0] = achAcct;
  794. ReportIisMapEvent( EVENTLOG_ERROR_TYPE,
  795. IISMAP_EVENT_ERROR_LOGON,
  796. sizeof(pA)/sizeof(LPCTSTR),
  797. pA );
  799. LocalFree( (LPVOID)pA[1] );
  800. }
  801. }
  802. else
  803. {
  804. DBGPRINTF((DBG_CONTEXT,
  805. "[IisMapCredential] Successful logon, token 0x%p\n",
  806. *phToken));
  808. g_dwNumLocators++;
  809. }
  811. return fSt ? SEC_E_OK : SEC_E_UNKNOWN_CREDENTIALS;
  812. }
  814. extern "C"
  815. DWORD CALLC IisQueryMappedCredentialAttributes( IN HMAPPER *phMapper,
  816. IN HLOCATOR hLocator,
  817. IN ULONG ulAttribute,
  818. OUT PVOID pBuffer,
  819. IN OUT DWORD *pcbBuffer )
  820. {
  821. if ( !pBuffer || ( *pcbBuffer < sizeof( HLOCATOR ) ) )
  822. {
  823. *pcbBuffer = sizeof( HLOCATOR );
  824. }
  825. else
  826. {
  827. *((HLOCATOR*)pBuffer) = hLocator;
  828. }
  830. return SEC_E_OK;
  831. }
  833. extern "C"
  834. DWORD CALLC
  835. IisGetAccessToken(
  836. IN HMAPPER* phMapper,
  837. IN HLOCATOR tokenhandle,
  838. OUT HANDLE *phToken
  839. )
  840. /*++
  842. Routine Description:
  844. Called to retrieve an access token from a mapping
  846. Arguments:
  848. phMapper - pointer to mapper to use
  849. tokenhandle -- HLOCATOR returned by MapCredential
  850. phToken -- updated with potentially new token
  852. Returns:
  854. SEC_E_* error code
  856. --*/
  857. {
  859. #if 1
  860. *phToken = (HANDLE) tokenhandle;
  862. return SEC_E_OK;
  863. #else
  864. //
  865. // Special value '1' is used to denote mappings that -deny- access
  866. //
  867. if ( tokenhandle == 1 )
  868. {
  869. *phToken = (HANDLE)tokenhandle;
  870. }
  871. else
  872. {
  873. if ( !DuplicateTokenEx( (HANDLE)tokenhandle,
  874. TOKEN_ALL_ACCESS,
  875. NULL,
  876. SecurityImpersonation,
  877. TokenPrimary,
  878. phToken ))
  879. {
  880. return SEC_E_INVALID_TOKEN;
  881. }
  882. }
  884. return SEC_E_OK;
  885. #endif
  886. }
  889. extern "C"
  890. DWORD CALLC
  891. IisCloseLocator(
  892. IN HMAPPER* phMapper,
  893. IN HLOCATOR tokenhandle
  894. )
  895. /*++
  897. Routine Description:
  899. Called to close a HLOCATOR returned by MapCredential
  901. Arguments:
  903. tokenhandle -- HLOCATOR
  905. Returns:
  907. SEC_E_* error code
  909. --*/
  910. {
  911. DBG_ASSERT( g_dwNumLocators > 0 );
  913. if ( tokenhandle != 1 && tokenhandle != NULL )
  914. {
  915. CloseHandle( (HANDLE)tokenhandle );
  916. g_dwNumLocators--;
  917. }
  919. return SEC_E_OK;
  920. }
  923. MAPPER_VTABLE g_MapperVtable={
  924. (REF_MAPPER_FN)IisReferenceMapper,
  925. (DEREF_MAPPER_FN)IisDeReferenceMapper,
  926. (GET_ISSUER_LIST_FN)IisGetIssuerList,
  927. (GET_CHALLENGE_FN)IisGetChallenge,
  928. (MAP_CREDENTIAL_FN)IisMapCredential,
  929. (GET_ACCESS_TOKEN_FN)IisGetAccessToken,
  930. (CLOSE_LOCATOR_FN)IisCloseLocator,
  931. (QUERY_MAPPED_CREDENTIAL_ATTRIBUTES_FN)IisQueryMappedCredentialAttributes
  932. } ;