Checking the SIDs in the WindowsClaimSet

  • Article

In continuation to my post of SAM vs PP, we concluded that to avoid fractured policy checking we can still check if the user belongs to a particular group by checking the occurence of an SID in the WindowsClaimSet that he submits to the service.

One of the problems that I faced to view the SID of an object was in the SDDL format for direct comparison. The Sid is basically represented as a SDDL string. If someone can point me to some proper tool besides these, it would be greatly helpful. these are the one's i used.
You can use GetSID.exe that is a part of the the support tools that ship with Windows 2003 to find the SID as SDDL string. Or there is another tool PSID from SysInternals that helps you get this string pretty easily and both are command line tools.

Once you get this value you can compare the Claim Set for the occurence of this SID to figure out if the user provided a claim.
 

using System;
using System.Collections.Generic;

using System.Text;

using System.ServiceModel;

using System.IdentityModel.Policy;

using System.Collections.ObjectModel;

using KBE.Service.Diagnostics;

using System.Security.Permissions;

using System.Security.Principal;

using System.IdentityModel.Claims;

using System.Configuration;

public class CustomServiceAuthorizationManager : ServiceAuthorizationManager

{

protected override bool CheckAccessCore(OperationContext operationContext)

{

System.Diagnostics.Debug.WriteLine("CheckAccess -- Started" + Utility.GetUserDetails());
try

        {

foreach (ClaimSet cs in OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets)

            {
if (cs is WindowsClaimSet)
{
foreach (Claim c in cs)
{
if (c.ClaimType == ClaimTypes.Sid)
{

SecurityIdentifier sid = c.Resource as SecurityIdentifier;

                            if (sid != null)
{
// Check if the SID is a claim for the group
if (sid.Value == ConfigurationManager.AppSettings["AuthorizationPermissionRole"])
return true;

}
}
}
}
}
return false;

        }
catch (Exception ex)
{
System.Diagnostics.Debug.WriteLine("\tException : " + ex.Message);
throw;
}
finally
{
System.Diagnostics.Debug.WriteLine("CheckAccess -- Ended");
}
}

    protected override ReadOnlyCollection<IAuthorizationPolicy> GetAuthorizationPolicies(OperationContext operationContext)
    {
        return base.GetAuthorizationPolicies(operationContext);
    }
}

Configuraiton Entry

<appSettings>

  <add key="AuthorizationPermissionRole" value="Some SID String"/>

</appSettings>