Checking the SIDs in the WindowsClaimSet

Continuing from my post on SAM vs PP: we concluded that, to avoid fractured policy checking, we can still check whether the user belongs to a particular group by checking for the occurrence of a SID in the WindowsClaimSet that he submits to the service.

One of the problems I faced was viewing the SID of an object in SDDL format for direct comparison; the SID is basically represented as an SDDL string. If someone can point me to a proper tool besides these, it would be greatly helpful; these are the ones I used.
You can use GetSID.exe, which is part of the Support Tools that ship with Windows 2003, to find the SID as an SDDL string. Alternatively, the PSID tool from Sysinternals gets you this string pretty easily. Both are command-line tools.

Once you have this value, you can scan the claim set for the occurrence of this SID to figure out whether the user presents that claim.
using System;
using System.Collections.Generic;
using System.Text;
using System.ServiceModel;
using System.IdentityModel.Policy;
using System.Collections.ObjectModel;
using KBE.Service.Diagnostics;
using System.Security.Permissions;
using System.Security.Principal;
using System.IdentityModel.Claims;
using System.Configuration;

public class CustomServiceAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        System.Diagnostics.Debug.WriteLine("CheckAccess — Started " + Utility.GetUserDetails());
        try
        {
            // Use the context handed in by the base class rather than OperationContext.Current
            foreach (ClaimSet cs in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
            {
                // Only the WindowsClaimSet is built from the caller's Windows token,
                // so only its SID claims prove group membership
                if (cs is WindowsClaimSet)
                {
                    foreach (Claim c in cs)
                    {
                        if (c.ClaimType == ClaimTypes.Sid)
                        {
                            SecurityIdentifier sid = c.Resource as SecurityIdentifier;
                            if (sid != null)
                            {
                                // Check if the SID is a claim for the group (SDDL string from config)
                                if (sid.Value == ConfigurationManager.AppSettings["AuthorizationPermissionRole"])
                                    return true;
                            }
                        }
                    }
                }
            }
            return false;
        }
        catch (Exception ex)
        {
            System.Diagnostics.Debug.WriteLine("\tException : " + ex.Message);
            throw;
        }
        finally
        {
            System.Diagnostics.Debug.WriteLine("CheckAccess — Ended");
        }
    }

    protected override ReadOnlyCollection<IAuthorizationPolicy> GetAuthorizationPolicies(OperationContext operationContext)
    {
        return base.GetAuthorizationPolicies(operationContext);
    }
}

Configuration Entry

<appSettings>
  <add key="AuthorizationPermissionRole" value="Some SID String"/>
</appSettings>
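The two steps above (obtaining the group's SID string, then matching it against the WindowsClaimSet) can be done in one place. The following is an added example, not code from the original post: it resolves configured group names to SIDs in-process with NTAccount.Translate (the same lookup GetSID/PsGetSid perform), keeps the matching logic free of OperationContext so it can be exercised directly, and shows why the `cs is WindowsClaimSet` test matters: a DefaultClaimSet carrying the same SID is something a client could assert itself, and must not grant access. The appSettings key "AuthorizedGroups", the class name and the group names are assumptions; it runs on Windows only.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical authorization manager (not from the original post).
public class SidAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed key, e.g. value="BUILTIN\Users;CONTOSO\WcfUsers;S-1-5-32-544".
    // Resolved once at startup so the config can hold readable names instead of SDDL.
    private static readonly HashSet<SecurityIdentifier> AllowedSids =
        LoadAllowedSids(ConfigurationManager.AppSettings["AuthorizedGroups"]);

    // Translate "DOMAIN\Group" or "BUILTIN\Group" to its SID via the local/domain SAM.
    public static SecurityIdentifier ResolveSid(string accountName)
    {
        return (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
    }

    public static HashSet<SecurityIdentifier> LoadAllowedSids(string configured)
    {
        var result = new HashSet<SecurityIdentifier>();
        if (string.IsNullOrEmpty(configured)) return result;
        foreach (string entry in configured.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string name = entry.Trim();
            // Accept either a literal SDDL string or an account name.
            result.Add(name.StartsWith("S-1-", StringComparison.OrdinalIgnoreCase)
                ? new SecurityIdentifier(name)
                : ResolveSid(name));
        }
        return result;
    }

    // Core check, independent of OperationContext so it can be called with hand-built claim sets.
    public static bool HasAllowedSid(IEnumerable<ClaimSet> claimSets, ICollection<SecurityIdentifier> allowed)
    {
        foreach (ClaimSet cs in claimSets)
        {
            // Only a WindowsClaimSet is derived from the caller's authenticated Windows token.
            // Any other claim set holding a matching SID could have been supplied by the client.
            if (!(cs is WindowsClaimSet)) continue;

            // PossessProperty SID claims are the caller's own SID plus each group SID;
            // the Identity claim only names the caller and is not a membership statement.
            foreach (Claim c in cs.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
            {
                SecurityIdentifier sid = c.Resource as SecurityIdentifier;
                // SecurityIdentifier overrides Equals/GetHashCode, so compare objects, not strings.
                if (sid != null && allowed.Contains(sid)) return true;
            }
        }
        return false;
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        return HasAllowedSid(
            operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets, AllowedSids);
    }
}

public static class SidCheckDemo
{
    public static void Main()
    {
        // Every interactive or service account is a member of BUILTIN\Users.
        var allowed = new HashSet<SecurityIdentifier> { SidAuthorizationManager.ResolveSid(@"BUILTIN\Users") };

        // Claim set built from the process token: expected to pass.
        var fromToken = new WindowsClaimSet(WindowsIdentity.GetCurrent());
        Console.WriteLine("token-issued claims accepted: " +
            SidAuthorizationManager.HasAllowedSid(new ClaimSet[] { fromToken }, allowed));

        // Same SID, but in a client-constructable DefaultClaimSet: expected to be rejected.
        SecurityIdentifier usersSid = SidAuthorizationManager.ResolveSid(@"BUILTIN\Users");
        var selfAsserted = new DefaultClaimSet(Claim.CreateWindowsSidClaim(usersSid));
        Console.WriteLine("self-asserted claims accepted: " +
            SidAuthorizationManager.HasAllowedSid(new ClaimSet[] { selfAsserted }, allowed));
    }
}
```

Resolving names at startup also makes a misconfigured group name fail loudly when the service starts (Translate throws IdentityNotMappedException) rather than silently denying every caller at request time.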