UPNIdentityConstraint Class

Namespace: System.Net.Security
Assembly: System (in System.dll)

Implements the IIdentityConstraint interface to constrain the identity of a NegotiateStream object to a User Principal Name (UPN).

Remarks

This class is used to specify the User Principal Name (UPN) that a NegotiateStream object must connect to. If the UPN provided during the authentication process does not match the UPN specified in the UPNIdentityConstraint object, the connection will fail.

This is particularly useful in scenarios where you need to ensure that a client is connecting to a specific server identified by its UPN. Checking the authenticated identity against an expected UPN, rather than accepting whatever identity the authentication exchange yields, adds a layer of defense against man-in-the-middle attacks in which a client is steered to a server other than the one it intended to reach.

Requirements

.NET Framework versions: Supported in the following versions: 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8

Inheritance Hierarchy:

Object
UPNIdentityConstraint

Constructors

public UPNIdentityConstraint(string upn)
Initializes a new instance of the UPNIdentityConstraint class with the specified User Principal Name.

Parameters:

  • upn: The User Principal Name to constrain the identity to.

Methods

public bool IsSatisfiedBy(IIdentity identity)
Determines whether the specified identity satisfies the constraint.

Parameters:

  • identity: An IIdentity object that represents the identity to check.

Returns:

true if the identity satisfies the constraint; otherwise, false.

Remarks: This method compares the UPN of the provided IIdentity object with the UPN specified during the construction of the UPNIdentityConstraint object.
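The following is an added example, not part of the original reference page, showing where the constraint check belongs in a client's NegotiateStream flow as described in the remarks above: authenticate, require mutual authentication, then test the remote identity against the expected server UPN before sending any application data. The host, port, SPN and the expected UPN are constructed placeholders; the NegotiateStream members used (AuthenticateAsClient, IsAuthenticated, IsMutuallyAuthenticated, RemoteIdentity) are standard .NET Framework API, and the example assumes the identity they yield carries the UPN that UPNIdentityConstraint.IsSatisfiedBy compares, as the page states.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;

public static class ConstrainedNegotiateClient
{
    // Connects, authenticates with NegotiateStream, and returns the authenticated stream
    // only if the server's identity satisfies the UPN constraint. Any failure closes the
    // connection and returns null, so callers cannot accidentally talk to an unverified peer.
    public static NegotiateStream ConnectConstrained(string host, int port,
                                                     string targetSpn,
                                                     UPNIdentityConstraint constraint)
    {
        var client = new TcpClient();
        client.Connect(host, port);

        // leaveInnerStreamOpen: false so disposing the NegotiateStream also closes the socket.
        var negotiate = new NegotiateStream(client.GetStream(), false);
        try
        {
            // Kerberos is requested through the SPN; the SPN names the service, while the
            // UPN constraint below names the account we expect that service to run as.
            negotiate.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, targetSpn);

            // Without mutual authentication the server has not proven anything to us,
            // so the identity check would be meaningless.
            if (!negotiate.IsAuthenticated || !negotiate.IsMutuallyAuthenticated)
            {
                Console.WriteLine("Rejected: server was not mutually authenticated.");
                negotiate.Dispose();
                return null;
            }

            IIdentity server = negotiate.RemoteIdentity;
            if (!constraint.IsSatisfiedBy(server))
            {
                Console.WriteLine("Rejected: server identity '" + server.Name +
                                  "' does not satisfy the expected UPN constraint.");
                negotiate.Dispose();
                return null;
            }

            return negotiate; // safe to exchange application data on this stream
        }
        catch (AuthenticationException ex)
        {
            Console.WriteLine("Authentication failed: " + ex.Message);
            negotiate.Dispose();
            return null;
        }
        catch (InvalidOperationException ex)
        {
            // Thrown if RemoteIdentity is read before authentication completed.
            Console.WriteLine("Identity unavailable: " + ex.Message);
            negotiate.Dispose();
            return null;
        }
    }

    public static void Main()
    {
        // Constructed placeholder values; replace with the real service endpoint and accounts.
        var constraint = new UPNIdentityConstraint("svc-account@example.com");
        using (NegotiateStream stream =
               ConnectConstrained("server.example.com", 9000, "HOST/server.example.com", constraint))
        {
            if (stream == null)
            {
                Console.WriteLine("Connection refused by client-side policy.");
                return;
            }
            Console.WriteLine("Connected to verified server as " + stream.RemoteIdentity.Name);
        }
    }
}
```

Checking IsMutuallyAuthenticated before IsSatisfiedBy is deliberate: the UPN comparison only constrains an identity the server has actually proven, and a stream that is authenticated but not mutually authenticated would otherwise pass a constraint check against an unverified name.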

Example

using System;
using System.Net.Security;
using System.Security.Principal;

// Minimal IIdentity implementation that carries a UPN, so the example runs without a
// live NegotiateStream. In a real scenario the identity would come from
// NegotiateStream.RemoteIdentity. A class cannot be declared inside a method body in
// C#, so it lives at namespace scope.
public class MockUPNIdentity : IIdentity
{
    public string Name { get; }
    public string AuthenticationType { get; }
    public string UPN { get; }
    public bool IsAuthenticated { get; }

    public MockUPNIdentity(string name, string authType, string upn)
    {
        Name = name;
        AuthenticationType = authType;
        UPN = upn;
        IsAuthenticated = true;
    }
}

public class Example
{
    public static void Main(string[] args)
    {
        string serverUpn = "service@example.com";

        // Create a UPN identity constraint for the server
        UPNIdentityConstraint constraint = new UPNIdentityConstraint(serverUpn);

        // An identity whose UPN matches the constraint
        IIdentity authenticatedIdentity = new MockUPNIdentity("service@example.com", "Kerberos", "service@example.com");

        if (constraint.IsSatisfiedBy(authenticatedIdentity))
        {
            Console.WriteLine("Identity is satisfied by the UPN constraint.");
        }
        else
        {
            Console.WriteLine("Identity does NOT satisfy the UPN constraint.");
        }

        // An identity whose UPN does not match the constraint
        IIdentity wrongUpnIdentity = new MockUPNIdentity("other@example.net", "Kerberos", "other@example.net");

        if (constraint.IsSatisfiedBy(wrongUpnIdentity))
        {
            Console.WriteLine("Second identity is satisfied by the UPN constraint.");
        }
        else
        {
            Console.WriteLine("Second identity does NOT satisfy the UPN constraint.");
        }
    }
}

Fields

The UPNIdentityConstraint class does not expose any public fields.

Properties

The UPNIdentityConstraint class does not expose any public properties.