in wwauth/Google.Solutions.WWAuth/Adapters/Adfs/AdfsAdapterBase.cs [84:146]
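/// <summary>
/// Verify that this computer can use integrated Windows authentication
/// against AD FS: it must be domain-joined, and the AD FS service principal
/// name must be registered in Active Directory. The directory calls are
/// synchronous, so they are offloaded to the thread pool.
/// </summary>
/// <exception cref="TokenAcquisitionException">
/// The computer is not domain-joined, or the SPN could not be resolved
/// in the directory.
/// </exception>
public async Task VerifyActiveDirectoryConnectivity()
{
    await Task.Run(() =>
    {
        //
        // Check if computer is domain joined at all
        // (irrespective of the user we're running as).
        //
        try
        {
            //
            // Domain and DirectoryEntry both wrap native handles,
            // so dispose them instead of leaving them to the finalizer.
            //
            using (var domain = Domain.GetComputerDomain())
            using (var domainEntry = domain.GetDirectoryEntry())
            {
                var domainContainer = domainEntry
                    .Properties["distinguishedName"]
                    .Value as string;

                this.Logger.Info(
                    "Computer joined to domain '{0}', ({1})",
                    domain.Name,
                    domainContainer);
            }
        }
        catch (Exception e)
        {
            // Any failure here is reported as "not domain-joined";
            // the original cause is preserved as the inner exception.
            throw new TokenAcquisitionException(
                "The current computer is not domain-joined and can't use " +
                "integrated windows authentication", e);
        }

        //
        // Check if we can lookup the server's SPN. If that fails, we
        // know that obtaining a Kerberos ticket will fail (causing a
        // fallback to NTLM).
        //
        var spn = this.ServicePrincipalName;
        try
        {
            //
            // The SPN is interpolated into an LDAP filter, so escape the
            // RFC 4515 metacharacters. Otherwise a '*' or ')' in the SPN
            // would change the meaning of the filter (e.g. turn the
            // lookup into a wildcard match) instead of being matched
            // literally.
            //
            using (var root = new DirectoryEntry())
            using (var searcher = new DirectorySearcher(root)
            {
                Filter = $"(servicePrincipalName={EscapeLdapFilterValue(spn)})"
            })
            {
                var result = searcher.FindOne();
                if (result == null)
                {
                    throw new ActiveDirectoryObjectNotFoundException(
                        $"SPN '{spn}' not found in directory");
                }

                this.Logger.Info("SPN '{0}' resolved to '{1}'", spn, result.Path);
            }
        }
        catch (Exception e)
        {
            // Covers both "no match" (thrown above) and LDAP/connectivity
            // failures; the inner exception tells them apart.
            throw new TokenAcquisitionException(
                $"The Kerberos SPN '{spn}' does not exist in Active Directory. " +
                $"Add the SPN to the service account used by AD FS to enable " +
                $"Kerberos authentication.", e);
        }
    });
}

/// <summary>
/// Escape a value for use inside an LDAP search filter (RFC 4515,
/// section 3): backslash, asterisk, parentheses and NUL are replaced
/// by their hex-escaped form so that they are matched literally.
/// </summary>
/// <param name="value">Raw attribute value; null is treated as empty.</param>
/// <returns>The escaped value, safe to embed in a filter expression.</returns>
private static string EscapeLdapFilterValue(string value)
{
    if (string.IsNullOrEmpty(value))
    {
        return string.Empty;
    }

    // Backslash must be escaped first so that the escape sequences
    // introduced by the later replacements aren't escaped again.
    return value
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
}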