3.1.1.11.2.18 GetAuthSiloClaim
procedure GetAuthSiloClaim ( pADPrincipal : ADDRESS OF DSNAME) : CLAIM_ENTRY
This is a helper procedure that computes the value of the ad://ext/AuthenticationSilo constructed claim type for the specified principal.
pADPrincipal: The Active Directory principal to return an AuthenticationSilo claim for, if applicable.
Return Values: This procedure returns a CLAIM_ENTRY (section 2.2.18.5) if the specified principal is a member of an authentication silo; otherwise NULL.
Logical Processing:
claim : CLAIM_ENTRY;
parentNC : DSName
siloMember : DSName
memberOfSilo : Boolean;
assignedSilo : DSName

/* AuthSiloClaim is not issued until the domain functional level is at DS_BEHAVIOR_WIN2012R2 or higher. */
parentNC := GetObjectNC(pADPrincipal)
if (parentNC!msDS-BehaviorVersion < DS_BEHAVIOR_WIN2012R2)
    return NULL
endif

/* Check if user is assigned to an enforced silo. */
assignedSilo := pADPrincipal!msDS-AssignedAuthNPolicySilo
if (assignedSilo = NULL || assignedSilo!msDS-AuthNPolicySiloEnforced = FALSE)
    return NULL
endif

/* Check if silo is configured with the user as a member. */
memberOfSilo := FALSE
foreach (siloMember in assignedSilo!msDS-AuthNPolicySiloMembers)
    if (siloMember = pADPrincipal)
        memberOfSilo := TRUE
        break
    endif
endfor
if (memberOfSilo = FALSE)
    return NULL
endif

/* Fill in the claim details and return the claim. */
claim.Id := "ad://ext/AuthenticationSilo";
claim.Type := CLAIM_TYPE_STRING
claim.ValueCount := 1
claim.Values := assignedSilo.name
return claim;
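The following is an added example, not part of the specification: it replays the three gates of the procedure over a constructed in-memory directory and goes one step further by listing principals that have a silo assigned but would receive no claim, which is the misconfiguration an administrator would want to audit for. Assumptions: the dict-based directory and its DNs are hypothetical, the NC is passed in rather than resolved with GetObjectNC, DSName equality is approximated by case-insensitive DN comparison, and DS_BEHAVIOR_WIN2012R2 is taken to be 6.

```python
DS_BEHAVIOR_WIN2012R2 = 6  # Assumption: numeric value is not stated on this page.

def norm(dn):
    # Assumption: DSName equality approximated by case-insensitive DN match.
    return dn.strip().lower()

def get_auth_silo_claim(directory, nc_dn, principal_dn):
    """Return (claim, reason); claim is None when a gate of the procedure fails."""
    objs = {norm(k): v for k, v in directory.items()}
    if objs[norm(nc_dn)].get("msDS-BehaviorVersion", 0) < DS_BEHAVIOR_WIN2012R2:
        return None, "functional level too low"
    silo_dn = objs[norm(principal_dn)].get("msDS-AssignedAuthNPolicySilo")
    if silo_dn is None:
        return None, "no silo assigned"
    silo = objs.get(norm(silo_dn), {})
    if not silo.get("msDS-AuthNPolicySiloEnforced", False):
        return None, "silo not enforced"
    members = {norm(m) for m in silo.get("msDS-AuthNPolicySiloMembers", [])}
    if norm(principal_dn) not in members:
        return None, "assigned but not in silo member list"
    claim = {"Id": "ad://ext/AuthenticationSilo", "Type": "CLAIM_TYPE_STRING",
             "ValueCount": 1, "Values": [silo["name"]]}
    return claim, "issued"

def audit_assignments(directory, nc_dn):
    """List principals that have a silo assigned yet would receive no claim."""
    findings = []
    for dn, attrs in directory.items():
        if "msDS-AssignedAuthNPolicySilo" not in attrs:
            continue  # silo objects, the NC head, unassigned principals
        claim, reason = get_auth_silo_claim(directory, nc_dn, dn)
        if claim is None:
            findings.append((dn, reason))
    return findings

# Constructed sample directory; all DNs and names are hypothetical.
NC = "DC=example,DC=test"
SILO = f"CN=T0Silo,CN=AuthN Silos,{NC}"
AUDIT_SILO = f"CN=AuditOnly,CN=AuthN Silos,{NC}"
ALICE, BOB, CAROL = (f"CN={n},CN=Users,{NC}" for n in ("alice", "bob", "carol"))
SAMPLE = {
    NC: {"msDS-BehaviorVersion": 6},
    SILO: {"name": "T0Silo", "msDS-AuthNPolicySiloEnforced": True,
           "msDS-AuthNPolicySiloMembers": [ALICE.lower()]},
    AUDIT_SILO: {"name": "AuditOnly", "msDS-AuthNPolicySiloEnforced": False,
                 "msDS-AuthNPolicySiloMembers": [CAROL]},
    ALICE: {"msDS-AssignedAuthNPolicySilo": SILO},
    BOB: {"msDS-AssignedAuthNPolicySilo": SILO},
    CAROL: {"msDS-AssignedAuthNPolicySilo": AUDIT_SILO},
}
```

In the sample, bob is assigned to the silo but missing from its member list, and carol's silo is not enforced, so `audit_assignments(SAMPLE, NC)` reports both while alice receives the claim.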