.NET Forum / .NET Framework / New Users / August 2005
Validating User Credentials

Anthony Yott - 02 Aug 2005 19:22 GMT
We have a need to prompt the user for their domain, username and password in
order to authenticate them against Active Directory. We have to support
Windows 2000, XP and 2003. I know that I can authenticate all of the
supported platforms using Directory Services/LDAP queries but doing this
doesn't return a token (which I need) as in the case of LogonUser.
Unfortunately LogonUser requires "act as part of operating system" privileges
for Win 2000. Keith Brown has an SSPI work-around but I can't get it to work
in Beta2 of Whidbey. He basically uses the NegotiateStream class to perform a
handshake between client and server but I'm getting an "Authentication failed
because the remote party has closed the transport stream." error on the
AuthenticateAsClient method (code shown next).

using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Principal;

static WindowsIdentity Authenticate(string principal, string password, string authority)
{
    // Both sides share a single in-memory stream; this is the arrangement that
    // fails with "remote party has closed the transport stream" on AuthenticateAsClient.
    MemoryStream couple = new MemoryStream();

    using (NegotiateStream clientStream = new NegotiateStream(couple))
    using (NegotiateStream serverStream = new NegotiateStream(couple))
    {
        string spn = WindowsIdentity.GetCurrent().Name;
        NetworkCredential cred = new NetworkCredential(principal, password, authority);
        clientStream.AuthenticateAsClient(cred, spn, ProtectionLevel.None,
            TokenImpersonationLevel.Impersonation);

        serverStream.AuthenticateAsServer(
            (NetworkCredential)CredentialCache.DefaultCredentials,
            ProtectionLevel.None, TokenImpersonationLevel.None);

        return serverStream.IsAuthenticated
            ? (WindowsIdentity)serverStream.RemoteIdentity
            : null;
    }
}


I guess I'm wondering if anyone has been able to get his sample working or
has done something similar for Windows 2000 clients. I've found some samples
using the NegotiateStream class but they are opening sockets, etc and I don't
really want to do all that just to authenticate login credentials.

Also, can any of the experts on the board recommend best practices for
authenticating users in a client/server (winform) environment? Any comments
or suggestions would be greatly appreciated.

Thanks in advance,
Anthony Yott

Anthony Yott - 02 Aug 2005 20:00 GMT
Forgot to mention that one of the requirements is the need to authenticate
when the client is disconnected from the network. LogonUser provides this
facility which is what makes it a really attractive choice except for its
limitation with Win 2000.

Anthony Yott

Willy Denoyette [MVP] - 03 Aug 2005 08:50 GMT
You need a "networkstream" to establish a network authentication handshake.
One option is to set up a local TCP connection using the loopback interface
and use the socket stream to negotiate. Note that this way you can't use
domain credentials.
Something like this will do...

// Requires Whidbey - Beta2 !!!!!!!!
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading;

WindowsIdentity wi = null;
// Start listening on the loopback interface before the client connects,
// so the client cannot race ahead of the listener.
TcpListener l = new TcpListener(IPAddress.Parse("127.0.0.1"), 9999);
l.Start();
Thread t = new Thread(delegate() {
    // Server side: accept the loopback connection and complete the handshake
    TcpClient s = l.AcceptTcpClient();
    NegotiateStream nsServ = new NegotiateStream(s.GetStream());
    nsServ.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
        ProtectionLevel.None, TokenImpersonationLevel.Impersonation);
    wi = (WindowsIdentity)nsServ.RemoteIdentity;
    l.Stop();
});
t.Start();
// Client side: connect over loopback and authenticate with the supplied credentials
TcpClient cli = new TcpClient();
cli.Connect("127.0.0.1", 9999);
NegotiateStream nsCli = new NegotiateStream(cli.GetStream());
string spn = WindowsIdentity.GetCurrent().Name;
NetworkCredential cred = new NetworkCredential("testuser", "kevin");
nsCli.AuthenticateAsClient(cred, spn,
    ProtectionLevel.None, TokenImpersonationLevel.Impersonation);
t.Join(); // wait for the server thread to finish before reading wi
Console.WriteLine("Client Identity: {0} - Token {1}", wi.Name, wi.Token.ToString());

Willy.

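As an added example (not code from this thread or from either poster), the loopback-handshake approach in Willy's reply written as a reusable method, the way a practitioner would wire it into the winform login Anthony asked about: the listener is bound to the loopback address on an ephemeral port (so there is no fixed port for another local process to squat on and no reachability from off-box), the listener is started before the client connects, the server thread is joined before its result is read, both streams are disposed, and a failed handshake (wrong user name or password surfaces as InvalidCredentialException, a subclass of AuthenticationException) is reported as null rather than an unhandled exception. The class and method names, the EncryptAndSign protection level and the sample user name/password in Main are assumptions; the credential is built with the same two-argument NetworkCredential form as Willy's sample.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Threading;

// Hypothetical helper: validates a user name/password by completing a Negotiate
// (SSPI) handshake with ourselves over a loopback TCP connection and returns the
// WindowsIdentity the server side obtained, or null if authentication failed.
public static class LoopbackCredentialCheck
{
    public static WindowsIdentity Validate(string userName, string password)
    {
        WindowsIdentity result = null;

        // Port 0 asks the OS for a free ephemeral port; binding to IPAddress.Loopback
        // keeps the listener unreachable from the network. Start it before the
        // client thread runs so the connect cannot race ahead of the accept.
        TcpListener listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start(1);
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        Thread serverThread = new Thread(delegate()
        {
            try
            {
                using (TcpClient accepted = listener.AcceptTcpClient())
                using (NegotiateStream server = new NegotiateStream(accepted.GetStream(), false))
                {
                    // Server side runs as the process identity; an impersonation-level
                    // token is enough to identify the caller.
                    server.AuthenticateAsServer(
                        CredentialCache.DefaultNetworkCredentials,
                        ProtectionLevel.EncryptAndSign,
                        TokenImpersonationLevel.Impersonation);
                    if (server.IsAuthenticated)
                        result = (WindowsIdentity)server.RemoteIdentity;
                }
            }
            catch (Exception)
            {
                // A rejected handshake also throws on this side; the client side
                // decides the outcome, so nothing to do here.
            }
            finally
            {
                listener.Stop();
            }
        });
        serverThread.IsBackground = true;
        serverThread.Start();

        bool clientOk = false;
        try
        {
            using (TcpClient client = new TcpClient())
            {
                client.Connect(IPAddress.Loopback, port);
                using (NegotiateStream clientStream = new NegotiateStream(client.GetStream(), false))
                {
                    // Target name is the account this process runs as: the client
                    // authenticates to ourselves, not to an arbitrary listener.
                    string spn = WindowsIdentity.GetCurrent().Name;
                    NetworkCredential cred = new NetworkCredential(userName, password);
                    clientStream.AuthenticateAsClient(cred, spn,
                        ProtectionLevel.EncryptAndSign,
                        TokenImpersonationLevel.Impersonation);
                    clientOk = clientStream.IsAuthenticated;
                }
            }
        }
        catch (AuthenticationException)
        {
            // Wrong user name or password, or the handshake was cut short.
            clientOk = false;
        }
        catch (IOException)
        {
            clientOk = false;
        }
        finally
        {
            // Unblocks AcceptTcpClient if the client never connected, then waits for
            // the server side; the posted sample read wi without such a join.
            listener.Stop();
            serverThread.Join();
        }

        return clientOk ? result : null;
    }

    public static void Main()
    {
        // Constructed sample call; in the application these come from the login form.
        WindowsIdentity id = Validate("testuser", "placeholder-password");
        Console.WriteLine(id == null
            ? "Authentication failed"
            : "Authenticated as " + id.Name + ", token " + id.Token);
    }
}
```

The identity returned carries an impersonation-level token, which is what TokenImpersonationLevel.Impersonation requests on the server side: it can be passed to WindowsIdentity.Impersonate() to act as the user within the process, but it is not an interactive logon token of the kind LogonUser produces, so check that it satisfies what the application actually needs from the token before building on it.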
