 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / January 2006user authentication without iis
Hi, Im setting up a win32 based client/server aplication in C#. (Not a webservice) The server (a pc) must perfrom an action when the client (pc or pocket pc device) sends it a message via TCP/IP communication. Because of company policy I can not use IIS. So I must do my own user authentication to ensure the server is comunicating with a genuine client. I setup a server side remoting object to act as a comunications channel, The object is a kinda message queue. Clients enque to it, server dequeues from it. The clients use Activator.GetObject to hook up with the server and send messages to the sso(server side object). The server monitors the sso and when a command is available it deques it and performs the command it dequeues. My question is how can I secure this so that only a client with correct username/password can create messages which will be acepted by the server. The idea is that each message has some challange response setup so that people can't impersonate the client. The message also needs to be securly authenticated so that the server can recognise if the message it recived was altered in any way since it left the client. Every article I read says use IIS, but I'm not allowed to .... I tried to find a C# implementation of kerberos v5 or something but no luck. I could set up my own challange response system using tokens, hashing, salt ect, but I feel that it would be much better to adopt a tried and tested solution. Any pointers or sugestions? Hi, .NET 2.0 supports Kerberos/NTLM for Remoting. In 1.1 you are out of luck. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Hi, > [quoted text clipped - 35 lines] > > Any pointers or sugestions? Thanks, I am unfamiliar with .NET 2.0 atm. Regarding the kerberos in the remoting for .net 2.0 can I use my own username/password list (prefered) or does it use the local machiene / domain server user/password list? I might be tempted to port the app too version 2.0 to solve this. (It's about 50,000 lines of code atm, so not rushing of to do this just yet...). I probably deserve a good rtfm for this, but I can't find anything on MSDN that talks about new kerbos stuff in .net 2.0. All I can find is stuff about Kerberos/NTLM in remoting via SSL via IIS in .Net v 1.1. Would you have a URL or book reverence where I can find out more? Also I have been reading Into System.Messaging (msmq) It seems to implement some form of authentication (windows user name based?) I think it looks like a possible solution to my problem, but I can't find .NET compact support. Also I think I can't attach BLOB's in the messages. Again I'm Jst hunting for Ideas / sugestion's. -dm Hi, > Regarding the kerberos in the remoting for .net 2.0 can I use my own > username/password list (prefered) or does it use the local machiene / > domain server user/password list? both. http://www.leastprivilege.com/SecureRemoting.aspx http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToAddCIAToDotNETRemo ting.html this is all based on the new NegotiateStream class in .NET 2.0 ms-help://MS.MSDNQTR.v80.en/MS.MSDN.v80/MS.NETDEVFX.v20.en/cpref10/html/T_System_Net_Security_NegotiateStream_Members.htm --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Thanks, > [quoted text clipped - 23 lines] > > -dm Ok Im no securty expert (as you could guess). But according to msdns page I just found NegotiateStream uses the SSPI interface to perform authentication. I am under the (possibly misguided) impression that SSPI needes IIS to be installed serverside to operate. Please say I'm wrong... Idealy I would like to remove microsoft from the equation at this point. I dream of a secured API for tcp/ip comunication that was available on varius platforms (win, mac, linux, winCE) which has inbuit kerberos support (or similar) and can maintain a user/ password file server side (that is still secure if stolen). Kinda like programatical ssh. Does such a thing exist. -dm Hi, no IIS needed - IIS also uses SSPI...that's where the confusion may come from.. sure - use SSH - there is a .net library for it (commercial - you have to google for it - haven't tried it) --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Ok Im no securty expert (as you could guess). > [quoted text clipped - 14 lines] > > -dm Hi, ah - and btw - if the server implements Kerberos V5 - NegotiateStream should work as a client, regardless of the server OS/vendor --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Ok Im no securty expert (as you could guess). > [quoted text clipped - 14 lines] > > -dm Just found 2 opensource c# ssh libraries... I'm a happy camper now. http://www.routrek.co.jp/en/product/varaterm/granados.html http://www.tamirgal.com/home/dev.aspx?Item=sharpSsh Thanks for the help mate. -dm Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.