Hello group

I'm developing an C# Windows Forms application that I would like to deploy
using ClickOnce.

One of the computers that the application is deployed on, is a computer that
is always loged on as a generic "controlroom" user. This is necessary for
some of the other applications running on the computer.

On my application, the user should always logon as himself or herself.
Therefore I need to present a login form to the user as the first thing.

I have been considering using RunAs, but I'm not sure that is possible along
with ClickOnce, at least nok using the GUI of RunAs.

I have looked at the Windows API LogonUser, but that seems to be requiring
unsafe code permissions and FullTrust, and I was hoping that I could avoid
giving those permissions to the application, especially when I'm deploying
it using ClickOnce.

Do you have any alternative suggestions?

Thank you for your answer.

Regards
Anders Olsen

Do you really need authenticate against local computer ?
If your application will use a remote server (Web service, DB or anything),
you can try to authenticate against this service to check if the user can
access to the application...

Steve

"Anders K. Olsen" <(E-Mail Removed)> a écrit dans le message de news:
%(E-Mail Removed)...
> Hello group
>
> I'm developing an C# Windows Forms application that I would like to deploy
> using ClickOnce.
>
> One of the computers that the application is deployed on, is a computer
> that is always loged on as a generic "controlroom" user. This is necessary
> for some of the other applications running on the computer.
>
> On my application, the user should always logon as himself or herself.
> Therefore I need to present a login form to the user as the first thing.
>
> I have been considering using RunAs, but I'm not sure that is possible
> along with ClickOnce, at least nok using the GUI of RunAs.
>
> I have looked at the Windows API LogonUser, but that seems to be requiring
> unsafe code permissions and FullTrust, and I was hoping that I could avoid
> giving those permissions to the application, especially when I'm deploying
> it using ClickOnce.
>
> Do you have any alternative suggestions?
>
> Thank you for your answer.
>
> Regards
> Anders Olsen
>

"Steve B." <(E-Mail Removed)_swap_msn_and_com> wrote in message
news:%23vHI$(E-Mail Removed)...
> Do you really need authenticate against local computer ?
> If your application will use a remote server (Web service, DB or
> anything), you can try to authenticate against this service to check if
> the user can access to the application...

Hello Steve

Thank you for your answer.

I have been thinking about this. My application will have a server, and I
could do the authentication on the server. However, I would like to run my
client application as the correct user, so I would like to impersonate this
user even though the actual windows user is the "controlroom" user.

My reason for this is that I would like to call my web service methods as
the correct windows user, and use Windows build in authentication and
authorization on both the server and the client.

I don't know that much about impersonation, so I don't know if this is even
possible. My idea was that the first thing that happends is that the user is
authenticated and then the I would set Thread.CurrentPrincipal to a
WindowsPrincipal corresponding to the correct user (not the "controlroom"
user). It was my hope that the rest of the application would then run as the
correct user. I'm not sure if this is correct, e.g. if new threads will also
run as the correct user, or if threadpool threads will also run as the
correct user.

Regards
Anders

Forcing your server to be apart of the same active directory
domain (your users would be authenticated against their
windows accounts)?

Are you sure that is a good long term configuration?

What happens when the system admin folks want
to isolate your production servers from windows
account holders altogether?

--
Robbe Morris - 2004-2006 Microsoft MVP C#
Earn money answering .NET questions
http://www.eggheadcafe.com/forums/merit.asp





"Anders K. Olsen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Steve B." <(E-Mail Removed)_swap_msn_and_com> wrote in message
> news:%23vHI$(E-Mail Removed)...
>> Do you really need authenticate against local computer ?
>> If your application will use a remote server (Web service, DB or
>> anything), you can try to authenticate against this service to check if
>> the user can access to the application...
>
> Hello Steve
>
> Thank you for your answer.
>
> I have been thinking about this. My application will have a server, and I
> could do the authentication on the server. However, I would like to run my
> client application as the correct user, so I would like to impersonate
> this user even though the actual windows user is the "controlroom" user.
>
> My reason for this is that I would like to call my web service methods as
> the correct windows user, and use Windows build in authentication and
> authorization on both the server and the client.
>
> I don't know that much about impersonation, so I don't know if this is
> even possible. My idea was that the first thing that happends is that the
> user is authenticated and then the I would set Thread.CurrentPrincipal to
> a WindowsPrincipal corresponding to the correct user (not the
> "controlroom" user). It was my hope that the rest of the application would
> then run as the correct user. I'm not sure if this is correct, e.g. if new
> threads will also run as the correct user, or if threadpool threads will
> also run as the correct user.
>
> Regards
> Anders
>