D
DAXU
Hello,
I use NegotiateStream to test Kerberos and delegation in my windows
2003 test domain. My code is this:
I have setup spn and account properties etc.
My problem is that when my client uses:
clientSide.AuthenticateAsClient(new
NetworkCredential(userName, password, domain),
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
it will work. But if I use the defaultnetworkcredential,
serverSide.AuthenticateAsClient
(CredentialCache.DefaultNetworkCredentials,
ProtectionLevel.EncryptAndSign,
TokenImpersonationLevel.Delegation);
it fails and saying it can only achieve impersonation. I checked the
event viewer, it shows logon and logoff attempts from Jerry-DEV, which
is the machine's name, not the user that client was running on.
What I suspect is that maybe the AuthenticateAsClient didn't pass
current user, instead passed current machine's networkcredential? I
tried to impersonate current user before calling
defaultnetworkcredential, but it didn't make any differences.
Can someone help? the code snippet is at below:
private static WindowsIdentity LogonUserTCPListen(string userName,
string domain, string password)
{
// need a full duplex stream - loopback is easiest way to
get that
TcpListener tcpListener = new
TcpListener(IPAddress.Loopback, 0);
tcpListener.Start();
WindowsIdentity id = null;
tcpListener.BeginAcceptTcpClient(delegate(IAsyncResult
asyncResult)
{
try
{
using (NegotiateStream serverSide = new
NegotiateStream(
tcpListener.EndAcceptTcpClient(asyncResult).GetStream()))
{
serverSide.AuthenticateAsServer
(CredentialCache.DefaultNetworkCredentials,
ProtectionLevel.EncryptAndSign,
TokenImpersonationLevel.Delegation);
id =
(WindowsIdentity)serverSide.RemoteIdentity;
}
}
catch
{ id = null; }
}, null);
using (NegotiateStream clientSide = new
NegotiateStream(new TcpClient(Server,
((IPEndPoint)tcpListener.LocalEndpoint).Port).GetStream()))
{
clientSide.AuthenticateAsClient(new
NetworkCredential(userName, password, domain),
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
}
return id;
}
}
finally
{
impersonationContext.Undo();
}
}
Kerberos and delegation (which means that I have set SPN right). But
when I do impersonation, it can not access unc path "\
\10.10.10.7\home" which is on another machine. The error is access
denied. The most strangest thing is that if I put computer name there
instead of ip address in the UNC path, then it works.
Can someone give me some ideas?
Cheers,
Jerry
I use NegotiateStream to test Kerberos and delegation in my windows
2003 test domain. My code is this:
I have setup spn and account properties etc.
My problem is that when my client uses:
clientSide.AuthenticateAsClient(new
NetworkCredential(userName, password, domain),
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
it will work. But if I use the defaultnetworkcredential,
serverSide.AuthenticateAsClient
(CredentialCache.DefaultNetworkCredentials,
ProtectionLevel.EncryptAndSign,
TokenImpersonationLevel.Delegation);
it fails and saying it can only achieve impersonation. I checked the
event viewer, it shows logon and logoff attempts from Jerry-DEV, which
is the machine's name, not the user that client was running on.
What I suspect is that maybe the AuthenticateAsClient didn't pass
current user, instead passed current machine's networkcredential? I
tried to impersonate current user before calling
defaultnetworkcredential, but it didn't make any differences.
Can someone help? the code snippet is at below:
private static WindowsIdentity LogonUserTCPListen(string userName,
string domain, string password)
{
// need a full duplex stream - loopback is easiest way to
get that
TcpListener tcpListener = new
TcpListener(IPAddress.Loopback, 0);
tcpListener.Start();
WindowsIdentity id = null;
tcpListener.BeginAcceptTcpClient(delegate(IAsyncResult
asyncResult)
{
try
{
using (NegotiateStream serverSide = new
NegotiateStream(
tcpListener.EndAcceptTcpClient(asyncResult).GetStream()))
{
serverSide.AuthenticateAsServer
(CredentialCache.DefaultNetworkCredentials,
ProtectionLevel.EncryptAndSign,
TokenImpersonationLevel.Delegation);
id =
(WindowsIdentity)serverSide.RemoteIdentity;
}
}
catch
{ id = null; }
}, null);
using (NegotiateStream clientSide = new
NegotiateStream(new TcpClient(Server,
((IPEndPoint)tcpListener.LocalEndpoint).Port).GetStream()))
{
clientSide.AuthenticateAsClient(new
NetworkCredential(userName, password, domain),
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
}
return id;
}
}
finally
{
impersonationContext.Undo();
}
}
Kerberos and delegation (which means that I have set SPN right). But
when I do impersonation, it can not access unc path "\
\10.10.10.7\home" which is on another machine. The error is access
denied. The most strangest thing is that if I put computer name there
instead of ip address in the UNC path, then it works.
Can someone give me some ideas?
Cheers,
Jerry