Willy Denoyette said:
Sorry, got confused by the NTLM database ;-)

Just to eliminate possible confusion: you have a NT4 domain with a number of domain members (servers/workstations), right? You have WSE 3.0 clients connecting to WSE 3.0 services over a local network, and you want to authenticate the client using NTLM, because Kerberos is not an option (NT4 domain).

Now, WSE does not support NTLM network authentication, but you would like to authenticate the clients (Windows users). Well, network authentication is not possible at all; there is simply no authentication handshake between the WSE server and client.

The only possibility you have to validate a user in such a scenario is by passing the username and password from the client to the server and letting the server perform the "validation" of the credentials supplied, but keep in mind that passing clear text secrets is insecure.

Validating the user at the webservice can be done by calling the Win32 API LogonUser(), using the username, password and domain collected from the client as arguments. Note that calling LogonUser has a serious drawback: it needs TCB privileges on W2K and lower. Note also that the purpose of LogonUser is to authenticate and return an access token which can be used to impersonate the caller, but I don't read that this is a requirement.

You could also opt for a simple authentication scheme against a local identity store like ADAM (sure, this needs W2K3 or XP SP2); you could even authenticate against the NT4 DC over NTLM using a ProxyUserObject in ADAM, but I seriously doubt this is all worth the trouble, since you are not authenticating end to end anyway.
Willy.
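As an added example (not from Willy's post, nor WSE's own code): a C# validator that performs the LogonUser() check the post describes, using .NET 2.0-era P/Invoke. The class name NtLogonValidator, the method Validate and the choice of LOGON32_LOGON_NETWORK are my assumptions; hooking it into a WSE username token manager is not shown.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Validates a domain\user + password pair against the NT4 DC by calling Win32
// LogonUser(). LOGON32_LOGON_NETWORK is used because the service only needs a
// yes/no answer, not an interactive session or an impersonation token. As the
// post notes, on W2K and earlier the calling process needs the TCB privilege.
public static class NtLogonValidator
{
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error codes that mean "the DC answered, and the answer is no".
    private const int ERROR_LOGON_FAILURE = 1326;
    private const int ERROR_ACCOUNT_DISABLED = 1331;
    private const int ERROR_ACCOUNT_LOCKED_OUT = 1909;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Returns true only when the credentials were accepted. Rejections return
    // false; any other failure (e.g. missing TCB privilege, DC unreachable) is
    // thrown so a misconfigured service does not silently reject every caller.
    public static bool Validate(string domain, string user, string password)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            if (LogonUser(user, domain, password,
                          LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
                return true; // token is not used for impersonation; closed below

            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE || err == ERROR_ACCOUNT_DISABLED
                || err == ERROR_ACCOUNT_LOCKED_OUT)
                return false;
            throw new Win32Exception(err);
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token); // never leak the token
        }
    }
}
```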