G
Guest
We have a need to prompt the user for their domain, username and password in
order to authenticate them against Active Directory. We have to support
Windows 2000, XP and 2003. I know that I can authenticate all of the
supported platforms using Directory Services/LDAPqueries but doing this
doesn't return a token (which I need) as in the case of LogonUser.
Unfortunately LogonUser requires "act as part of operating system" privliges
for Win 2000. Keith Brown has an SSPI work-around but I can't get it to work
in Beta2 of Whidbey. He basically uses the NegotiateStream class to perform a
handshake between client and server but I'm getting a "Authentication failed
because the remote party has closed the transport stream." error on the
AuthenticateAsClient method (code shown next).
MemoryStream couple = new MemoryStream();
using (NegotiateStream clientStream = new NegotiateStream(couple))
using (NegotiateStream serverStream = new NegotiateStream(couple))
{
string spn = WindowsIdentity.GetCurrent().Name;
NetworkCredential cred = new NetworkCredential(principal, password,
authority);
clientStream.AuthenticateAsClient(cred, spn, ProtectionLevel.None,
TokenImpersonationLevel.Impersonation);
serverStream.AuthenticateAsServer((NetworkCredential)CredentialCache.DefaultCredentials, ProtectionLevel.None, TokenImpersonationLevel.None);
return serverStream.IsAuthenticated ?
(WindowsIdentity)serverStream.RemoteIdentity : null;
}
I guess I'm wondering if anyone has been able to get his sample working or
has done something similar for Windows 2000 clients. I've found some samples
using the NegotiateStream class but they are opening sockets, etc and I don't
really want to do all that just to authenticate login credentials.
Also, can any of the experts on the board recommend best practices for
authenticating users in a client/server (winform) environment? Any comments
or suggestions would be greatly appreciated.
order to authenticate them against Active Directory. We have to support
Windows 2000, XP and 2003. I know that I can authenticate all of the
supported platforms using Directory Services/LDAPqueries but doing this
doesn't return a token (which I need) as in the case of LogonUser.
Unfortunately LogonUser requires "act as part of operating system" privliges
for Win 2000. Keith Brown has an SSPI work-around but I can't get it to work
in Beta2 of Whidbey. He basically uses the NegotiateStream class to perform a
handshake between client and server but I'm getting a "Authentication failed
because the remote party has closed the transport stream." error on the
AuthenticateAsClient method (code shown next).
MemoryStream couple = new MemoryStream();
using (NegotiateStream clientStream = new NegotiateStream(couple))
using (NegotiateStream serverStream = new NegotiateStream(couple))
{
string spn = WindowsIdentity.GetCurrent().Name;
NetworkCredential cred = new NetworkCredential(principal, password,
authority);
clientStream.AuthenticateAsClient(cred, spn, ProtectionLevel.None,
TokenImpersonationLevel.Impersonation);
serverStream.AuthenticateAsServer((NetworkCredential)CredentialCache.DefaultCredentials, ProtectionLevel.None, TokenImpersonationLevel.None);
return serverStream.IsAuthenticated ?
(WindowsIdentity)serverStream.RemoteIdentity : null;
}
I guess I'm wondering if anyone has been able to get his sample working or
has done something similar for Windows 2000 clients. I've found some samples
using the NegotiateStream class but they are opening sockets, etc and I don't
really want to do all that just to authenticate login credentials.
Also, can any of the experts on the board recommend best practices for
authenticating users in a client/server (winform) environment? Any comments
or suggestions would be greatly appreciated.