Windows authentication over remoting... possible?

ThunderMusic

Hi,

I have to develop an application that will consist of a service and a
Windows Forms application... the service could be on a distant server but I
need to authenticate the user as being part of the same domain. So when the
application starts, I can send something to the remote service and query for
some objects and the service can give me the objects if I'm the right user
(part of the right group). I don't want to send username and password nor
password hash over the network, so if there is a better way (just like SQL
Server does or many other apps), I would like to know it (maybe if you have
a link).

Thanks

ThunderMusic
 
Nicholas Paldino [.NET/C# MVP]

ThunderMusic,

Not easily. You can host your remoted objects in IIS, and then it would
use the authentication mechanism that you have configured in IIS.

Also, I believe this will force you to design your objects in a certain
way (for stateless calls, since the mechanism for HTTP is stateless). I
could be wrong here.

I would honestly not use or recommend remoting as a distributed object
technology. If you have to develop your app now (meaning, get it out the
door tomorrow), then I would suggest using COM+/Enterprise Services.

If you have some time to spare, and don't mind developing with
pre-release software, I would look into Windows Communication Foundation.

Either way, remoting is a dead-end in my book.

Hope this helps.
 
Tom Spink

Hi ThunderMusic,

This may be of help:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch11.asp
 
ThunderMusic

Ok, I found the WindowsPrincipal class, and it's serializable. Does an
instance of this class guarantee the user is logged on to a computer and has
been authenticated, or is there a way to query the domain server if the user
is a rightful user? I mean, I must be sure the user making the request (or
query) is who he claims to be and is logged on the domain. My app does not
allow impersonation, but I don't want anybody trying to impersonate
someone on my network and claim to be, let's say, the president of the
company and start doing anything he wants with the remote objects... you
know what I mean? I need a way to secure things so only an authenticated
user or a user I can authenticate can have access to the objects the service
is providing. And I definitely need to know the domain groups this user
belongs to...

Thanks

ThunderMusic
 
Nicholas Paldino [.NET/C# MVP]

ThunderMusic,

Unfortunately, no, it does not allow that. All it is is a
representation of a user. Anyone could theoretically make one and send it
to you. It doesn't tell you if it is logged on or not.
 
schneider

Just check on the client, put a strong name on the client. You can even do
some link demands.

Schneider
 
ThunderMusic

Ok, so is there a way I can get the token Windows sends us when we log on and
send it to my service so the service can verify with the domain server if
this token is valid?

thanks

ThunderMusic

 
ThunderMusic

Ok, I answered part of my question:
System.Security.Principal.WindowsIdentity.GetCurrent().Token.... So now is
there a way I can deal with this in my service? Can I send the
WindowsIdentity instance over remoting?

thanks

ThunderMusic

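As an added example (not code from the thread, and not Microsoft's own), this sketches the two points Nicholas makes: a principal or token handed over by the client proves nothing, whereas a remoted object hosted in IIS with Windows authentication can authorize from the identity the host already verified. The class, group name and web.config settings are assumed for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Hypothetical remoted object hosted in IIS under ASP.NET. Assumed web.config:
//   <authentication mode="Windows" />   <authorization><deny users="?" /></authorization>
// so IIS authenticates the caller (Negotiate/NTLM, no password on the wire) and
// ASP.NET sets Thread.CurrentPrincipal before any method below runs.
public class DocumentService : MarshalByRefObject
{
    // Constructed placeholder group name, not from the thread.
    private const string AllowedGroup = @"EXAMPLEDOMAIN\DocumentReaders";

    // Right way: authorize against the identity the host already verified.
    public string[] GetDocuments()
    {
        WindowsPrincipal caller = Thread.CurrentPrincipal as WindowsPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller was not authenticated by the host.");
        if (!caller.IsInRole(AllowedGroup))
            throw new UnauthorizedAccessException("Caller is not in " + AllowedGroup + ".");

        // caller.Identity.Name is the DOMAIN\user the domain controller vouched for, and
        // IsInRole checks the group SIDs of that logon session, not a client-sent claim.
        return new string[] { "report-for-" + caller.Identity.Name + ".txt" }; // constructed
    }

    // Wrong way (the design the thread discusses): trusting what the client sends.
    // A deserialized principal (GenericPrincipal or WindowsPrincipal) arriving as an
    // argument is only data the sender built, and WindowsIdentity.GetCurrent().Token
    // is an IntPtr handle meaningful only inside the process that opened it, so the
    // server cannot check either against the domain. Kept only to show the shape to avoid.
    public string[] GetDocumentsUnsafe(IPrincipal claimedCaller)
    {
        if (claimedCaller.IsInRole(AllowedGroup))   // answers whatever the sender chose
            return new string[] { "report-for-" + claimedCaller.Identity.Name + ".txt" };
        throw new UnauthorizedAccessException();
    }
}
```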
 
Nicholas Paldino [.NET/C# MVP]

ThunderMusic,

I have to ask, why not use one of the two solutions I posted earlier?
Trying to do this yourself will lead to a good number of holes in your
solution.

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
ThunderMusic

Because WCF is still beta and the enterprise I work for avoids using beta
versions because they had big problems with them in the past... and not
COM+ because no one knows anything about it here... the only thing we know
is remoting... even if it's "a dead technology" we can't afford using WCF
and having eventual problems. Our apps will stay local to the enterprise and
are not targeted at the public, but we just want to make sure that no one will
be able to clone one of our users from the domain... (well, at least, as
much as possible)

Maybe if you have some link I can look at to start using COM+/Enterprise
Services.... Is it as easy as Remoting? I mean, providing the client app
with interfaces and then getting a remote copy of the object and calling the
interface methods? (We would work by marshaling, not as WellKnownObjects)

thanks

ThunderMusic


 
ThunderMusic

Seems pretty interesting... I'll read it and give you feedback as to whether it
helped me, but I think it will.. ;) thanks a lot

ThunderMusic
 
ThunderMusic

thanks for correcting, I didn't know... everywhere I went, people kept
saying "Remoting is deprecated"... so I started to believe it...

thanks

ThunderMusic
 
Oisin

Nicholas Paldino said:
I would honestly not use or recommend remoting as a distributed object
technology. If you have to develop your app now (meaning, get it out the
door tomorrow), then I would suggest using COM+/Enterprise Services.

Remoting isn't a distributed object technology; it's a communication
protocol. In fact for .NET to .NET comms on a LAN, the recommendation is
to use remoting AND COM+/ES.

- Oisin
 