winforms authentication


Angelo[B]

Hi there, I have to implement winforms authentication on my little
document management tool.
It must implement 2 kinds of authentication:

1) simple user and pwd authentication with this information stored
in its database
2) winforms authentication:
- local if the application will run on a stand-alone machine
- network if the application will run on an Active Directory Domain

I need resources, patterns and best practices that talk about the second
scenario.

Can you please help me?
 

Pavel Minaev

Hi there, I have to implement winforms authentication on my little
document management tool.
It must implement 2 kinds of authentication:

1) simple user and pwd authentication with this information stored
in its database
2) winforms authentication:
   - local if the application will run on a stand-alone machine
   - network if the application will run on an Active Directory Domain

I need resources, patterns and best practices that talk about the second
scenario.

What is "WinForms authentication", even? I am not aware of any such.
 

Pavel Minaev

I mean, authentication for desktop application, not web application.

To break this and your previous post down, you need to authenticate in
a WinForms application against:

1. Your own backend for storing user credentials.
2. Local Windows user accounts.
3. Domain Windows user accounts.

The latter two are really the same, since, if you use built-in Windows
functionality for that, it will transparently do the right thing (note
that for case #3, even if the machine is part of a domain, it can
still have some local accounts, and it will authenticate against them,
too).

The first one should be pretty obvious - keep a database of logins and
password hashes (don't forget about the salt!), have a form to input
those, validate against the database.

For Windows authentication, it depends on what you're actually trying
to do. Keep in mind that any Windows process is already running under
the account (and privileges) of the user who started it. Usually,
that's really all you need; i.e., if the user logged into the system
and ran your application, then he had the rights to do so.
Furthermore, since everything the application does will also be done
under that user's identity, you can just assign appropriate
permissions to all resources (files, databases etc) that the
application uses.

If you actually need to force your application (or some parts of it)
to run in the context of a different user account, then you'll need to
prompt for username/password, use WinAPI LogonUser function to log in
using the supplied credentials, and then impersonate the logged-in
user. Here is a blog post that explains how to do that:
http://mikehadlow.blogspot.com/2007/01/easy-impersonation.html

If you just need to validate whether the user is who he says he is or
not, without impersonating him (if you do, then you should really ask
yourself why you're doing that... security-wise this is a rather
suspicious thing), then you can still use LogonUser, but only to check
if it's successful or not, immediately disposing of the returned token
after the call.
 
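For the Windows cases (local or domain accounts), the following is an added C# example, not code from the thread or from the linked blog post, showing the two uses of LogonUser described above: validating credentials and immediately discarding the token, or impersonating the logged-on user for one block of work. The P/Invoke declaration, constants and error code are the documented Win32 ones; `WindowsIdentity.RunImpersonated` and `SafeAccessTokenHandle` require .NET Framework 4.6 or later (or .NET Core), which is an assumption about the target framework.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example (not from the thread): Windows credential checks with LogonUser.
// domain is "." for an account local to this machine, or the NetBIOS domain name
// for an Active Directory account; Windows picks the right authority either way.
public static class WindowsLogon
{
    const int LOGON32_LOGON_INTERACTIVE = 2; // primary token, behaves like a desktop logon
    const int LOGON32_LOGON_NETWORK = 3;     // cheapest type; enough to verify a password
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;    // "unknown user name or bad password"

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider,
                                 out SafeAccessTokenHandle token);

    // Validation only: the token is closed right after the call and never used.
    // Returns false for a wrong user name/password; throws for other failures
    // (account disabled or locked, logon hours) so they are not mistaken for a typo.
    public static bool ValidateCredentials(string user, string domain, string password)
    {
        SafeAccessTokenHandle token;
        bool ok = LogonUser(user, domain, password,
                            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        int error = Marshal.GetLastWin32Error(); // read before anything else can overwrite it
        token.Dispose();                         // discard immediately (no-op if logon failed)
        if (ok) return true;
        if (error == ERROR_LOGON_FAILURE) return false;
        throw new Win32Exception(error);
    }

    // Impersonation: run one delegate under the supplied account, then drop the token.
    // Only use this when part of the work really must run as another user.
    public static T RunAs<T>(string user, string domain, string password, Func<T> work)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        using (token)
            return WindowsIdentity.RunImpersonated(token, work);
    }
}
```

Usage from a login form: `WindowsLogon.ValidateCredentials(userBox.Text, Environment.UserDomainName, pwdBox.Text)` and then clear the password textbox. Failed attempts show up in the Windows Security event log as ordinary logon failures, so an administrator can monitor them without any extra logging in the application.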

Angelo[B]

If you just need to validate whether the user is who he says he is or
not, without impersonating him (if you do, then you should really ask
yourself why you're doing that... security-wise this is a rather
suspicious thing), then you can still use LogonUser, but only to check
if it's successful or not, immediately disposing of the returned token
after the call.

Thank you for the effective reply. It strikes my need.

I am building a simple document management application.
When the user runs the application, I have to ask for user and password to
be sure of the user's identity,
just to avoid other people doing strange things.

So I think that I will simply request to confirm user and password to
provide access to the application.
 

J.B. Moreno

Angelo said:
Thank you for the effective reply. It strikes my need.

I am building a simple document management application.
When the user runs the application, I have to ask for user and password to
be sure of the user's identity,


You already know the user's identity -- it's inherent in the system. To
use the computer you have to log in, and when you log in the system knows who
you are.

The exception to this is when the user walks away from the computer
after logging in without locking the computer. But that's not a
scenario that you should give any consideration, because there's
nothing to keep them from logging into the computer, logging into your
application, and then walking away without locking the computer down.
 
