Implement pass-through authentication in C#

I am developing a TcpClient / TcpListener client-server application. Now I have come to the point where I need to authenticate the user. I could use the PrincipalContext class on the server side and request the username / password / domain from the client, but I do not want to send credentials over the network. In addition, I do not want to ask the user for their credentials again. I know the Citrix receiver supports end-to-end authentication: it uses the currently logged-on user, does not request any credentials and does not authenticate the user on the server. It just works.

How can I do this in my application? I thought of some kind of token that can be sent to the server, but I did not find any solution.

+4
3 answers

Wrap the NetworkStream in a NegotiateStream and call the appropriate NegotiateAs... methods on both the client and the server.

The client can specify what level of impersonation is allowed, and the server can specify what level it requires (at minimum Identification to determine the client's identity, but if you need to access local or network resources as the client, you can also specify Impersonation or, with the proper network configuration, Delegation).

After authentication, the server can determine the client's identity and / or impersonate it using the NegotiateStream's RemoteIdentity.

As I mentioned in my comment, I don't know how Citrix affects this setup (never having used it), but if it is mostly completely transparent to the application and everything uses standard Windows credentials, then this should work.

+2
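The NegotiateStream exchange the answer above describes, written out as an added example (this is not code from the original thread or from the Citrix product mentioned). One process runs both ends over the loopback interface so the handshake can be watched end to end; the port number 9100, the service principal name "HOST/localhost" and the use of the logged-on user's default credentials on both sides are assumptions. The server side shows the checks worth making before trusting the channel: that authentication succeeded, that the negotiated protection level is what was asked for, and what impersonation level the client actually granted.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

// Added example, not from the original thread. Port and SPN are assumed values.
class NegotiateDemo
{
    const int Port = 9100;                    // assumed
    const string ServerSpn = "HOST/localhost"; // assumed; must match the account the server runs as

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        Task serverTask = ServeOneClientAsync(listener);

        using (var client = new TcpClient())
        {
            await client.ConnectAsync(IPAddress.Loopback, Port);
            using (var auth = new NegotiateStream(client.GetStream(), leaveInnerStreamOpen: false))
            {
                // DefaultNetworkCredentials is the logged-on user's token: nothing is typed
                // and no password crosses the wire. The client also caps what the server may
                // do with its identity (Identification = name me, but do not act as me).
                await auth.AuthenticateAsClientAsync(
                    CredentialCache.DefaultNetworkCredentials,
                    ServerSpn,
                    ProtectionLevel.EncryptAndSign,
                    TokenImpersonationLevel.Identification);

                byte[] hello = Encoding.UTF8.GetBytes("hello from client");
                await auth.WriteAsync(hello, 0, hello.Length);
            }
        }

        await serverTask;
        listener.Stop();
    }

    static async Task ServeOneClientAsync(TcpListener listener)
    {
        using (TcpClient conn = await listener.AcceptTcpClientAsync())
        using (var auth = new NegotiateStream(conn.GetStream(), leaveInnerStreamOpen: false))
        {
            // Server side: require integrity and confidentiality, and at least Identification.
            await auth.AuthenticateAsServerAsync(
                CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign,
                TokenImpersonationLevel.Identification);

            // Do not trust the stream until the negotiated properties match what was required.
            if (!auth.IsAuthenticated || !auth.IsEncrypted || !auth.IsSigned)
                throw new AuthenticationException("negotiated channel is weaker than required");

            IIdentity who = auth.RemoteIdentity;
            Console.WriteLine($"client: {who.Name} via {who.AuthenticationType}, " +
                              $"mutual={auth.IsMutuallyAuthenticated}, level={auth.ImpersonationLevel}");

            // With Identification the server can only name the caller. If the client had
            // granted Impersonation, RemoteIdentity is a WindowsIdentity whose token could be
            // used with WindowsIdentity.RunImpersonated to touch resources as that user.
            var buf = new byte[1024];
            int n = await auth.ReadAsync(buf, 0, buf.Length);
            Console.WriteLine($"received: {Encoding.UTF8.GetString(buf, 0, n)}");
        }
    }
}
```

On a domain member the negotiation will normally settle on Kerberos and IsMutuallyAuthenticated is true; on a standalone machine it falls back to NTLM, the SPN is not checked and the server is not authenticated to the client, which is why the server-side property checks are printed rather than assumed.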

If you write the client and server parts of the application, you can encrypt the user credentials for transmission over the network and decrypt at the other end.

Based on the assumption that on the client machine, an attacker can extract the encryption key from your application (using strings or similar), then symmetric encryption is not suitable. Therefore, asymmetric (public-private) encryption seems appropriate. Create a key pair, and the server key should remain private (and only on the server), and the client key can be included in the application on client machines. Then it does not matter if the key is extracted from the application, since the credentials can only be decrypted with the secret and protected private key on the server. This class has done most of the work for you.

0
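The public-key scheme this answer sketches, as an added example that is not code from the original thread. The key pair is generated inside the program only so that it runs on its own; in a deployment the private half stays on the server and the client ships with the exported SubjectPublicKeyInfo blob. The user name and password are constructed sample values. Unlike the NegotiateStream approach, this still carries the password across the network, so the envelope also includes a random nonce that the server is assumed to record and reject on a second sighting.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original thread. Key generation is here only to keep the
// snippet self-contained; the server would normally load its private key from storage.
class CredentialEnvelope
{
    // Client side: encrypt "nonce\nuser\npassword" with the server's public key (RSA-OAEP-SHA256).
    public static byte[] Seal(RSA serverPublicKey, string user, string password)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(16); // fresh per login, so ciphertexts never repeat
        byte[] plain = Encoding.UTF8.GetBytes($"{Convert.ToBase64String(nonce)}\n{user}\n{password}");
        return serverPublicKey.Encrypt(plain, RSAEncryptionPadding.OaepSHA256);
    }

    // Server side: decrypt with the private key and split the three fields back out.
    public static (string nonce, string user, string password) Open(RSA serverPrivateKey, byte[] blob)
    {
        byte[] plain = serverPrivateKey.Decrypt(blob, RSAEncryptionPadding.OaepSHA256);
        string[] parts = Encoding.UTF8.GetString(plain).Split('\n', 3);
        if (parts.Length != 3)
            throw new CryptographicException("malformed credential envelope");
        return (parts[0], parts[1], parts[2]);
    }

    static void Main()
    {
        using RSA serverKey = RSA.Create(3072);                     // private half: server only
        byte[] publicOnly = serverKey.ExportSubjectPublicKeyInfo(); // this is what the client embeds

        // The client holds nothing but the public key, so extracting it from the binary reveals nothing.
        using RSA clientView = RSA.Create();
        clientView.ImportSubjectPublicKeyInfo(publicOnly, out _);

        byte[] blob = Seal(clientView, "CONTOSO\\alice", "constructed-sample-password"); // constructed values
        var (nonce, user, password) = Open(serverKey, blob);
        Console.WriteLine($"user={user} nonce={nonce} passwordLength={password.Length}");
    }
}
```

OAEP with a 3072-bit key leaves room for a few hundred bytes of plaintext, which is enough for the three fields; anything larger would need a hybrid scheme with a symmetric session key. The server would verify the decrypted user name and password against its directory (for instance with the PrincipalContext class the question mentions) and keep the nonce in a seen-set for as long as a replay would matter.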

Source: https://habr.com/ru/post/1413135/
