4

I am developing a TcpClient/TcpListener based client-server application. Now I have come to the point where I need to authenticate the user. I could use the PrincipalContext class on the server side and request username/password/domain from the client, but I don't want to send the credentials over the network. Additionally, I don't want to ask the user for their credentials again. So, I know the Citrix Receiver, which supports pass-through authentication. It uses the currently logged-on user, does not request any credentials, and authenticates the user against the server. It just works.

How can I do this in my application? I thought about some kind of token which can be sent to the server, but I could not find any solution.

nikeee
    I don't know how Citrix affects this situation, but it otherwise sounds like a candidate for Windows impersonation. Wrapping your communication in a [NegotiateStream](http://msdn.microsoft.com/en-us/library/system.net.security.negotiatestream.aspx) and calling the appropriate `AuthenticateAs...` methods should let the client specify the impersonation level it wants to allow, with the server impersonating the client using the `RemoteIdentity` property on the stream. – anton.burger May 18 '12 at 10:43
  • That sounds great. You can post this as an answer. This is obviously the way to do this. It's that easy. Thank you! – nikeee May 18 '12 at 11:10

3 Answers

2

Wrap the NetworkStream in a NegotiateStream, and call the appropriate NegotiateAs... methods on both client and server.

The client can specify what impersonation level to allow, and the server can specify what level it requires (minimally Identification in order to determine client identity, but if you need to access local or network resources as the client, you could also specify Impersonation or, with the right network configuration, Delegation).

Once authenticated, the server can determine the client's identity and/or impersonate using the NegotiateStream's RemoteIdentity property.

As I mentioned in my comment, I don't know how Citrix affects this setup (never having used it), but if it's basically completely transparent to the application and everything uses standard Windows credentials, then this should work.

anton.burger
1

The .NET Framework does have functions for Diffie-Hellman key exchange:

http://de.wikipedia.org/wiki/Diffie-Hellman-Schl%C3%BCsselaustausch

http://www.codeproject.com/Articles/24632/Shared-Key-Generation-using-Diffie-Hellman

Bruno Rohée
Manawyrm
  • If I want to implement an encrypted connection, I'd use the SSlStream Class. I'd just wrap it around the NetworkStream. http://msdn.microsoft.com/en-us/library/system.net.security.sslstream.aspx But that's not what I am looking for. – nikeee May 18 '12 at 10:34
0

If you are writing both the client and the server parts of the application, then you can encrypt the user's credentials for passing across the network and decrypt at the other end.

Working on the assumption that, on the client machine, a malicious user could extract the encryption key from your application (using strings or similar), symmetric encryption is not suitable. Therefore asymmetric (public-private) encryption seems suitable. Generate a pair of keys; the server's key should remain private (and only on the server), and the client's key can be included in the application on the client machines. Then it doesn't matter if the key is extracted from the app, as credentials can only be decrypted with the secret and secure private key on the server. This class has done most of the ground work for you.

Rich
  • I don't want to work with **any** credentials. I want my client application to get the currently logged-on user and pass the authentication through, so that the user gets logged in automatically without being prompted for any credentials. It is possible, but I don't know how. – nikeee May 18 '12 at 10:31
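Rich's sketch (public key shipped in the client, private key only on the server) as an added example; this is not Rich's code and not the class his answer links to. Two things it adds that the sketch leaves out, both my assumptions about how it should be done rather than anything the answer states: a random nonce and a timestamp inside the encrypted payload so the server can refuse a captured blob that is replayed, and OAEP padding rather than the older PKCS#1 v1.5. Key generation is done in-process here only so the example runs; in the real design the private key is created once and never leaves the server.

```csharp
// Added example: credentials sealed to the server's RSA public key, with replay protection.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class EncryptedCredentialDemo
{
    const int FreshnessWindowSeconds = 300; // assumed clock-skew tolerance

    // Client side: only the public key is embedded in the app, so extracting it gains nothing.
    public static byte[] Seal(RSAParameters serverPublicKey, string user, string password)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);

        // nonce|unix-time|user|password. With a 2048-bit key and OAEP-SHA256 the plaintext
        // must stay under 190 bytes, which is plenty for a credential pair.
        string payload = string.Join("|",
            Convert.ToBase64String(nonce),
            DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(),
            user,
            password);

        using var rsa = RSA.Create();
        rsa.ImportParameters(serverPublicKey);
        return rsa.Encrypt(Encoding.UTF8.GetBytes(payload), RSAEncryptionPadding.OaepSHA256);
    }

    // Server side: holds the private key, checks freshness and one-time use before
    // handing the credentials to whatever validates them (e.g. PrincipalContext).
    public static (string user, string password) Open(RSA serverKey, byte[] blob, HashSet<string> seenNonces)
    {
        byte[] plain = serverKey.Decrypt(blob, RSAEncryptionPadding.OaepSHA256);
        string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '|' }, 4);
        if (parts.Length != 4) throw new CryptographicException("malformed payload");

        long sent = long.Parse(parts[1]);
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (Math.Abs(now - sent) > FreshnessWindowSeconds)
            throw new CryptographicException("stale credential blob");

        // A nonce seen before means the same ciphertext was captured and resent.
        if (!seenNonces.Add(parts[0]))
            throw new CryptographicException("replayed credential blob");

        return (parts[2], parts[3]);
    }

    static void Main()
    {
        using RSA serverKey = RSA.Create(2048);                       // demo only: generated here
        RSAParameters pub = serverKey.ExportParameters(false);         // this part ships in the client
        var seen = new HashSet<string>();

        byte[] blob = Seal(pub, "alice", "correct horse battery staple"); // constructed sample input
        var (user, _) = Open(serverKey, blob, seen);
        Console.WriteLine($"server accepted credentials for {user}");

        try { Open(serverKey, blob, seen); }
        catch (CryptographicException e) { Console.WriteLine($"second use rejected: {e.Message}"); }
    }
}
```

Even with these additions the server still ends up holding the plaintext password, and nothing in the exchange proves to the client that it is talking to the real server beyond the fact that only the holder of the private key can open the blob; the nonce set also needs a bounded lifetime (the freshness window) or it grows without limit.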