6

Possible Duplicate:
Authenticating users using Active Directory in Client-Server Application

I'm attempting a single sign-on approach in my program using unmanaged C++, and need to determine if the current windows user is authenticated in my domain. If I can find a way to know that the user has been authenticated, I'll allow him into my desktop application without requiring a password (usernames are the same in my app and on domain).

I can authenticate directly against Active Directory using ADsOpenObject(), but that requires a username, password and privileges; I need to do it only with a username, and with no input from the user himself.

With .net I could use something from System.DirectoryServices, like in this thread.

As far as I've found out, this task may involve analyzing Windows security kerberos tokens to do properly. This was thoroughly discussed in this thread and touched upon for Java in this thread. Though I do not need strict SSO, since my app does not try to access anything related to domain.

Is the SSPI ticket way the only way, or can I exploit some property of ADSI/WinLogon/CredentialsCache to make it work?

petrobrush
  • Presumably the application has to connect to a server, either a remote system or a service on the local system? The mechanism by which this connection is made is probably the most important factor in determining how best to implement single-sign-on. – Harry Johnston Oct 05 '11 at 21:01
  • Correct, it connects to a remote web-server, written by us. Part of the trick will be relaying to this server that my desktop application has been accessed by a validated user. And the web-server may not have access to AD. – petrobrush Oct 07 '11 at 07:51
  • To clarify, then: do you expect the desktop application to *prove* to the remote web service that the user has been validated? The way the question is worded it sounds as if you expect the remote web service to take the application's word for it. – Harry Johnston Oct 07 '11 at 21:20
  • Yes, I do. But not by simply setting a bool during login, of course. I just wanted an easier API than SSPI to send some AD-server signed access key that would do the trick, and now I realize there isn't. – petrobrush Oct 10 '11 at 07:33
  • I think [this](http://stackoverflow.com/questions/1337923/authenticating-users-using-active-directory-in-client-server-application/1337959#1337959) stack overflow post answers my question as well. Since I seem forced to use the SSPI exchange loop. – petrobrush Oct 10 '11 at 07:38
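The SSPI exchange the comments converge on, shown as an added example that is not part of the original question or the linked post. It runs both ends of a Negotiate handshake on one machine over loopback TCP using .NET's NegotiateStream, which wraps the same SSPI calls an unmanaged C++ client would make (AcquireCredentialsHandle and InitializeSecurityContext on the client, AcceptSecurityContext on the server). The point it demonstrates is that the server obtains the caller's identity from the security context, not from anything the client sends in its payload. PowerShell is used so the whole exchange fits in one script; the port number and the empty SPN are assumptions, as is that no SPN is registered for the test account (so Negotiate selects NTLM on loopback; with a registered SPN it would select Kerberos).

```powershell
# Added example, not code from the original post. Both ends of an SSPI Negotiate
# handshake over loopback TCP. Assumptions: Windows host, port 50123 is free, no SPN
# is registered for the test account (Negotiate will fall back to NTLM).

$port      = 50123
$targetSpn = ''     # assumption: no SPN; a real deployment passes e.g. 'HTTP/app.dom.fr'
$cred      = [System.Net.CredentialCache]::DefaultNetworkCredentials   # current logon session, no password
$level     = [System.Net.Security.ProtectionLevel]::EncryptAndSign
$imp       = [System.Security.Principal.TokenImpersonationLevel]::Identification

$listener = New-Object System.Net.Sockets.TcpListener ([System.Net.IPAddress]::Loopback, $port)
$listener.Start()
try {
    # Connect before accept: the connect completes against the listen backlog, so
    # neither call blocks the single script thread.
    $clientSock = New-Object System.Net.Sockets.TcpClient
    $clientSock.Connect([System.Net.IPAddress]::Loopback, $port)
    $serverSock = $listener.AcceptTcpClient()

    $server = New-Object System.Net.Security.NegotiateStream ($serverSock.GetStream(), $false)
    $client = New-Object System.Net.Security.NegotiateStream ($clientSock.GetStream(), $false)

    # Server side (AcceptSecurityContext loop) runs asynchronously on the thread pool;
    # the client side drives InitializeSecurityContext synchronously on this thread.
    $pending = $server.BeginAuthenticateAsServer($cred, $level, $imp, $null, $null)
    $client.AuthenticateAsClient($cred, $targetSpn, $level, $imp)
    $server.EndAuthenticateAsServer($pending)

    $id = $server.RemoteIdentity          # WindowsIdentity built from the SSPI context
    "Server authenticated : $($id.Name) ($($id.AuthenticationType)), authenticated=$($id.IsAuthenticated)"
    "Client mutual auth   : $($client.IsMutuallyAuthenticated)  (false for NTLM, true for Kerberos)"
    "Channel protection   : signed=$($server.IsSigned) encrypted=$($server.IsEncrypted)"

    # Application data now travels signed and sealed. The client sends a *claimed*
    # username; the server compares it with the SSPI-established identity instead of
    # trusting it (this is what "relaying that the user is validated" has to mean).
    $claim = [System.Text.Encoding]::UTF8.GetBytes("user=$env:USERNAME")
    $client.Write($claim, 0, $claim.Length)
    $buf = New-Object byte[] 1024
    $n   = $server.Read($buf, 0, $buf.Length)
    $claimed = [System.Text.Encoding]::UTF8.GetString($buf, 0, $n).Substring(5)
    $actual  = $id.Name.Split('\')[-1]     # strip DOMAIN\ from the token name
    if ([string]::Equals($claimed, $actual, 'OrdinalIgnoreCase')) {
        "Claimed '$claimed' matches token identity '$($id.Name)': grant access"
    } else {
        "Claimed '$claimed' does NOT match token identity '$($id.Name)': reject"
    }
}
finally {
    foreach ($s in @($client, $server, $clientSock, $serverSock)) { if ($s) { $s.Dispose() } }
    $listener.Stop()
}
```

Two practical consequences follow from this exchange. The server side has to be able to complete the handshake itself: for NTLM that means pass-through validation to a domain controller, for Kerberos a service account (or machine account) holding the key for the SPN the client targets, so a web server with no path to AD cannot verify the token on its own. And the client never has to handle a password; the credentials come from the existing logon session, which is the single sign-on behaviour the question asks for.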

2 Answers

2

This is a very simple way, but you can check the environment variables for the user:

On a Workgroup :

COMPUTERNAME=JPBHPP2
LOGONSERVER=\\JPBHPP2
USERDOMAIN=JPBHPP2

On a Domain

COMPUTERNAME=WM2008R2ENT
LOGONSERVER=\\WM2008R2ENT
USERDNSDOMAIN=DOM.FR
USERDOMAIN=DOM

Here it's not so evident, because the user is logged on to the server, but USERDOMAIN is different from COMPUTERNAME.

There is also the GetUserNameEx API that can do the job:

BOOLEAN WINAPI GetUserNameEx(
  __in     EXTENDED_NAME_FORMAT NameFormat,
  __out    LPTSTR lpNameBuffer,
  __inout  PULONG lpnSize
);
JPBlanc
  • Whatever; who is speaking of security here? **Determining** does not mean verifying. But clearly it's a very basic answer; as far as detecting is concerned, I think it can do the job. – JPBlanc Oct 05 '11 at 16:36
  • I apologize for using vague terminology, I will in fact need to authenticate the user. – petrobrush Oct 07 '11 at 08:00
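The two checks the answer describes, side by side, as an added example that is not part of the original answer. It reads the environment variables the answer lists and calls the same GetUserNameEx the answer quotes (through P/Invoke, so the script exercises the Win32 function rather than a .NET substitute), then overwrites USERDOMAIN in its own process to show why the environment is only a hint: the environment flips, the token does not. The assumptions are a Windows host and an interactive logon; the names printed are whatever the machine returns.

```powershell
# Added example, not code from the original answer. Environment heuristic vs. the
# logon token (GetUserNameEx). Assumption: run interactively on Windows.

Add-Type -Namespace Win32 -Name Secur32 -MemberDefinition @'
[DllImport("secur32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
[return: MarshalAs(UnmanagedType.U1)]   // the API returns a 1-byte BOOLEAN, not a 4-byte BOOL
public static extern bool GetUserNameEx(int nameFormat, System.Text.StringBuilder lpNameBuffer, ref uint lpnSize);
'@

function Get-UserNameEx {
    # EXTENDED_NAME_FORMAT values: 2 = NameSamCompatible (DOMAIN\user), 8 = NameUserPrincipal (user@dom.fr)
    param([int]$Format)
    $size = [uint32]1024
    $sb   = New-Object System.Text.StringBuilder ([int]$size)
    if ([Win32.Secur32]::GetUserNameEx($Format, $sb, [ref]$size)) { return $sb.ToString() }
    return $null   # fails with ERROR_NONE_MAPPED for a local account when asking for a UPN
}

function Test-DomainLogonByEnvironment {
    # The answer's heuristic: on a workgroup machine USERDOMAIN equals COMPUTERNAME.
    # Caveat: the environment belongs to the user who started the process.
    return -not [string]::Equals($env:USERDOMAIN, $env:COMPUTERNAME, 'OrdinalIgnoreCase')
}

function Test-DomainLogonByToken {
    # DOMAIN\user from the access token. Still not proof to a remote party, but it
    # cannot be changed by editing environment variables.
    $sam = Get-UserNameEx -Format 2
    if (-not $sam) { return $false }
    $domain = $sam.Split('\')[0]
    # MachineName comes from GetComputerName, not from $env:COMPUTERNAME
    return -not [string]::Equals($domain, [System.Environment]::MachineName, 'OrdinalIgnoreCase')
}

"Environment : USERDOMAIN=$env:USERDOMAIN COMPUTERNAME=$env:COMPUTERNAME -> domain logon: $(Test-DomainLogonByEnvironment)"
"Token (SAM) : $(Get-UserNameEx -Format 2) -> domain logon: $(Test-DomainLogonByToken)"
"Token (UPN) : $(Get-UserNameEx -Format 8)   (empty for a local account)"

# Spoof: overwrite the environment in this process only. The heuristic flips, the token does not.
$env:USERDOMAIN = 'FAKEDOM'
"After spoof : environment says $(Test-DomainLogonByEnvironment), token says $(Test-DomainLogonByToken)"
```

Either check only tells the desktop application who the local session belongs to; neither produces anything a remote server could verify, which is the distinction the comment below draws between determining and verifying.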
0

You could use the ADsGetObject function, if you want to bind with the current credentials, and check whether the user is authenticated in a specific domain.

0xbadf00d
  • Funny, I thought calling [ADsOpenObject()](http://msdn.microsoft.com/en-us/library/aa772238) with blank username and password was supposed to work the same way as ADsGetObject(), and it didn't. But while this works for me right now, it may not work for our other users because one needs read rights in active directory. This flaw was addressed [here](http://stackoverflow.com/questions/7111618/win32-how-to-validate-credentials-against-active-directory). While this may in some cases solve one part of the problem, I will also need to relay to my server that this user is in fact validated. – petrobrush Oct 07 '11 at 07:58
  • @petrobrush - Did you read the recommendation from the Microsoft Support: http://support.microsoft.com/kb/180548/en-us – 0xbadf00d Oct 07 '11 at 16:17
  • Yes, I have. Hence: "Is the SSPI ticket way the only way.. ?" And I guess it is, so I'll have to run with it. – petrobrush Oct 10 '11 at 07:23
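The bind with current credentials that the answer suggests, as an added example that is not part of the original answer. It performs a serverless ADSI bind (no username or password supplied, so the current security context is used, as ADsGetObject does from C++), then reads the caller's own account object by the SID taken from the access token rather than by a name the user supplies. The assumptions are a domain-joined Windows host, a reachable domain controller, and read access to the caller's own object; as the comment above notes, without read rights the bind or the attribute read fails, and the function reports that as "cannot confirm" rather than as success.

```powershell
# Added example, not code from the original answer. Serverless ADSI bind with the
# current credentials, then a lookup of the caller's own object by token SID.
# Assumptions: domain-joined host, reachable DC, read access to the caller's object.

function Test-CurrentUserInDomain {
    try {
        # Serverless bind: ADSI locates a DC for the logon domain and binds with the
        # current security context. RootDSE is readable by any authenticated user.
        $rootDse       = [ADSI]'LDAP://RootDSE'
        $namingContext = [string]$rootDse.defaultNamingContext
        if (-not $namingContext) { return $null }     # no domain, or DC unreachable

        # Resolve the caller by the SID in the access token, not by a user-supplied name.
        $sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        $user = [ADSI]"LDAP://<SID=$sid>"
        $sam  = [string]$user.sAMAccountName
        if (-not $sam) { return $null }               # object not found or not readable

        return [pscustomobject]@{
            Domain         = $namingContext
            SamAccountName = $sam
            # userAccountControl bit 0x2 is ADS_UF_ACCOUNTDISABLE
            Disabled       = (([int]$user.userAccountControl) -band 0x2) -ne 0
        }
    } catch {
        # Any failure (no DC, no rights, local account) means "cannot confirm";
        # never treat it as "authenticated".
        return $null
    }
}

$result = Test-CurrentUserInDomain
if ($result -and -not $result.Disabled) {
    "Current user $($result.SamAccountName) is an enabled account in $($result.Domain)"
} else {
    "Could not confirm a domain account for the current user"
}
```

This confirms that the local session belongs to a domain account that the directory still knows about, which is what the answer offers; it does not give the desktop application anything it can present to a remote server, which is the gap the comments above identify.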