tags:

views:

29

answers:

1
Q: 

Remotely authenticating client Windows user on demand

Suppose I am writing a server for a particular network protocol. If I know that the client is running on a Windows machine, is it possible for my server to authenticate the Windows user that owns the client process that initiated the connection independently of the network protocol in question?

Rationale

I actually wish to write an FTP proxy server. Clients would connect to the proxy with their desired server user name and a bogus password. The proxy would then authenticate the Windows user that is running the FTP client (via some mechanism apart from the FTP protocol). After authenticating the Windows user, the proxy would then determine if that Windows user may connect to the real FTP server as the user name they provided via their FTP client.

Conditions

  • Both the clients and the proxy will be within the same firewall and no client will be hidden behind NAT (allowing the proxy to connect back to the client if necessary).
+1  A: 

Microsoft tries to make this difficult. They do not want programs to authenticate without credentials.

You have to plug into the authentication framework and convince the system that you really are a source of authentication. See the 'Lsa' functions.

See the source of an open source ssh server to get an idea of your options here.

Of course, if you really have credentials, you can be plugged into the framework legitimately.

If the other end of the connection is a Windows box, you can get credentials transferred across via Kerberos and use the SSPI API. I recommend this book.

bmargulies  2009-11-14 12:48:11
Thanks for the answer! However, I suppose I wasn't terribly clear. I may be confused, so please bear with me... I assume that the owner of the process that opens a connection to the proxy has been authenticated on *their* computer. Therefore, I just want the proxy to know *which* user owns that process. I suppose I'm really looking for a way for the proxy to ask the client's computer, "Which user opened this connection?" in a trustworthy manner. I should have mentioned that these are non-local users (users are authenticated on their computers via Active Directory). Thanks again, though! :)
Adam Paynter  2009-11-15 00:30:59
See addition to the answer.
bmargulies  2009-11-15 16:45:51

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication