Suppose I am writing a server for a particular network protocol. If I know that the client is running on a Windows machine, is it possible for my server to authenticate the Windows user that owns the client process that initiated the connection independently of the network protocol in question?

Rationale

I actually wish to write an FTP proxy server. Clients would connect to the proxy with their desired server user name and a bogus password. The proxy would then authenticate the Windows user that is running the FTP client (via some mechanism apart from the FTP protocol). After authenticating the Windows user, the proxy would then determine if that Windows user may connect to the real FTP server as the user name they provided via their FTP client.

Conditions

  • Both the clients and the proxy will be within the same firewall and no client will be hidden behind NAT (allowing the proxy to connect back to the client if necessary).
+1  A: 

Microsoft tries to make this difficult. They do not want programs to authenticate without credentials.

You have to plug into the authentication framework and convince the system that you really are a source of authentication. See the 'Lsa' functions.

See the source of an open source ssh server to get an idea of your options here.

Of course, if you really have credentials, you can be plugged into the framework legitimately.

If the other end of the connection is a Windows box, you can get credentials transferred across via Kerberos and use the SSPI API. I recommend this book.

bmargulies
Thanks for the answer! However, I suppose I wasn't terribly clear. I may be confused, so please bear with me... I assume that the owner of the process that opens a connection to the proxy has been authenticated on *their* computer. Therefore, I just want the proxy to know *which* user owns that process. I suppose I'm really looking for a way for the proxy to ask the client's computer, "Which user opened this connection?" in a trustworthy manner. I should have mentioned that these are non-local users (users are authenticated on their computers via Active Directory). Thanks again, though! :)
Adam Paynter
See addition to the answer.
bmargulies
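As an added example (not code from the question or the answer above), this is one way to do what the answer sketches in .NET: System.Net.Security.NegotiateStream wraps SSPI Negotiate (Kerberos, falling back to NTLM), so the proxy can run the handshake on a side channel, separate from the FTP session, and read the caller's Active Directory identity without ever receiving a password. The SPN `HOST/<proxy host>`, the port, and the allow-list of Windows user to FTP account mappings are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Proxy side: the FTP client (or a helper running as the same Windows user)
// opens a second TCP connection and completes an SSPI Negotiate handshake on
// it. The proxy learns which domain account owns that process.
static class WindowsIdentityCheck
{
    // Assumed policy: which FTP account names each Windows user may request.
    static readonly Dictionary<string, string[]> Allowed =
        new Dictionary<string, string[]> { { @"CORP\alice", new[] { "alice", "ftp_reports" } } };

    // Returns the authenticated Windows account name, or null if the handshake
    // fails or is weaker than we are willing to accept.
    public static string AuthenticateCaller(TcpClient conn)
    {
        using (var auth = new NegotiateStream(conn.GetStream(), false))
        {
            try { auth.AuthenticateAsServer(); }            // SSPI server side
            catch (AuthenticationException) { return null; }

            // Kerberos authenticates both ends; an NTLM fallback does not prove
            // the proxy's identity to the client, so reject it here.
            if (!auth.IsAuthenticated || !auth.IsMutuallyAuthenticated) return null;
            // Refuse anonymous or guest tokens: we need a real logon identity.
            if (!auth.RemoteIdentity.IsAuthenticated) return null;
            return auth.RemoteIdentity.Name;               // e.g. "CORP\alice"
        }
    }

    public static bool MayUseFtpAccount(string windowsUser, string ftpUser) =>
        windowsUser != null && Allowed.TryGetValue(windowsUser, out var list) &&
        Array.IndexOf(list, ftpUser) >= 0;

    // Client side, run as the interactive user: the logon session's Kerberos
    // ticket is used, so nothing is typed or sent as a password.
    public static void ProveIdentity(string proxyHost, int port)
    {
        using (var tcp = new TcpClient(proxyHost, port))
        using (var auth = new NegotiateStream(tcp.GetStream(), false))
        {
            // Assumed SPN registered for the proxy's service account.
            auth.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials,
                                      "HOST/" + proxyHost);
        }
    }
}
```

The proxy calls `AuthenticateCaller` on the side-channel connection and then `MayUseFtpAccount` with the user name the client supplied over FTP; the bogus FTP password is ignored entirely. Because the default impersonation level is Identification, the proxy only learns who the caller is and cannot act on their behalf.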