views:

42

answers:

1

In our client/server application, a user can log in using a username/password. The server then authenticates the user against its local user database, or against Active Directory if the user is not found in the local database.

For this scenario everything is secure. But we want to implement an "Integrated Security" mode on the client to use the credentials of the current Windows user.

A solution could be to capture WindowsIdentity.GetCurrent(), send that to the server and verify that a user exists in Active Directory with the user SID from the WindowsIdentity.

However, that isn't secure, because user SIDs aren't private, so a hacked client could send this information to the server without knowing the user's password.

What is the secure way in .NET to have an Integrated Security mode in a client/server application?

A: 

The solution is to use NegotiateStream. This will establish a secure and authenticated communication channel with the server. The client can authenticate with integrated security by giving CredentialCache.DefaultNetworkCredentials to the NegotiateStream; the server can then act on the authenticated user via NegotiateStream.RemoteIdentity.

SelflessCoder
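The exchange the answer describes, as an added example that is not code from the question or the answer. Both sides run in one process over TCP on 127.0.0.1; the port, the SPN "HOST/<machine name>" passed as target name, and the line-based "whoami" request are assumptions for the demo. Off-domain the handshake negotiates NTLM instead of Kerberos, which still authenticates, signs and encrypts the channel but does not give mutual authentication (IsMutuallyAuthenticated stays false).

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from the original question or answer.
// Assumptions: client and server share one process and talk over loopback
// on Port (a demo value); "HOST/<machine>" is the SPN the server holds.
class NegotiateStreamDemo
{
    const int Port = 5000;

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        Task<string> serverSide = RunServerAsync(listener);

        using (var tcp = new TcpClient())
        {
            await tcp.ConnectAsync(IPAddress.Loopback, Port);
            using (var auth = new NegotiateStream(tcp.GetStream(), leaveInnerStreamOpen: false))
            {
                // "Integrated Security": the logon session of the current Windows
                // user supplies the credential. Our code never sees a password, and
                // nothing replayable (SID, token) is sent by the application layer.
                await auth.AuthenticateAsClientAsync(
                    CredentialCache.DefaultNetworkCredentials,
                    "HOST/" + Environment.MachineName,       // assumed server SPN
                    ProtectionLevel.EncryptAndSign,
                    TokenImpersonationLevel.Identification); // server may identify us, not impersonate

                Console.WriteLine($"client: mutual={auth.IsMutuallyAuthenticated} encrypted={auth.IsEncrypted}");

                var writer = new StreamWriter(auth, new UTF8Encoding(false)) { AutoFlush = true };
                var reader = new StreamReader(auth, Encoding.UTF8);
                await writer.WriteLineAsync("whoami");
                Console.WriteLine("server replied: " + await reader.ReadLineAsync());
            }
        }

        Console.WriteLine("server saw SID: " + await serverSide);
        listener.Stop();
    }

    // Server side: completes the SSPI handshake, validates the channel and
    // returns the caller's SID (or throws). This SID is the one to look up in
    // the local user database or Active Directory, instead of a client-sent one.
    static async Task<string> RunServerAsync(TcpListener listener)
    {
        using (TcpClient conn = await listener.AcceptTcpClientAsync())
        using (var auth = new NegotiateStream(conn.GetStream(), leaveInnerStreamOpen: false))
        {
            await auth.AuthenticateAsServerAsync(
                CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign,
                TokenImpersonationLevel.Identification);

            // Refuse to act on RemoteIdentity unless the handshake completed and
            // the channel is both signed and encrypted.
            if (!auth.IsAuthenticated || !auth.IsSigned || !auth.IsEncrypted)
                throw new AuthenticationException("session is not authenticated, signed and encrypted");

            IIdentity id = auth.RemoteIdentity;
            var win = id as WindowsIdentity;   // Kerberos and NTLM both yield a WindowsIdentity
            if (win == null || win.User == null)
                throw new AuthenticationException("caller has no Windows identity");

            string sid = win.User.Value;
            Console.WriteLine($"server: {id.Name} via {id.AuthenticationType}, sid={sid}");

            var reader = new StreamReader(auth, Encoding.UTF8);
            var writer = new StreamWriter(auth, new UTF8Encoding(false)) { AutoFlush = true };
            string request = await reader.ReadLineAsync();
            await writer.WriteLineAsync(request == "whoami" ? id.Name : "unknown request");
            return sid;
        }
    }
}
```

The point of the server-side checks is that RemoteIdentity is only meaningful after AuthenticateAsServer has returned without throwing; requiring EncryptAndSign on both ends additionally prevents a downgrade to an unprotected session, and TokenImpersonationLevel.Identification limits what the server can do with the caller's token to reading it.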