I'm using a NegotiateStream to authenticate a client/server application. The server side code looks like this:

// Wrap the raw stream; 'true' leaves the inner stream open when this one is closed
SecureStream = new NegotiateStream(Stream, true);

// Authenticate with the service account's credentials, requiring
// encryption plus signing, and only identify (not impersonate) the caller
SecureStream.AuthenticateAsServer(
    CredentialCache.DefaultNetworkCredentials,
    ProtectionLevel.EncryptAndSign,
    TokenImpersonationLevel.Identification);

if (!SecureStream.IsAuthenticated)
{
    return false;
}
WindowsPrincipal principal = new WindowsPrincipal(
    (WindowsIdentity)SecureStream.RemoteIdentity);

// ExpectedRoles is a string[] of possible roles
foreach (string role in ExpectedRoles)
{
    if (principal.IsInRole(role))
        return true;
}
// Authenticated, but in none of the expected roles: reject
return false;

The client side code looks like this:

SecureStream = new NegotiateStream(Stream, true);
SecureStream.AuthenticateAsClient();
if (!SecureStream.IsAuthenticated)
{
    return false;
}

The client and server can be run on separate network segments of the same domain. So if they're on a different segment than the domain controller is, and the internet connection goes down, they should be able to operate in an offline fashion. The problem is, some of the domains are configured so users can't authenticate in a domain-disconnected mode (apparently turning that functionality off is a security measure).

So I'm trying to figure out an authentication model that will allow me to authenticate non-domain users as a fallback position when the domain is not available.

A: 

Kerberos (and to a lesser degree NTLM) is pretty tolerant of transient network outages between the server and the DC. Once the user has obtained a valid Kerb ticket for the server, the server will continue to authenticate the user even if the server (or the client) can't contact the DC. The default lifetime of such tickets is 10 hours, which usually covers folks for transient outages during a routine business day.

NTLM sessions are cached for more like 15 minutes (last I checked on this, which was 4-5 years ago), so the transient outages would have to be more transient than "an hour or three".

What is the expected outage timeframe between client (or server) and the DCs? [Aside: if it's really bad, why not investigate dropping a lower-powered DC (even a read-only copy, if you're running 2008 AD) on the near side of the lossy network segment?]

ParanoidMike
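The following is an added example, not code from either poster: a complete server-side handshake that checks the protection level actually negotiated (asking for EncryptAndSign does not guarantee it) and records whether the session came in over Kerberos or NTLM, which, per the answer above, decides how long it will keep working once the DC is unreachable. It assumes .NET on Windows (the WindowsIdentity cast) and uses constructed placeholder role names.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Principal;

static class NegotiateServer
{
    // Constructed placeholder roles; replace with the application's own groups.
    static readonly string[] ExpectedRoles = { "BUILTIN\\Administrators", "EXAMPLE\\AppUsers" };

    // Authenticates the remote client over 'stream'. Returns the secured stream on
    // success, or null (with the stream closed) if authentication or authorization fails.
    public static NegotiateStream AuthenticateClient(Stream stream)
    {
        var secure = new NegotiateStream(stream, leaveInnerStreamOpen: false);
        try
        {
            secure.AuthenticateAsServer(
                CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign,
                TokenImpersonationLevel.Identification);
        }
        catch (AuthenticationException ex)
        {
            // Typical when no DC is reachable and the client holds no cached ticket.
            Console.WriteLine("Authentication failed: " + ex.Message);
            secure.Dispose();
            return null;
        }

        // Verify what was negotiated, not just what was requested.
        if (!secure.IsAuthenticated || !secure.IsEncrypted || !secure.IsSigned)
        {
            secure.Dispose();
            return null;
        }

        var identity = (WindowsIdentity)secure.RemoteIdentity;
        // "Kerberos" sessions survive a DC outage for the ticket lifetime; "NTLM" ones only
        // for the much shorter cache window, so log the type for troubleshooting outages.
        Console.WriteLine($"{identity.Name} authenticated via {identity.AuthenticationType}");

        var principal = new WindowsPrincipal(identity);
        foreach (string role in ExpectedRoles)
            if (principal.IsInRole(role))
                return secure;

        secure.Dispose(); // authenticated but not authorized
        return null;
    }
}
```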