views:

48

answers:

2

What is the best/simplest way to transmit the user credentials (Active Directory) over the transport layer?

I have two systems A and B connected with a 3rd party message layer C.

Is there any way (preferably in .NET) to somehow store/serialize the credentials of the authenticated user on side A, transmit them over C, then de-serialize them on side B and make a call to the downstream system D using the de-serialized credentials?

A: 

That is called impersonation, but without any details on the underlying systems, I cannot really tell if that will be supported.

If the system is based on WCF, this is definitely possible. This MSDN page contains all the details.

Johann Blais
The problem is that the transport layer is not WCF. It's just a third-party messaging layer, and I was wondering if it would be possible to save some kind of authentication token in Windows as an array of bytes on side A, transfer these bytes to B, then deserialize them to impersonate the .NET client (system B) using the system A user's credentials ...
Andrew
A: 

To "mule" credentials to another system that can be authenticated by one of AD's authentication front-ends, you need either an impersonation-friendly protocol (such as Kerberos) or the raw credentials themselves (sometimes referred to as "basic" or "username/password", but under certain circumstances this could also be something like an RSA keypair), and optionally a framework in which to wrap those credentials (e.g. WS-Sec, SAML).

The access token generated by Windows' LSA is only valid on the system on which the token was generated - if you serialized and deserialized a token from one system to another, the LSA wouldn't accept it as proof that the process had been authenticated by that target system and had any right to access any secured resource on the system. Otherwise you'd be talking about a system subject to replay attacks (taking the security context from one box and replaying it - maliciously or otherwise, the security threat model wouldn't care - on another).

So the "easiest" way to do this is for your code to prompt the user to type in their username and password. This is also the scenario most subject to security flaws, and any right-minded organization would choke if their applications did something this crude, but it is a theoretical option.

Better would be to find a way for the inter-system communication to include embedded support for an authentication protocol - see GSS-API for one cross-platform API that is often serviceable in these contexts.

ParanoidMike
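Added example (not code from the asker or from ParanoidMike's answer) of the "embedded authentication protocol" route in .NET: `NegotiateStream` is the framework's wrapper around SSPI/GSS-API, so the SPNEGO handshake (Kerberos, or NTLM as fallback) runs over the byte channel between A and B, and side B ends up holding a token issued by its own LSA rather than one copied from A. A loopback TCP socket stands in for the third-party layer C, the SPN `host/<machine>` and the required impersonation level are assumptions, and whether B can then call D as that user depends on Kerberos delegation being permitted for B's account.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

class NegotiateOverTransport
{
    // Side B: accept the channel, run the SPNEGO handshake, and obtain a token
    // issued by B's own LSA for the remote user (nothing serialized from A).
    static async Task<string> ServerAsync(TcpListener listener)
    {
        using var conn = await listener.AcceptTcpClientAsync();
        using var auth = new NegotiateStream(conn.GetStream(), leaveInnerStreamOpen: false);
        await auth.AuthenticateAsServerAsync(
            CredentialCache.DefaultNetworkCredentials,
            ProtectionLevel.EncryptAndSign,          // sign and encrypt traffic after the handshake
            TokenImpersonationLevel.Impersonation);  // assumed minimum; Delegation is needed to reach D
        var user = (WindowsIdentity)auth.RemoteIdentity;
        // Impersonate only for the downstream call; the token is released when the lambda returns.
        return WindowsIdentity.RunImpersonated(user.AccessToken,
            () => WindowsIdentity.GetCurrent().Name);
    }

    // Side A: authenticate as the logged-on user; no password or token leaves the process.
    static async Task ClientAsync(int port)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, port);
        using var auth = new NegotiateStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        await auth.AuthenticateAsClientAsync(
            CredentialCache.DefaultNetworkCredentials,
            $"host/{Environment.MachineName}",        // assumed SPN for the loopback demo
            ProtectionLevel.EncryptAndSign,
            TokenImpersonationLevel.Delegation);      // the most A is willing to grant B
    }

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);  // stands in for message layer C
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        var server = ServerAsync(listener);
        await ClientAsync(port);
        Console.WriteLine($"Side B authenticated the caller and is acting as: {await server}");
        listener.Stop();
    }
}
```

A message-oriented layer C that does not expose a `Stream` would instead carry the handshake blobs as individual messages via SSPI directly, but the principle is the same: the bytes crossing C are protocol tokens the target LSA can verify, not a copied access token.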