I have an application server (webservice or remoting, not yet decided) on a remote machine and a client on the same domain. I want to authenticate the user as a domain user on the server.

I can ask the user to enter their Windows username/password and send those to the server and get the server to check them against Active Directory but I would rather not. Is there any way I can get the client to send some kind of token which the server can then use to identify which domain user is sending it a request? Obviously I want to protect the server against someone sending a fake user ID and impersonating another user.

Clarification

The client on computer A will communicate with the server on computer B. I think I will probably be using .NET remoting for this communication. On the server I merely need to know the ID of the user on computer A; if the app on computer A must send the ID, I need to be sure that it hasn't sent the ID of a different user.

I don't need to impersonate the other user, I merely need to know (for certain) who it is.

A: 

Are you saying that the client communicates against your server, and you need to use the client's privileges at a third server? That scenario describes The Double-Hop Problem. The blog post describes it in detail, and what can be done to circumvent it (domain modifications).

[...] you can get around the problem and use proper delegation if you set up your network to use Kerberos and set up the web server in question as trusted for delegation.

Added:

I know of no way you can identify the user on computer A. Would it be enough if it was just the user executing your program? You could use Windows authentication in a domain scenario, but that would only give you the privileges used by the program to authenticate, which may differ from the actual evil user in front of the keyboard.

Added:

Your comments to this post indicate that Windows authentication with impersonation would work for you. Check http://community.bartdesmet.net/blogs/bart/archive/2006/08/26/4277.aspx for code examples.

Simon Svensson
Just in case you choose to go the Kerberos route, see http://geeks.netindonesia.net/blogs/jimmy/archive/2008/02/29/service-principal-name-headache.aspx for tips on troubleshooting it. Trust me it's a freaking headache sometimes :).
Jimmy Chandra
Hi Simon

I just need to know the login of computer A; it's company policy to lock your PC when you are not sitting at it, so if someone else uses it that is a different matter. What I don't want to do is to send a request to the server like this:

ISession StartSession(string userName)

because anyone could write a simple app to send anything they like. What I want is something like:

ISession StartSession(SomeLoginToken user);

Something I know cannot be faked - just wondered if that can be done or not? WPF does it I *think*, but this is remoting.
Peter Morris
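The unforgeable token Peter asks for is what a secure .NET remoting TcpChannel already provides: the caller's domain identity is established by the channel's SSPI (Kerberos/NTLM) handshake, not by any parameter the client sends, and the server reads it from Thread.CurrentPrincipal. The following C# is an added example, not code from the question, the answer or the linked blog posts; the ISessionService contract, the "Session.rem" URI, the port and the host name are assumptions.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Security.Principal;
using System.Threading;

// Hypothetical contract: the caller passes no identity, so there is nothing to forge.
public interface ISessionService { string WhoAmI(); }

public class SessionService : MarshalByRefObject, ISessionService
{
    public string WhoAmI()
    {
        // Identity established by the channel's SSPI (Kerberos/NTLM) handshake.
        WindowsIdentity caller = Thread.CurrentPrincipal.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("channel did not authenticate the caller");
        // AuthenticationType shows whether Kerberos or NTLM was negotiated.
        return caller.Name + " (" + caller.AuthenticationType + ")";
    }
}

public static class RemotingHost
{
    // Server on computer B: identify the caller only, never run as them.
    public static void RunServer()
    {
        IDictionary props = new Hashtable();
        props["port"] = 9090;                          // assumed port
        props["secure"] = true;                        // reject unauthenticated connections
        props["impersonate"] = false;                  // identification, not impersonation
        props["protectionLevel"] = "EncryptAndSign";   // integrity + confidentiality on the wire
        ChannelServices.RegisterChannel(new TcpServerChannel(props, null), true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(SessionService), "Session.rem", WellKnownObjectMode.Singleton);
        Console.ReadLine();
    }

    // Client on computer A: the logged-on user's credentials go via SSPI, not as a parameter.
    public static string CallServer(string serverHost)
    {
        IDictionary props = new Hashtable();
        props["secure"] = true;
        props["tokenImpersonationLevel"] = TokenImpersonationLevel.Identification;
        ChannelServices.RegisterChannel(new TcpClientChannel(props, null), true);
        ISessionService svc = (ISessionService)Activator.GetObject(
            typeof(ISessionService), "tcp://" + serverHost + ":9090/Session.rem");
        return svc.WhoAmI();
    }
}
```

Because impersonate is false on the server and the client offers only an Identification-level token, the server learns who the caller is but cannot act as that user against a third machine, which is exactly the double-hop limitation the answer describes.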