|
dev
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Windows authentication over remoting... possible?Hi,
I have to develop an application that will consist of a service and a windows forms application... the service could be on a distant server but I need to authenticate the user as being part of the same domain. so when the application starts, I can send something to the remote service and query for some objects and the service can give me the objects if I'm the right user (part of the right group). I don't want to send username and password nor password hash over the network so if there is a better way (just like SQL server does or many other apps), I would like to know it (maybe if you have a link) Thanks ThunderMusic ThunderMusic,
Not easily. You can host your remoted objects in IIS, and then it would use the authentication mechanism that you have configured in IIS. Also, I believe this will force you to design your objects in a certain way (for stateless calls, since the mechanism for HTTP is stateless). I could be wrong here. I would honestly not use or recommend remoting as a distributed object technology. If you have to develop your app now (meaning, get it out the door tomorrow), then I would suggest using COM+/Enterprise Services. If you have some time to spare, and don't mind developing with pre-release software, I would look into Windows Communication Foundation. Either way, remoting is a dead-end in my book. Hope this helps. -- Show quote- Nicholas Paldino [.NET/C# MVP] - mvp@spam.guard.caspershouse.com "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... > Hi, > > I have to develop an application that will consist of a service and a > windows forms application... the service could be on a distant server but > I need to authenticate the user as being part of the same domain. so when > the application starts, I can send something to the remote service and > query for some objects and the service can give me the objects if I'm the > right user (part of the right group). I don't want to send username and > password nor password hash over the network so if there is a better way > (just like SQL server does or many other apps), I would like to know it > (maybe if you have a link) > > Thanks > > ThunderMusic > > I would honestly not use or recommend remoting as a distributed object Remoting isn't a distributed object technology; it's a communication> technology. If you have to develop your app now (meaning, get it out the > door tomorrow), then I would suggest using COM+/Enterprise Services. protocol. In fact for .net to .net comms on lan, the recommendation is to use remoting AND com+/es. - Oisin ThunderMusic wrote:
Show quote > Hi, Hi ThunderMusic,> > I have to develop an application that will consist of a service and a > windows forms application... the service could be on a distant server but > I need to authenticate the user as being part of the same domain. so when > the application starts, I can send something to the remote service and > query for some objects and the service can give me the objects if I'm the > right user (part of the right group). I don't want to send username and > password nor password hash over the network so if there is a better way > (just like SQL server does or many other apps), I would like to know it > (maybe if you have a link) > > Thanks > > ThunderMusic This may be of help: <UrlWillWrap> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch11.asp </UrlWillWrap> -- Hope this helps, Tom Spink Ok, I found the WindowsPrincipal class, and it's serializable. Does an
instance of this class guaranty the user is logged on a computer and has been authenticated or is there a way to query the domain server if the user is a rightful user? I mean, I must be sure the user making the request (or query) is who he claims to be and is logged on the domain. My app does not allow impersonnation, but I don't want anybody trying to impersonnate someone on my network and claim being, let's say, the president of the company and start making anything he wants with the remote objects... you know what I mean? I need a way to secure things so only an authenticated user or a user I can authenticate can have access to the objects the service is providing. And I definitly need to know the domain groups this user belongs to... Thanks ThunderMusic Show quote "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... > Hi, > > I have to develop an application that will consist of a service and a > windows forms application... the service could be on a distant server but > I need to authenticate the user as being part of the same domain. so when > the application starts, I can send something to the remote service and > query for some objects and the service can give me the objects if I'm the > right user (part of the right group). I don't want to send username and > password nor password hash over the network so if there is a better way > (just like SQL server does or many other apps), I would like to know it > (maybe if you have a link) > > Thanks > > ThunderMusic > ThunderMusic,
Unfortunately, no, it does not allow that. All it is is a representation of a user. Anyone could theoretically make one and send it to you. It doesn't tell you if it is logged on or not. -- Show quote- Nicholas Paldino [.NET/C# MVP] - mvp@spam.guard.caspershouse.com "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:uhQRdjToGHA.4176@TK2MSFTNGP05.phx.gbl... > Ok, I found the WindowsPrincipal class, and it's serializable. Does an > instance of this class guaranty the user is logged on a computer and has > been authenticated or is there a way to query the domain server if the > user is a rightful user? I mean, I must be sure the user making the > request (or query) is who he claims to be and is logged on the domain. My > app does not allow impersonnation, but I don't want anybody trying to > impersonnate someone on my network and claim being, let's say, the > president of the company and start making anything he wants with the > remote objects... you know what I mean? I need a way to secure things so > only an authenticated user or a user I can authenticate can have access to > the objects the service is providing. And I definitly need to know the > domain groups this user belongs to... > > Thanks > > ThunderMusic > > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message > news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... >> Hi, >> >> I have to develop an application that will consist of a service and a >> windows forms application... the service could be on a distant server >> but I need to authenticate the user as being part of the same domain. so >> when the application starts, I can send something to the remote service >> and query for some objects and the service can give me the objects if I'm >> the right user (part of the right group). I don't want to send username >> and password nor password hash over the network so if there is a better >> way (just like SQL server does or many other apps), I would like to know >> it (maybe if you have a link) >> >> Thanks >> >> ThunderMusic >> > > ok, so is there a way I can get the token Windows send us when we log on and
send it to my service so the service can verify with the domain server if this token is valid? thanks ThunderMusic Show quote "Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:OPBgFlToGHA.1244@TK2MSFTNGP05.phx.gbl... > ThunderMusic, > > Unfortunately, no, it does not allow that. All it is is a > representation of a user. Anyone could theoretically make one and send it > to you. It doesn't tell you if it is logged on or not. > > > -- > - Nicholas Paldino [.NET/C# MVP] > - mvp@spam.guard.caspershouse.com > > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message > news:uhQRdjToGHA.4176@TK2MSFTNGP05.phx.gbl... >> Ok, I found the WindowsPrincipal class, and it's serializable. Does an >> instance of this class guaranty the user is logged on a computer and has >> been authenticated or is there a way to query the domain server if the >> user is a rightful user? I mean, I must be sure the user making the >> request (or query) is who he claims to be and is logged on the domain. My >> app does not allow impersonnation, but I don't want anybody trying to >> impersonnate someone on my network and claim being, let's say, the >> president of the company and start making anything he wants with the >> remote objects... you know what I mean? I need a way to secure things >> so only an authenticated user or a user I can authenticate can have >> access to the objects the service is providing. And I definitly need to >> know the domain groups this user belongs to... >> >> Thanks >> >> ThunderMusic >> >> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message >> news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... >>> Hi, >>> >>> I have to develop an application that will consist of a service and a >>> windows forms application... the service could be on a distant server >>> but I need to authenticate the user as being part of the same domain. so >>> when the application starts, I can send something to the remote service >>> and query for some objects and the service can give me the objects if >>> I'm the right user (part of the right group). I don't want to send >>> username and password nor password hash over the network so if there is >>> a better way (just like SQL server does or many other apps), I would >>> like to know it (maybe if you have a link) >>> >>> Thanks >>> >>> ThunderMusic >>> >> >> > > ok, I answered a part of my question :
System.Security.Principal.WindowsIdentity.GetCurrent().Token.... So now is there a way I can deal with this in my service? can I sen the Windows Identity instance over remoting? thanks ThunderMusic Show quote "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:OAuk53ToGHA.4784@TK2MSFTNGP04.phx.gbl... > ok, so is there a way I can get the token Windows send us when we log on > and send it to my service so the service can verify with the domain server > if this token is valid? > > thanks > > ThunderMusic > > "Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote > in message news:OPBgFlToGHA.1244@TK2MSFTNGP05.phx.gbl... >> ThunderMusic, >> >> Unfortunately, no, it does not allow that. All it is is a >> representation of a user. Anyone could theoretically make one and send >> it to you. It doesn't tell you if it is logged on or not. >> >> >> -- >> - Nicholas Paldino [.NET/C# MVP] >> - mvp@spam.guard.caspershouse.com >> >> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message >> news:uhQRdjToGHA.4176@TK2MSFTNGP05.phx.gbl... >>> Ok, I found the WindowsPrincipal class, and it's serializable. Does an >>> instance of this class guaranty the user is logged on a computer and has >>> been authenticated or is there a way to query the domain server if the >>> user is a rightful user? I mean, I must be sure the user making the >>> request (or query) is who he claims to be and is logged on the domain. >>> My app does not allow impersonnation, but I don't want anybody trying to >>> impersonnate someone on my network and claim being, let's say, the >>> president of the company and start making anything he wants with the >>> remote objects... you know what I mean? I need a way to secure things >>> so only an authenticated user or a user I can authenticate can have >>> access to the objects the service is providing. And I definitly need to >>> know the domain groups this user belongs to... >>> >>> Thanks >>> >>> ThunderMusic >>> >>> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message >>> news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... >>>> Hi, >>>> >>>> I have to develop an application that will consist of a service and a >>>> windows forms application... the service could be on a distant server >>>> but I need to authenticate the user as being part of the same domain. >>>> so when the application starts, I can send something to the remote >>>> service and query for some objects and the service can give me the >>>> objects if I'm the right user (part of the right group). I don't want >>>> to send username and password nor password hash over the network so if >>>> there is a better way (just like SQL server does or many other apps), I >>>> would like to know it (maybe if you have a link) >>>> >>>> Thanks >>>> >>>> ThunderMusic >>>> >>> >>> >> >> > > ThunderMusic,
I have to ask, why not use one of the two solutions I posted earlier? Trying to do this yourself will lead to a good number of holes in your solution. -- Show quote- Nicholas Paldino [.NET/C# MVP] - mvp@spam.guard.caspershouse.com "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:O1t%23y6ToGHA.4616@TK2MSFTNGP05.phx.gbl... > ok, I answered a part of my question : > System.Security.Principal.WindowsIdentity.GetCurrent().Token.... So now > is there a way I can deal with this in my service? can I sen the Windows > Identity instance over remoting? > > thanks > > ThunderMusic > > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message > news:OAuk53ToGHA.4784@TK2MSFTNGP04.phx.gbl... >> ok, so is there a way I can get the token Windows send us when we log on >> and send it to my service so the service can verify with the domain >> server if this token is valid? >> >> thanks >> >> ThunderMusic >> >> "Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote >> in message news:OPBgFlToGHA.1244@TK2MSFTNGP05.phx.gbl... >>> ThunderMusic, >>> >>> Unfortunately, no, it does not allow that. All it is is a >>> representation of a user. Anyone could theoretically make one and send >>> it to you. It doesn't tell you if it is logged on or not. >>> >>> >>> -- >>> - Nicholas Paldino [.NET/C# MVP] >>> - mvp@spam.guard.caspershouse.com >>> >>> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message >>> news:uhQRdjToGHA.4176@TK2MSFTNGP05.phx.gbl... >>>> Ok, I found the WindowsPrincipal class, and it's serializable. Does an >>>> instance of this class guaranty the user is logged on a computer and >>>> has been authenticated or is there a way to query the domain server if >>>> the user is a rightful user? I mean, I must be sure the user making the >>>> request (or query) is who he claims to be and is logged on the domain. >>>> My app does not allow impersonnation, but I don't want anybody trying >>>> to impersonnate someone on my network and claim being, let's say, the >>>> president of the company and start making anything he wants with the >>>> remote objects... you know what I mean? I need a way to secure things >>>> so only an authenticated user or a user I can authenticate can have >>>> access to the objects the service is providing. And I definitly need to >>>> know the domain groups this user belongs to... >>>> >>>> Thanks >>>> >>>> ThunderMusic >>>> >>>> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in >>>> message news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... >>>>> Hi, >>>>> >>>>> I have to develop an application that will consist of a service and a >>>>> windows forms application... the service could be on a distant server >>>>> but I need to authenticate the user as being part of the same domain. >>>>> so when the application starts, I can send something to the remote >>>>> service and query for some objects and the service can give me the >>>>> objects if I'm the right user (part of the right group). I don't want >>>>> to send username and password nor password hash over the network so if >>>>> there is a better way (just like SQL server does or many other apps), >>>>> I would like to know it (maybe if you have a link) >>>>> >>>>> Thanks >>>>> >>>>> ThunderMusic >>>>> >>>> >>>> >>> >>> >> >> > > because WCF is still beta and the enterprise I work for avoid using beta
versions because they had big problems with them in the past... and not COM+ because noone knows anything about it here... the only thing we know is remoting... even if it's "a dead technology" we can't afford using WCF and have eventual problems. Our apps will stay local to the enterprise and is not targeted to the public, but we just want to make sure that noone will be able to clone one of our users from the domain... (well, at least, as most as possible) maybe if you have some link I can look at to start using COM+/Enterprise Services.... Is it as easy as Remoting? I mean, providing the client app with interfaces and then get a remote copy of the object and calling the interfaces methods? (We would work by marshaling, not as WellKnownObjects) thanks ThunderMusic Show quote "Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:OumtSOUoGHA.4784@TK2MSFTNGP04.phx.gbl... > ThunderMusic, > > I have to ask, why not use one of the two solutions I posted earlier? > Trying to do this yourself will lead to a good number of holes in your > solution. > > -- > - Nicholas Paldino [.NET/C# MVP] > - mvp@spam.guard.caspershouse.com > > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message > news:O1t%23y6ToGHA.4616@TK2MSFTNGP05.phx.gbl... >> ok, I answered a part of my question : >> System.Security.Principal.WindowsIdentity.GetCurrent().Token.... So now >> is there a way I can deal with this in my service? can I sen the Windows >> Identity instance over remoting? >> >> thanks >> >> ThunderMusic >> >> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message >> news:OAuk53ToGHA.4784@TK2MSFTNGP04.phx.gbl... >>> ok, so is there a way I can get the token Windows send us when we log on >>> and send it to my service so the service can verify with the domain >>> server if this token is valid? >>> >>> thanks >>> >>> ThunderMusic >>> >>> "Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote >>> in message news:OPBgFlToGHA.1244@TK2MSFTNGP05.phx.gbl... >>>> ThunderMusic, >>>> >>>> Unfortunately, no, it does not allow that. All it is is a >>>> representation of a user. Anyone could theoretically make one and send >>>> it to you. It doesn't tell you if it is logged on or not. >>>> >>>> >>>> -- >>>> - Nicholas Paldino [.NET/C# MVP] >>>> - mvp@spam.guard.caspershouse.com >>>> >>>> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in >>>> message news:uhQRdjToGHA.4176@TK2MSFTNGP05.phx.gbl... >>>>> Ok, I found the WindowsPrincipal class, and it's serializable. Does an >>>>> instance of this class guaranty the user is logged on a computer and >>>>> has been authenticated or is there a way to query the domain server if >>>>> the user is a rightful user? I mean, I must be sure the user making >>>>> the request (or query) is who he claims to be and is logged on the >>>>> domain. My app does not allow impersonnation, but I don't want anybody >>>>> trying to impersonnate someone on my network and claim being, let's >>>>> say, the president of the company and start making anything he wants >>>>> with the remote objects... you know what I mean? I need a way to >>>>> secure things so only an authenticated user or a user I can >>>>> authenticate can have access to the objects the service is providing. >>>>> And I definitly need to know the domain groups this user belongs to... >>>>> >>>>> Thanks >>>>> >>>>> ThunderMusic >>>>> >>>>> "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in >>>>> message news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... >>>>>> Hi, >>>>>> >>>>>> I have to develop an application that will consist of a service and a >>>>>> windows forms application... the service could be on a distant >>>>>> server but I need to authenticate the user as being part of the same >>>>>> domain. so when the application starts, I can send something to the >>>>>> remote service and query for some objects and the service can give me >>>>>> the objects if I'm the right user (part of the right group). I don't >>>>>> want to send username and password nor password hash over the network >>>>>> so if there is a better way (just like SQL server does or many other >>>>>> apps), I would like to know it (maybe if you have a link) >>>>>> >>>>>> Thanks >>>>>> >>>>>> ThunderMusic >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> > > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in Remoting isn't really dead... in fact it's part of WCF :)news:uCIizHcoGHA.3636@TK2MSFTNGP03.phx.gbl: > the only thing we know > is remoting... even if it's "a dead technology" thanks for correcting, I didn't know... everywhere I went, people kept
saying "Remoting is deprecated"... so I started to believe it... thanks ThunderMusic Show quote "Spam Catcher" <spamhoneypot@rogers.com> wrote in message news:Xns97F98E3C98822usenethoneypotrogers@127.0.0.1... > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in > news:uCIizHcoGHA.3636@TK2MSFTNGP03.phx.gbl: > >> the only thing we know >> is remoting... even if it's "a dead technology" > > Remoting isn't really dead... in fact it's part of WCF :) Just check on the client, put a strong name on the client. You can event do
some link demands. Schneider Show quote "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... > Hi, > > I have to develop an application that will consist of a service and a > windows forms application... the service could be on a distant server but I > need to authenticate the user as being part of the same domain. so when the > application starts, I can send something to the remote service and query for > some objects and the service can give me the objects if I'm the right user > (part of the right group). I don't want to send username and password nor > password hash over the network so if there is a better way (just like SQL > server does or many other apps), I would like to know it (maybe if you have > a link) > > Thanks > > ThunderMusic > > You may want to investigate the MSDN sample about using SSPI with remoting,
it should do exactly what you are wanting to do http://msdn.microsoft.com/webservices/remoting/default.aspx?pull=/library/en-us/dndotnet/html/remsspi.asp -Robert Show quote "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... > Hi, > > I have to develop an application that will consist of a service and a > windows forms application... the service could be on a distant server but > I need to authenticate the user as being part of the same domain. so when > the application starts, I can send something to the remote service and > query for some objects and the service can give me the objects if I'm the > right user (part of the right group). I don't want to send username and > password nor password hash over the network so if there is a better way > (just like SQL server does or many other apps), I would like to know it > (maybe if you have a link) > > Thanks > > ThunderMusic > seems pretty interesting... I'll read it and give you feedback as if it
helped me, but I think it will.. ;) thanks a lot ThunderMusic Show quote "Robert Ginsburg" <robert.ginsb***@ver3.com> wrote in message news:ewLtsgUoGHA.4728@TK2MSFTNGP03.phx.gbl... > You may want to investigate the MSDN sample about using SSPI with > remoting, it should do exactly what you are wanting to do > http://msdn.microsoft.com/webservices/remoting/default.aspx?pull=/library/en-us/dndotnet/html/remsspi.asp > > -Robert > "ThunderMusic" <NoSpAmdanlatathotmaildotcom@NoSpAm.com> wrote in message > news:eREVPUToGHA.1204@TK2MSFTNGP04.phx.gbl... >> Hi, >> >> I have to develop an application that will consist of a service and a >> windows forms application... the service could be on a distant server >> but I need to authenticate the user as being part of the same domain. so >> when the application starts, I can send something to the remote service >> and query for some objects and the service can give me the objects if I'm >> the right user (part of the right group). I don't want to send username >> and password nor password hash over the network so if there is a better >> way (just like SQL server does or many other apps), I would like to know >> it (maybe if you have a link) >> >> Thanks >> >> ThunderMusic >> > >  |
|||||||||||||||||||||||
Other interesting topics