Authentication Using SSPI
When authenticating against Active Directory, we can use a couple of techniques in order to validate a user's credentials using native Windows protocols rather than LDAP. One valid technique is to use the LogonUser API. This technique is fairly well understood, and resources like www.pinvoke.net have ready-made code snippets that demonstrate how to use the API successfully. We won't cover this technique, other than to say that for Windows 2000, this technique has some fairly significant limitations. This topic and more are covered in detail in The .NET Developer's Guide to Windows Security. While these limitations have been removed with subsequent Windows releases, we feel that an easier technique is available that addresses all NT-based versions of Windows.
SSPI authentication has become much easier with .NET 2.0, and it is a handy way to sidestep any security issues that crop up with LogonUser. While this technique really is not LDAP or ADSI related in any sense, it is certainly useful enough to merit coverage. Essentially, we will use the new NegotiateStream class in .NET 2.0 to harness the Negotiate protocol directly. The trick here is to execute a trusted handshake, acting as both the client and the server. Listing 12.6 shows a sample of how this might work.
Listing 12.6. Windows Authentication Using SSPI
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading;
class NTAuth
{
TcpListener listener;
int port;
public NTAuth(int port)
{
this.port = port;
this.listener = new TcpListener(
IPAddress.Loopback, this.port);
this.listener.Start();
}
private void CreateServer(object state)
{
try
{
NegotiateStream nsServer = new NegotiateStream(
this.listener.AcceptTcpClient().GetStream()
);
nsServer.AuthenticateAsServer(
CredentialCache.DefaultNetworkCredentials,
ProtectionLevel.None,
TokenImpersonationLevel.Impersonation
);
}
catch (AuthenticationException) {}
}
public bool Authenticate(NetworkCredential creds)
{
TcpClient client = new TcpClient(
"localhost",
this.port
);
ThreadPool.QueueUserWorkItem(
new WaitCallback(CreateServer)
);
NegotiateStream nsClient = new NegotiateStream(
client.GetStream(),
true
);
using (nsClient)
{
try
{
nsClient.AuthenticateAsClient(
creds,
creds.Domain + @"" + creds.UserName,
ProtectionLevel.None,
TokenImpersonationLevel.Impersonation
);
return nsClient.IsAuthenticated;
}
catch (AuthenticationException)
{
return false;
}
}
}
}
|
The SSPI authentication technique will not work with ADAM security principals. As such, this technique applies only to Active Directory installations.
Part I: Fundamentals
Introduction to LDAP and Active Directory
- Introduction to LDAP and Active Directory
- A Brief History of Directory Services
- Definition of LDAP
- Definition of Active Directory
- Definition of ADAM
- LDAP Basics
- Summary
Introduction to .NET Directory Services Programming
- Introduction to .NET Directory Services Programming
- .NET Directory Services Programming Landscape
- Native Directory Services Programming Landscape
- System.DirectoryServices Overview
- System.DirectoryServices.ActiveDirectory Overview
- System.DirectoryServices.Protocols Overview
- Selecting the Right Technology
- Summary
Binding and CRUD Operations with DirectoryEntry
- Binding and CRUD Operations with DirectoryEntry
- Property and Method Overview
- Binding to the Directory
- Directory CRUD Operations
- Summary
Searching with the DirectorySearcher
- Searching with the DirectorySearcher
- LDAP Searching Overview
- DirectorySearcher Overview
- The Basics of Searching
- Building LDAP Filters
- Controlling the Content of Search Results
- Executing the Query and Enumerating Results
- Returning Many Results with Paged Searches
- Sorting Search Results
- Summary
Advanced LDAP Searches
- Advanced LDAP Searches
- Administrative Limits Governing Active Directory and ADAM
- Understanding Searching Timeouts
- Optimizing Search Performance
- Searching the Global Catalog
- Chasing Referrals
- Virtual List View Searches
- Searching for Deleted Objects
- Directory Synchronization Queries
- Using Attribute Scope Query
- Extended DN Queries
- Reading Security Descriptors with Security Masks
- Asynchronous Searches
- Summary
Reading and Writing LDAP Attributes
- Reading and Writing LDAP Attributes
- Basics of Reading Attribute Values
- Collection Class Usage
- Understanding the ADSI Property Cache
- LDAP Data Types in .NET
- ADSI Schema Mapping Mechanism
- .NET Attribute Value Conversion
- Standard Data Types
- Binary Data Conversion
- COM Interop Data Types
- Syntactic versus Semantic Conversion
- Dealing with Attributes with Many Values
- Basics of Writing Attribute Values
- Writing COM Interop Types
- Summary
Active Directory and ADAM Schema
- Active Directory and ADAM Schema
- Schema Extension Best Practices
- Choosing an Object Class
- Choosing Attribute Syntaxes
- Modeling One-to-Many and Many-to-Many Relationships
- Search Flags and Indexing
- Techniques for Extending the Schema
- Discovering Schema Information at Runtime
- Summary
Security in Directory Services Programming
- Security in Directory Services Programming
- Binding and Delegation
- Directory Object Permissions in Active Directory and ADAM
- Code Access Security
- Summary
Introduction to the ActiveDirectory Namespace
- Introduction to the ActiveDirectory Namespace
- Working with the DirectoryContext Class
- Locating Domain Controllers
- Understanding the Active Directory RPC APIs
- Useful Shortcuts for Developers
- Summary
Part II: Practical Applications
User Management
- User Management
- Finding Users
- Creating Users
- Managing User Account Features
- Managing Passwords for Active Directory Users
- Managing Passwords for ADAM Users
- Determining User Group Membership in Active Directory and ADAM
- Summary
Group Management
- Group Management
- Creating Groups in Active Directory and ADAM
- Manipulating Group Membership
- Expanding Group Membership
- Primary Group Membership
- Foreign Security Principals
- Summary
Authentication
- Authentication
- Authentication Using SDS
- Authentication Using SDS.P
- Authentication Using SSPI
- Discovering the Cause of Authentication Failures
- Summary
Part III: Appendixes
Appendix A. Three Approaches to COM Interop with ADSI
- Appendix A. Three Approaches to COM Interop with ADSI
- The Standard Method
- The Reflection Method
- Handcrafted COM Interop Declarations
- Summary
Appendix B. LDAP Tools for Programmers
- Appendix B. LDAP Tools for Programmers
- LDP
- ADSI Edit
- Active Directory Users and Computers
- LDIFDE
- ADFind/ADMod
- BeaverTail LDAP Browser
- Softerra LDAP Browser
- Summary
Appendix C. Troubleshooting and Help
- Appendix C. Troubleshooting and Help
- Error 0x8007203A: "The server is not operational."
- Error 0x8007052E: "Login Failure: unknown user name or bad password."
- Error 0x80072020: "An operations error occurred."
- Error 0x80072030: "There is no such object on the server."
- Error 0x8007202F: A constraint violation occurred.
- Error 0x80072035: The server is unwilling to process the request.
- Error 0x80070005: General access denied error.
- InvalidOperationException from DirectorySearcher
- Summary
Index
EAN: 2147483647
Pages: 165
- Challenging the Unpredictable: Changeable Order Management Systems
- Context Management of ERP Processes in Virtual Communities
- Distributed Data Warehouse for Geo-spatial Services
- Healthcare Information: From Administrative to Practice Databases
- Development of Interactive Web Sites to Enhance Police/Community Relations
