
I have a Linux-served Web app and a C# Windows client. The web app currently allows AD credentials, which it authenticates.

Not all the users are Windows-based. I'm trying to implement a Single Sign-on solution for Windows users. I want to allow access to my application if the user has already been validated against AD at Windows log-in.

I know how to validate credentials against AD:

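using System.DirectoryServices;

// Bind to AD with explicit credentials (requires the user's name and password).
DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);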

But I won't have the userName or password. I know that Kerberos is being used by AD to store the Windows credentials but I don't know how to access the ticket.

My question is similar to 'How to determine if logged on windows account has been authenticated on domain' or 'Authenticating users using Active Directory in Client-Server Application' except for C#.

I am using lighttpd.

Intra
  • All users that log on to an AD-connected windows box are already authenticated (otherwise they couldn't log on). Do you mean that you are trying to authorize users based on AD permissions? See authorization vs authentication http://www.duke.edu/~rob/kerberos/authvauth.html – Chris Shain Apr 20 '12 at 17:25
  • I want to access the authentication ticket. – Intra Apr 20 '12 at 17:43
  • Why? Enabling windows (AD) authentication in IIS is fairly trivial and ***extremely*** thoroughly documented: http://msdn.microsoft.com/en-us/library/ff647405.aspx – Chris Shain Apr 20 '12 at 17:55
  • My web app isn't hosted by IIS. It is a linux server. – Intra Apr 20 '12 at 17:57
  • If your web app is hosted on linux, then how is it running C#? Or are you trying to run some C# on the windows box to somehow pre-authenticate the user against the web application? – Chris Shain Apr 20 '12 at 18:00
  • Your question needs to be about how to enable integrated kerberos auth between and . – Brian Cauthon Apr 20 '12 at 18:00
  • @Chris Shain, The web app isn't running C#, I have a Windows app in C# that connects to the web app. – Intra Apr 20 '12 at 18:02
  • @BrianCauthon, that is the logical next step of my problem. I thought to use local Windows login ticket and somehow pass that to the web app. You are saying that is the wrong initial approach? – Intra Apr 20 '12 at 18:04
  • We can't tell what your initial approach is, because you haven't posted any code to show us what you are trying or pseudo code to demonstrate what you want to try. However, I get the feeling that what you want to try won't work or will make kerberos insecure. – Brian Cauthon Apr 20 '12 at 18:09
  • Of particular use would be the code that you use to connect to the web application. For instance, are you using the WebClient class? Something else? – Chris Shain Apr 20 '12 at 18:12

1 Answer

Have a look at Providing Active Directory authentication via Kerberos protocol in Apache. If you're using the WebClient or WebRequest classes in the Windows app make sure that you set the UseDefaultCredentials property to true.

NOTE: Microsoft killed the original but the content can still be found in the Wayback Machine.

JamieSee
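The client side of the setup the answer describes, as an added example that is not part of the original answer or of any project's code. It goes one step beyond `UseDefaultCredentials = true` by offering the logged-on user's credentials only to one host and only for the Negotiate scheme. The class name `SsoClient` and the URL `https://app.example.internal/` are hypothetical, and the server is assumed to answer with `WWW-Authenticate: Negotiate`.

```csharp
using System;
using System.Net;
using System.Net.Security;

static class SsoClient
{
    // Hypothetical endpoint: replace with the Kerberos-protected URL of the web app.
    static readonly Uri AppUri = new Uri("https://app.example.internal/");

    static HttpWebRequest BuildRequest(Uri uri)
    {
        var request = (HttpWebRequest)WebRequest.Create(uri);

        // Simplest form, as in the answer:  request.UseDefaultCredentials = true;
        // Scoped form used here: the Windows logon credentials are offered only
        // to this host and only in answer to a Negotiate (SPNEGO) challenge.
        var cache = new CredentialCache();
        cache.Add(new Uri(uri.GetLeftPart(UriPartial.Authority)), "Negotiate",
                  CredentialCache.DefaultNetworkCredentials);
        request.Credentials = cache;

        // Ask the server to authenticate itself as well. Kerberos can do this,
        // NTLM cannot, so the result shows which mechanism was negotiated.
        request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequested;

        // Surface redirects to the caller instead of following them silently.
        request.AllowAutoRedirect = false;
        return request;
    }

    static void Main()
    {
        try
        {
            using (var response = (HttpWebResponse)BuildRequest(AppUri).GetResponse())
            {
                Console.WriteLine("Status: {0}", (int)response.StatusCode);
                Console.WriteLine("Mutually authenticated: {0}", response.IsMutuallyAuthenticated);
            }
        }
        catch (WebException ex)
        {
            // A 401 means the server rejected or never received a usable ticket;
            // the challenge header shows which schemes it is offering.
            var http = ex.Response as HttpWebResponse;
            Console.WriteLine(http != null
                ? "HTTP " + (int)http.StatusCode + ", WWW-Authenticate: " + http.Headers["WWW-Authenticate"]
                : ex.Message);
        }
    }
}
```

If `IsMutuallyAuthenticated` prints `False` on a successful response, the exchange most likely fell back to NTLM inside Negotiate, which usually points at a missing or mismatched service principal name for the web server.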