I've been asked to provide support for authenticating users against an Active Directory in our existing client server application.
At the moment a user supplies a user name and password from a client machine, passed over the wire (encrypted) to our server process and matched against a user name/password stored in a database.
Initially, I thought this would be a easy problem to solve, since I could simply authenticate the users' name/password against Active Directory from our server process. However it turns out that users shouldn't have to enter a password from our client application, instead taking it's credentials from the current Windows login session.
I'm now faced with a problem of how to authenticate using Active Directory without having a password? I'm sure there must be a way of somehow passing some sort of "token" from the client to our server process that could be used as an alternative authentication method, but my research so far has drawn a blank.
Our server is written in C++, so we'll be using the win32 API. I also intend to develop and debug this using a virtual machine running Windows 2008 AD LDS - I'm hoping this will be sufficient for what I'm trying to achieve.
Any help or advice is much appreciated.
AD authentication is a Windows-based system that authenticates and authorizes users, endpoints, and services to Active Directory. IT teams can use AD authentication to streamline user and rights management while achieving centralized control over devices and user configurations through the AD Group Policy feature.
AD supports multiple protocols through which authentication of the organization's users can be done. The two main of these are Kerberos and LDAP. Kerberos: It is a network layer security protocol used to authenticate trusted devices across a network.
Benefits of Active Directory. Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature.
You do an NTLM/Kerberos/Negotiate SSPI exchange loop. There is a a full sample on MSDN for both the client and the server. To be clear: you do not use any sort of LDAP access explictily. Is the LSA (Local Security Authority) that talks with LDAP and establishes the identity of the client. If you are succesful in doing the entire SSPI loop, the authentication has succeeded already and the client identity is alread authenticated against the LDAP. If your server needs to know the client identity (eg. to know the use rname) it retrieves it from the security context resulted in the SSPI loop using the QueryContextAttributes(..., SECPKG_ATTR_NAMES,...)
and retrieves the user name from the SecPkgContext_Names
structure.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With