Been playing around with NegotiateStream, this class allows you to wrap up any other type of stream typically a socket stream with a tunnel. As part of the tunnel setup you specify the source credentials and the destination identity. The source credentials are used by the server to validate who you are and the destination identity is used in order to confirm that the server is who it says it is. The first phase of setting up the tunnel is authentication, and Windows supports two types NTLM and Kerberos. NTLM is not capable of performing mutual authentication so only cares about the client credentials. Where as Kerberos does support both and will validate that the remote end is infact who you think it should be.</p><p>So great in environments where it is important to know what’s on the other end of the wire, you need to use Kerberos, but here\'s the rub you would think that if you made a call as below, that it would enforce the use of Kerberos
NegotiateStream s = new NegotiateStream
s.AuthenticateClient( CredentialCache.DefaultCredentials , “RemoteServiceUser” );
However if the RemoteServiceUser was unknown by Windows AD you would think that it would reject the call, but oh no it simply fails back to NTLM. The only way you know it’s not done mutual authentication is when you check the s.IsMutuallyAuthenticated flag. In my mind I think there needs to be an additional methods, one that specifies the remote identity and one that doesn't. That way it’s clear that I want or don\'t want mutual authentication...If I want it and it doesn't happen then an exception needs to be thrown, I shouldn't have to check a property on the stream after the fact, and worse still if I don't want it I shouldn't have to specify anything not even String.Empty.