Andy's observations as he continues to attempt to know all that is .NET...

Monday, July 03, 2006

NegotiateStream or is that bend over and take what’s given

Been playing around with NegotiateStream. This class lets you wrap any other stream, typically a socket stream, in a tunnel. As part of the tunnel setup you specify the source credentials and the destination identity. The source credentials are used by the server to validate who you are, and the destination identity is used to confirm that the server is who it says it is. The first phase of setting up the tunnel is authentication, and Windows supports two types: NTLM and Kerberos. NTLM is not capable of performing mutual authentication, so it only cares about the client credentials, whereas Kerberos supports both and will validate that the remote end is in fact who you think it should be.

So, great: in environments where it is important to know what's on the other end of the wire you need to use Kerberos. But here's the rub. You would think that if you made a call as below it would enforce the use of Kerberos:


// innerStream is the socket (or other) stream being wrapped in the tunnel
NegotiateStream s = new NegotiateStream(innerStream);
// DefaultNetworkCredentials: the current Windows logon; "RemoteServiceUser": the identity (SPN) the server is expected to have
s.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, "RemoteServiceUser");


However, if RemoteServiceUser is unknown to Windows AD you would expect the call to be rejected, but oh no, it simply falls back to NTLM. The only way you know mutual authentication has not happened is by checking the s.IsMutuallyAuthenticated flag afterwards. In my mind there need to be two additional methods: one that specifies the remote identity and one that doesn't. That way it is clear whether I want mutual authentication or not. If I want it and it doesn't happen then an exception needs to be thrown; I shouldn't have to check a property on the stream after the fact. And worse still, if I don't want it I shouldn't have to specify anything, not even String.Empty.
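Until the API does this for you, the check has to be done by hand. The following is an added example, not code from the original post: a client-side wrapper that refuses to hand back the tunnel unless mutual authentication actually happened, driven against a loopback server so it runs on one machine. The SPN `host/localhost` is a placeholder assumption; on a machine with no Kerberos path to that name Negotiate drops to NTLM and the wrapper throws, which is exactly the failure the post describes.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Threading.Tasks;

class MutualAuthDemo
{
    // Client side: open the tunnel, then refuse to use it unless the server was actually verified.
    static NegotiateStream ConnectRequiringMutualAuth(Stream inner, string targetSpn)
    {
        var s = new NegotiateStream(inner, leaveInnerStreamOpen: false);
        try
        {
            s.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, targetSpn,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            // AuthenticateAsClient does not fail when Negotiate downgrades to NTLM, so check here.
            if (!s.IsMutuallyAuthenticated)
                throw new AuthenticationException(
                    "Server identity was not verified (NTLM fallback, no Kerberos mutual auth).");
            if (!s.IsEncrypted || !s.IsSigned)
                throw new AuthenticationException("Channel is not encrypted and signed as requested.");
            return s;
        }
        catch { s.Dispose(); throw; }
    }

    static async Task Main()
    {
        const string targetSpn = "host/localhost"; // hypothetical placeholder SPN for the demo
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        var serverTask = Task.Run(async () =>
        {
            using var client = await listener.AcceptTcpClientAsync();
            using var ns = new NegotiateStream(client.GetStream());
            ns.AuthenticateAsServer(); // server side accepts whatever Negotiate settled on
            Console.WriteLine($"server: peer={ns.RemoteIdentity.Name} mutual={ns.IsMutuallyAuthenticated}");
        });
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, port);
        try
        {
            using var tunnel = ConnectRequiringMutualAuth(tcp.GetStream(), targetSpn);
            Console.WriteLine("client: mutual authentication succeeded, tunnel is usable");
        }
        catch (AuthenticationException e) { Console.WriteLine($"client: rejected: {e.Message}"); }
        await serverTask;
    }
}
```

The server side deliberately does not enforce anything, to show that the handshake completes on both ends under NTLM; only the client-side check turns the silent fallback into a hard failure.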


About Me

I'm a freelance consultant for .NET based technology. My last real job was at Cisco Systems, where I was a lead architect for Cisco's identity solutions. I arrived at Cisco via acquisition and prior to that worked in small startups. The startup culture is what appeals to me, and that's why I finally left Cisco after seven years..... I now fill my time through a combination of consultancy and teaching for Developmentor... and working on insane startups that nobody with an ounce of sense would look twice at...