Alan Alan - 3 months ago 12
C++ Question

Authenticating users using Active Directory in Client-Server Application

I've been asked to provide support for authenticating users against an Active Directory in our existing client server application.

At the moment a user supplies a user name and password from a client machine, passed over the wire (encrypted) to our server process and matched against a user name/password stored in a database.

Initially, I thought this would be a easy problem to solve, since I could simply authenticate the users' name/password against Active Directory from our server process. However it turns out that users shouldn't have to enter a password from our client application, instead taking it's credentials from the current Windows login session.

I'm now faced with a problem of how to authenticate using Active Directory without having a password? I'm sure there must be a way of somehow passing some sort of "token" from the client to our server process that could be used as an alternative authentication method, but my research so far has drawn a blank.

Our server is written in C++, so we'll be using the win32 API. I also intend to develop and debug this using a virtual machine running Windows 2008 AD LDS - I'm hoping this will be sufficient for what I'm trying to achieve.

Any help or advice is much appreciated.

Answer

You do an NTLM/Kerberos/Negotiate SSPI exchange loop. There is a a full sample on MSDN for both the client and the server. To be clear: you do not use any sort of LDAP access explictily. Is the LSA (Local Security Authority) that talks with LDAP and establishes the identity of the client. If you are succesful in doing the entire SSPI loop, the authentication has succeeded already and the client identity is alread authenticated against the LDAP. If your server needs to know the client identity (eg. to know the use rname) it retrieves it from the security context resulted in the SSPI loop using the QueryContextAttributes(..., SECPKG_ATTR_NAMES,...) and retrieves the user name from the SecPkgContext_Names structure.