Question

I have created a server/client application. Both parts are written in C#. It uses TCP/IP communication with a custom SSL implementation. Currently the login procedure requires a username/password pair for logging in.

I was asked to implement single sign-on to eliminate the need for a username/password.

So now, when the client starts, it determines the currently logged-in user's SID and sends it to the server, which maps this connection to a user by the SID.

This solution works well, but it is not a secure solution at all, I think.

The client has a strong name and is obfuscated, of course.

I started thinking about how it is possible to hack this login, and I think it is very easy from a hacker's point of view:

- Finding out a user's SID on a network is not a problem.
- Removing the strong name and changing the appropriate code to use a hard-coded SID instead of the current one can be done easily.

So what do you think? Can you suggest a better solution, please? Could you tell me how to improve the security?

Or could you tell me how Outlook handles user authentication? (I guess/hope it is not so easy to cheat Outlook.)

Thank you!


Solution

To authenticate with Windows Authentication, you can use NegotiateStream.

MSDN provides a decent example that you can use to perform authentication:

http://msdn.microsoft.com/en-us/library/system.net.security.negotiatestream(v=vs.85).aspx
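As an added example (not part of the original answer or the MSDN page), here is a minimal loopback demo of the NegotiateStream handshake in the setting the question describes: the client still sends "its" SID in-band, but the server now derives the identity from the SSPI token produced by the handshake and only compares the in-band value against it, so a client patched to send someone else's SID is rejected. Port 11000, the loopback address, the empty target name (which means NTLM rather than Kerberos, with no server authentication to the client) and the Identification impersonation level are assumptions for a local run on a Windows machine; against a real server you would pass the server's SPN as the target name and check IsMutuallyAuthenticated.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from the original question or answer.
// Assumptions: Windows host, loopback TCP on port 11000, NTLM via an empty target name.
static class NegotiateDemo
{
    const int Port = 11000; // assumed port for the local demo

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        Task<string> serverTask = RunServerAsync(listener);

        string reply = RunClient();
        string sidFromToken = await serverTask;
        listener.Stop();

        Console.WriteLine($"client got reply: {reply}");
        Console.WriteLine($"server bound the connection to SID: {sidFromToken}");
    }

    // Server side: run the handshake, then trust RemoteIdentity and nothing on the wire.
    static async Task<string> RunServerAsync(TcpListener listener)
    {
        using TcpClient conn = await listener.AcceptTcpClientAsync();
        using var auth = new NegotiateStream(conn.GetStream(), leaveInnerStreamOpen: false);

        // Require a signed and encrypted channel. Identification level is enough to
        // map the user; Impersonation would let the server act as the user, which
        // this application does not need (least privilege).
        auth.AuthenticateAsServer(
            CredentialCache.DefaultNetworkCredentials,
            ProtectionLevel.EncryptAndSign,
            TokenImpersonationLevel.Identification);

        if (!auth.IsAuthenticated || !auth.IsSigned || !auth.IsEncrypted)
            throw new AuthenticationException("handshake did not yield a signed and encrypted channel");

        // The SID comes from the SSPI token, not from anything the client sent.
        var identity = (WindowsIdentity)auth.RemoteIdentity;
        string sid = identity.User?.Value ?? "(no SID)";

        // The old protocol's "here is my SID" message is now just data to verify.
        byte[] buf = new byte[512];
        int n = auth.Read(buf, 0, buf.Length);
        string claimed = Encoding.UTF8.GetString(buf, 0, n);

        string msg = claimed == sid
            ? $"ok: mapped to {identity.Name}"
            : $"rejected: claimed {claimed} but token says {sid}";
        byte[] reply = Encoding.UTF8.GetBytes(msg);
        auth.Write(reply, 0, reply.Length);
        return sid;
    }

    // Client side: authenticate as the logged-on user with default credentials.
    static string RunClient()
    {
        using var conn = new TcpClient();
        conn.Connect(IPAddress.Loopback, Port);
        using var auth = new NegotiateStream(conn.GetStream(), leaveInnerStreamOpen: false);

        // Empty target name => NTLM, no mutual authentication (assumed acceptable for
        // a loopback demo). Against a real server pass its SPN, e.g. "host/servername",
        // so Kerberos is used and auth.IsMutuallyAuthenticated can be checked.
        auth.AuthenticateAsClient(
            CredentialCache.DefaultNetworkCredentials,
            string.Empty,
            ProtectionLevel.EncryptAndSign,
            TokenImpersonationLevel.Identification);

        // Reproduce the question's in-band SID message. A patched client could send
        // any SID here; the server no longer believes it without the matching token.
        string mySid = WindowsIdentity.GetCurrent().User?.Value ?? "(no SID)";
        byte[] data = Encoding.UTF8.GetBytes(mySid);
        auth.Write(data, 0, data.Length);

        byte[] buf = new byte[512];
        int n = auth.Read(buf, 0, buf.Length);
        return Encoding.UTF8.GetString(buf, 0, n);
    }
}
```

Once the handshake is in place the in-band SID message is redundant and can be dropped entirely: the server keys the session on auth.RemoteIdentity, and the strong name and obfuscation of the client stop being part of the security boundary, because tampering with the client cannot produce a token for a user whose credentials the attacker does not hold.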

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow