In short: Is it possible to use the Windows login (to an AD) information to confirm that a user is logged in to an AD from a WPF program?

I'm thinking of getting the user credentials to verify the user is logged in to the AD.

I don't want to use the password or anything; I can get the user id, I have the URL to the AD and am looking for some kind of Windows credential object that I can use to verify.

Currently I'm using LDAP to access the AD.

The setup is that we have an external webserver that wants to verify that the user is logged in correctly. The webserver has access to the AD, and the PC application also has access to the AD.

Now:
1. The user logs in to Windows, via AD.
2. My application shows a login screen; the user enters user and password.
3. The user/pass is sent to the webserver; the webserver uses LDAP to verify the user login, and accepts.

One customer doesn't want to type the login again and wants this:
1. The user logs in to Windows, via AD.
2. My application gets some credential object from Windows that can be sent to the AD to verify that the user is actually logged in to the AD.
3. My application calls the webserver, passing the login as "the user is already logged in to the AD", so it's OK.

Alternatively:
1. The user logs in to Windows, via AD.
2. My application gets some credential object from Windows that has some kind of AD identification id; I then send this to the webserver as user + AD id.
3. The webserver verifies the user and AD id are correct, by using LDAP to query the AD whether it's the correct ID (or something similar).


I have the example:
C#
using System;
using System.Security.Principal;
using System.Threading;
using System.Windows;

public static class AdTests
{
    // Placeholder from the original post; the real function is not shown there.
    static void SomeAdminFunction() { }

    public static void Run()
    {
        // AD TESTS
        var userName = Environment.UserName;

        // Make Thread.CurrentPrincipal a WindowsPrincipal built from the logon token.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // Note: "LiveSSP" is the Microsoft-account provider; a domain (AD) logon
        // normally reports "Kerberos" or "NTLM" here, so this branch is only
        // entered for Microsoft-account logons.
        if (Thread.CurrentPrincipal.Identity.AuthenticationType == "LiveSSP")
        {
            // Group check is evaluated locally against the client's own token.
            if (!Thread.CurrentPrincipal.IsInRole("SomeDomain\\MyApplication-User"))
            {
                MessageBox.Show("Sorry, you do not have access to the application", "Access Denied");
                Application.Current.Shutdown();
            }
        }

        try
        {
            SomeAdminFunction();
        }
        catch (Exception e)
        {
            // Exceptions are swallowed here; at least record them.
            Console.Error.WriteLine(e);
        }
    }
}


The problem here is that anyone with an AD can then set the credential so it returns the correct .IsInRole, and therefore accepts the user, who will then be able to access the webserver (and the services).

I have searched the information in these classes, and can't find anything useful to identify the AD, so it can be verified on the webserver, or some kind of information to pass to the webserver to use for verification.
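An added example (not code from the post above) showing the usual way to get what the customer wants without a local, forgeable IsInRole check: the WPF client lets the HTTP stack perform Windows Integrated Authentication (Negotiate/Kerberos) with the logon ticket it already holds, and the webserver, which validates that exchange against the domain itself, makes the group decision. It assumes an ASP.NET Core server at the placeholder address https://webserver.example.invalid configured with the Microsoft.AspNetCore.Authentication.Negotiate package; the client and server halves belong to separate projects.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// ---- WPF client side (assumed project) ----
public static class AdSessionClient
{
    // Placeholder server address; replace with the real webserver URL.
    static readonly Uri ServerUri = new Uri("https://webserver.example.invalid/api/session");

    public static async Task<string> CallServerAsync()
    {
        var handler = new HttpClientHandler
        {
            // Present the logged-on Windows identity via Negotiate;
            // the application never sees or sends a password.
            UseDefaultCredentials = true,
        };
        using var client = new HttpClient(handler);
        using var response = await client.GetAsync(ServerUri);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

// ---- Webserver side (assumed ASP.NET Core project) ----
// Program.cs is assumed to contain:
//   builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
//   builder.Services.AddAuthorization();
//   app.UseAuthentication(); app.UseAuthorization();
[ApiController]
[Route("api/session")]
[Authorize] // unauthenticated callers never reach the action body
public class SessionController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // User is populated by the Negotiate handler from the domain-validated
        // token, so the client cannot forge it by setting its own principal.
        var identity = User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return Unauthorized();

        // Group membership is checked here, on the server, not on the client.
        if (!User.IsInRole(@"SomeDomain\MyApplication-User"))
            return Forbid();

        return Ok(new { user = identity.Name, authType = identity.AuthenticationType });
    }
}
```

For Kerberos to be used rather than NTLM, the webserver's service account needs an SPN matching the URL the client calls.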