Question

Suppose I am writing a server for a particular network protocol. If I know that the client is running on a Windows machine, is it possible for my server to authenticate the Windows user that owns the client process that initiated the connection independently of the network protocol in question?

Rationale

I actually wish to write an FTP proxy server. Clients would connect to the proxy with their desired server user name and a bogus password. The proxy would then authenticate the Windows user that is running the FTP client (via some mechanism apart from the FTP protocol). After authenticating the Windows user, the proxy would then determine if that Windows user may connect to the real FTP server as the user name they provided via their FTP client.

Conditions

Both the clients and the proxy will be within the same firewall and no client will be hidden behind NAT (allowing the proxy to connect back to the client if necessary).

Answer 1

Microsoft tries to make this difficult. They do not want programs to authenticate without credentials.

You have to plug into the authentication framework and convince the system that you really are a source of authentication. See the Lsa functions.

See the source of an open source ssh server to get an idea of your options here.

Of course, if you really have credentials, you can be plugged into the framework legitimately.

If the other end of the connection is a Windows box, you can get credentials transferred across via Kerberos and use the SSPI API. I recommend this book.

友情链接