How to authenticate selected users over sspi

  • Question

  • I have a client-server application model, where communication happens over a TCP socket. I want to implement an authentication mechanism where the server (which listens on a TCP port) allows only selected Windows users to communicate over that TCP port. Looking at SSPI, it seems like it could be an option for me to use; however, the part that I could not clearly understand is where in the SSPI model we tell the Windows subsystem that I only want to allow these 'n' users.

    Looking at the samples on MSDN, it seems like the SSPI API automatically generates the token for the user that can be sent over the network, and the server side can receive that and then call the SSPI API AcceptSecurity*(). Then, after negotiation, the SSPI API tells whether negotiation succeeded or failed. I don't understand at what point I should tell the SSPI API that, hey, I want only these n users to be allowed.

    Am I misunderstanding things here entirely? Or is SSPI not something that will help me in this scenario?

    Friday, August 14, 2015 6:29 AM

All replies

  • SSPI generates binary BLOBs that are exchanged between a client & server to communicate a security protocol.  SSPI doesn't care about how the binary BLOBs are exchanged between the client & server.  This is typically done via a socket but you could use a file or memory.

    Your question is more of a sockets question on whether you can set up a system to only allow certain users to communicate over a TCP port.


    Frank K [MSFT]

    Follow us on Twitter, www.twitter.com/WindowsSDK.

    Friday, August 14, 2015 9:39 PM
  • Perhaps I was not very clear in my question. I am not worried about how blobs are exchanged for SSPI.

    The requirement is that when the SSPI handshake is done, and SSPI has established a security context, is there a way to know which user on the other side this security context belongs to? That way I can figure out who is at the other end and decide whether or not I want to communicate with that guy.

    Friday, August 14, 2015 10:18 PM
  • If you are using the Negotiate Package (which will use either Kerberos or NTLM), the server can obtain the security context of the client by calling QuerySecurityContextToken() and then dumping the token with GetTokenInformation(). This doesn't really work for SCHANNEL.

    It really depends on what security package you are using on whether you can get this information from SSPI.


    Frank K [MSFT]


    Tuesday, August 18, 2015 8:58 AM
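
The server-side check described in the last reply, as an added example that is not code from the thread or from Microsoft: once the Negotiate handshake has completed, the server reads the client's user SID from the context token and compares it with an allow-list. The SIDs are constructed placeholders and the names `kAllowedSids`, `sid_is_allowed` and `peer_is_authorized` are hypothetical; matching on the SID rather than the account name means a renamed account cannot slip past the list.

```c
#include <stddef.h>
#include <string.h>

/* Constructed allow-list: placeholder SIDs, not real accounts. */
static const char *const kAllowedSids[] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "S-1-5-21-1111111111-2222222222-3333333333-1002",
};

/* Exact-match check; NULL or unlisted SIDs are denied (fail closed). */
int sid_is_allowed(const char *sid)
{
    size_t n = sizeof kAllowedSids / sizeof kAllowedSids[0];
    if (sid == NULL) return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, kAllowedSids[i]) == 0) return 1;
    return 0;
}

#ifdef _WIN32   /* Windows-only part; link with Secur32.lib and Advapi32.lib */
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <sddl.h>

/* Hypothetical helper: call on the server after AcceptSecurityContext()
   has returned SEC_E_OK. Returns 1 if the peer is on the allow-list. */
int peer_is_authorized(PCtxtHandle ctx)
{
    union { TOKEN_USER tu; BYTE raw[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE]; } u;
    HANDLE token = NULL;
    DWORD len = 0;
    LPSTR sid = NULL;
    int ok = 0;

    if (QuerySecurityContextToken(ctx, &token) != SEC_E_OK)
        return 0;                               /* no token: deny */
    if (GetTokenInformation(token, TokenUser, &u, sizeof u, &len) &&
        ConvertSidToStringSidA(u.tu.User.Sid, &sid)) {
        ok = sid_is_allowed(sid);               /* string form of the user SID */
        LocalFree(sid);
    }
    CloseHandle(token);
    return ok;
}
#endif
```

When `peer_is_authorized` returns 0, the server should release the context with `DeleteSecurityContext()` and close the socket before processing any application data from that peer.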