AcquireCredentialsHandle
- Acquires a handle to some form of credentials (e.g. the current user's logon). Used by both servers and clients.
The typical workflow is that each side will initialize their credentials using AcquireCredentialsHandle. The authentication cycle then starts and progresses as follows:
- The client invokes InitializeSecurityContext, providing no input tokens, which returns output tokens in the form of a byte array. ISC returns 'ContinueNeeded' to indicate that the authentication cycle is not complete.
- The client sends the tokens to the server by whichever means it desires.
- The server feeds the received tokens as input to AcceptSecurityContext and produces its own output tokens. ASC also returns 'ContinueNeeded' to indicate that the authentication cycle is not complete.
- The server then sends its output tokens to the client.
- The client provides the server's tokens as input to InitializeSecurityContext, which returns new output tokens.
- The client sends his new output tokens to the server.
- ...
This cycle continues until the client sees InitializeSecurityContext return 'OK' and the server sees AcceptSecurityContext return 'OK'. Each function may return 'OK' and still provide an output token (as indicated by a non-null return), to indicate that it still has to send data to the other side. This is how the client knows that its half is done but the server's is still incomplete; and vice versa if the server completes before the client. Which side completes first (returns 'OK') depends on the specific security package being used under the hood by SSPI, and any SSPI consumer should be aware of this.
The information above should be enough for anybody to begin interfacing with the SSPI system in order to provide 'Windows Integrated Authentication' in their application and replicate my results.
Below is my earlier answer as I learned how to invoke the SSPI API.
I had forgotten about this question, and coincidentally returned to this problem a few days ago on a whim. I do need to solve this problem in a year or two though :)
It is possible in .Net, and I am currently developing a .Net SSPI wrapper that I intend to publish.
I'm basing my work off of some SSPI samples from Microsoft I found.
The sample contains a C++/CLI managed assembly that implements the necessary parts of the SSPI API (in the folder Microsoft\Samples\Security\SSPI\SSPI extracted from the REMSSPI.exe file). They then have two UIs, a client application and a server application, both written in C# that make use of this API to perform SSPI authentication.
The UIs make use of the .Net remoting facility to tie it all together, but if I understand the SSPI API correctly, the only information that the client and server need to exchange consists of byte[]s containing security context token data, which can easily be integrated into whatever communications infrastructure you want; in my case, a binary protocol of my own design.
Some notes on getting the sample to work - they have the 'SSPI' library source, which best compiles under VS 2005, though I've gotten it to work under 2008; 2010 or above would require some rework since they use language constructs that were deprecated. You may also need to modify header files that are part of your platform SDK, because they make use of const pointer assignments to unconst variables, and I don't know a better way to make the compiler happy (I've never used C++/CLI before).
They do include a compiled SSPI dll in the Microsoft\Samples\Security\SSPI\bin folder. To get the client/server binaries to work, you have to copy that dll to their bin directory, else they fail assembly resolution.
To summarize:
- Go here to download the REMSSPI.exe sample self-extracting zip.
- Extract the REMSSPI.exe file (twice..)
- Microsoft\Samples\Security\SSPI\
  - bin\ - contains compiled dll Microsoft.Samples.Security.SSPI.dll
  - SSPI\ - contains source to dll
  - Sample\ - contains UI source code
    - bin\ - Contains build UI samples. Copy the SSPI.dll file here and run ControlPanel.Client.exe and ControlPanel.Server.exe
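
Added example, not part of the original answer or of the Microsoft sample: a transport-independent driver for the token exchange loop described above, showing that a token returned together with 'OK' must still be delivered and that the handshake is done only when both sides have returned 'OK'. `ToyContext`, `handshake` and the scripted tokens are hypothetical stand-ins for a real security context; no SSPI calls are made.

```python
from enum import Enum

class Status(Enum):
    CONTINUE_NEEDED = "ContinueNeeded"
    OK = "OK"

class ToyContext:
    """Scripted stand-in for one side's security context (not real SSPI).

    Each entry of `script` is the (status, output_token) pair that one call
    to InitializeSecurityContext / AcceptSecurityContext would report.
    """
    def __init__(self, script):
        self._script = list(script)
        self.status = Status.CONTINUE_NEEDED
        self.received = []                  # tokens fed in by the peer

    def step(self, token_in):
        if self.status is Status.OK:
            raise RuntimeError("context is already complete")
        self.received.append(token_in)
        self.status, token_out = self._script.pop(0)
        return token_out

def handshake(client, server, max_legs=16):
    """Run the token exchange; return the (sender, token) pairs sent."""
    wire = []
    side, peer = ("client", client), ("server", server)
    token = None                            # first client call has no input
    for _ in range(max_legs):
        token = side[1].step(token)
        if token is None:                   # nothing left to deliver
            break
        if peer[1].status is Status.OK:
            raise RuntimeError("token produced for a finished peer")
        wire.append((side[0], token))       # sent even if status is OK
        side, peer = peer, side
    if client.status is not Status.OK or server.status is not Status.OK:
        raise RuntimeError("handshake ended before both sides returned OK")
    return wire

# Constructed scripts: the client returns OK together with a last token.
CLIENT_FIRST = ([(Status.CONTINUE_NEEDED, b"c1"), (Status.OK, b"c2")],
                [(Status.CONTINUE_NEEDED, b"s1"), (Status.OK, None)])
# Constructed scripts: the server returns OK together with a last token.
SERVER_FIRST = ([(Status.CONTINUE_NEEDED, b"c1"), (Status.OK, None)],
                [(Status.OK, b"s1")])

if __name__ == "__main__":
    for c, s in (CLIENT_FIRST, SERVER_FIRST):
        print(handshake(ToyContext(c), ToyContext(s)))
```

In a real integration each `step` call would be replaced by the wrapper's InitializeSecurityContext or AcceptSecurityContext call, and each `wire.append` by a send over the application's own protocol.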