Simply said: Can I generate in C++ some kind of text information - user token, session token, access token (?) - of currently logged in Windows user and then verify this text information (authenticate the user) somewhere else (different computer in domain)?
I have two computers. On the first one user should be able to connect via client app to my server app running on the second computer. He has to use Windows Authentication so server will use his windows groups for some information - no username/password sending. My idea is (don't know if it is possible) that client computer/process knows the current user, so it will acquire the user's access token or something like that, pass that to server (as string parameter), server will verify that this token-string is valid and will get the name of that windows user and his groups for next operations, that's what I need.
Is this possible just with one information (this access token/session token or how to call that) sent from client to server? (http server, i just want to send that string token once with one login request which is currently used for other proprietary ways of authentications, no handshaking/negotiating or something like that if possible). I'm using C++.
I currently found two ways (probably ways how NOT to do it ;))
1) Functions like OpenProcessToken, GetTokenInformation - this gives me access to access token but it is just Handle and I can use it probably only in my process, not possible to send it somewhere else...
2) Functions like AcquireCredentialsHandle, InitializeSecurityContext, AcceptSecurityContext - today I have spent lot of time with this - I made some test app using these functions, just running in one process, I'm currently not absolutely sure how it should be made by "text" communication between two computers but that's not important - it seems that more rounds have to be made - client creates something (context, credentials, token,...), sends it to server, server does something, responds back to client, client takes the result, etc. Can I do it just by creating "session token" and sending it (for example with domain@username if necessary) without other informations going back and there again?
Any help appreciated, thanks!
EDIT: Based on the first comments below it seems I need to clarify this more: Imagine user running web browser and connecting to my server application somewhere else. He wants to send commands like "CONNECT" and "DO_STUFF". Server app will do_stuff only if this user can connect first. But this user can connect for example only if it is member of some windows group (windows authentication used, not some proprietary users and passwords). So the server has to check if this user is valid member of that group. But server can do it just based on the text information provided by user of course. Well, user can send his windows username and password to authenticate by server app (should be done by C++ function LogonUser or whatever else), but that's dangerous and I don't want user to input his username and password somewhere, I just want him to "click login button" and C++ will care about the rest, because it can check his current session data, he is already logged in. My idea is just to provide username and some kind of string user token (session token, access token, i don't know the exact terminology) which will be generated by user client side app (using Kerberos, NTLM, i don't know) and server will receive this string information, it will check this token to verify that "this is valid token of valid windows user and here are the groups to which he belongs"... something like that. Hope this explanation helps.
Functions like AcquireCredentialsHandle, InitializeSecurityContext, AcceptSecurityContext and similar are solution here.
Check http://msdn.microsoft.com/en-us/library/ms973911.aspx#remsspi_topic3
If you want just to authenticate user, NTLM is ok, but you need to exchange multiple messages, it can't be done just in one step as I required originally (needed: negotiate, challenge, response), so you are sending in fact 3 text messages and processing them by functions mentioned above.
If you want to delegate (server can act as client - impersonate - and even delegate the rights to the other process) you need to use Kerberos (Active Directory needed). Everything has to be done in one domain. This can be probably achieved by sending less messages from client to server based on the image below, because authority is much more involved, but I haven't tested this scenario.
(source: microsoft.com)
来源:https://stackoverflow.com/questions/9380220/windows-authentication-token-c