
We have a server written in Delphi that uses RemObjects DataAbstract/SDK. We would like to use Windows authentication to authenticate users to allow them access to our server.

Currently we do the following:

1) Client application sends the Windows username and password in clear text to the server.

2) The server checks the credentials using the following function:

{ Requires the Windows unit (LogonUser, CloseHandle, LOGON32_* constants) and a
  Unicode Delphi (2009+), since string is cast straight to PWideChar.
  Returns True when the supplied credentials are valid; the logon token is
  closed immediately because only the yes/no result is used. }
function ValidateUserLogonAPI(const UserName: string; const Domain: string;
  const PassWord: string): boolean;
var
  Retvar: boolean;
  LHandle: THandle;
begin
  // Network logon: validates the credentials without creating an interactive session
  Retvar := LogonUser(PWideChar(UserName),
                      PWideChar(Domain),
                      PWideChar(PassWord),
                      LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT,
                      LHandle);

  // On success LogonUser hands back a token handle; release it, only the result is needed
  if Retvar then
    CloseHandle(LHandle);

  Result := Retvar;
end;

Of course, this method has the disadvantage that the user credentials are passed over the network in clear text. We could encrypt them, but the encryption/decryption keys would have to be shipped within the application.

I'm sure there must be a better way of achieving our goal. I've read a bit about tokens, but don't really understand how they would work in this situation.

Note that the solution must work for both a Delphi Windows client and a Delphi Prism ASP.NET client.

Thanks for any help you can give.

norgepaul
  • Have you already considered using a Kerberos based solution? It requires a Kerberos instance running in the network, but is one of the de facto standard authentication protocols over a non-secure network. http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 – mjn Dec 16 '10 at 16:21
  • If he has an AD domain, he has Kerberos, although Windows has a mechanism to allow different authentication methods to work with the same interface –  Dec 16 '10 at 16:35
  • Is it an Intranet (or VPN) or Internet based application? For Intranet and Kerberos maybe this helps: http://stackoverflow.com/questions/1052369/how-can-i-get-a-kerberos-ticket-with-delphi – mjn Dec 16 '10 at 17:13
  • @mjn - No we haven't considered Kerberos. I really don't want to add too much additional complexity to the system though as it is designed to be installed and configured by our users without any assistance. I guess if there are no other options we can give it a look though. – norgepaul Dec 16 '10 at 17:58
  • @norgepaul: in a domain Windows authentication is automatically Kerberos-based, that's how a domain works. Anyway Windows has its own API that makes an abstract layer to whatever actual authentication method is used. It will work with NTLM or other supported method. –  Dec 16 '10 at 19:26
  • What kind of server is this? Is it an HTTP server? If so, can you set up Windows auth on the HTTP server, and then have the user redirect to the actual application if the authentication succeeds? – feroze Jan 27 '11 at 20:12

1 Answer


That's something DataAbstract should handle itself, and if it doesn't it's a half-baked library as Datasnap is :) When it comes to remoting, authenticating/authorizing endpoints and protecting the data exchange is really critical.

Basically, you have to send not the user credentials, but exchange a "token" which both the client and the server know how to authenticate. A full explanation can be complex. You can start from MSDN (look for AcceptSecurityContext() and InitializeSecurityContext()). A possible issue is whether DataAbstract has the proper hooks to implement the authentication phase, which may require more than one roundtrip.

As a stopgap measure you can enable IPSec to protect the communication channel and not let the whole user account be "sniffed" easily.

  • DataAbstract is an excellent library, but certainly security is one of its weak points. That's why we wrote our own authentication code so the hooks shouldn't be an issue:) We don't really have time to re-invent the wheel, so it would be good if I could find some examples in Delphi. – norgepaul Dec 16 '10 at 18:00
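The token exchange the answer describes, as an added example that is not part of the question, the answer, or the RemObjects library: a complete SSPI handshake in Delphi, with the client half (InitializeSecurityContext) and the server half (AcceptSecurityContext) run in one process so the legs can be followed in order. It replaces the LogonUser call from the question: the client never sends a password, the server ends up with an impersonation token for the caller, and the only thing that would cross the RemObjects channel is the ToServer/ToClient byte arrays. Assumptions: Delphi 2009 or later (Unicode strings); the SSPI declarations are hand-written from sspi.h because Delphi ships no Sspi unit; the program name, MakeDesc, TakeOutput and Check are names chosen here; the SEC_I_COMPLETE_* return codes (which need CompleteAuthToken) are not handled.

```delphi
program SspiHandshakeDemo;
{$APPTYPE CONSOLE}
// Added example (not from the question or RemObjects): in-process SSPI handshake with the
// Negotiate package. Delphi 2009+ assumed; declarations below are hand-written from sspi.h.
uses
  SysUtils, Windows;
type
  SECURITY_STATUS = LongInt;
  TSecHandle = record dwLower, dwUpper: NativeUInt; end;
  PSecHandle = ^TSecHandle;
  TSecBuffer = record cbBuffer, BufferType: ULONG; pvBuffer: Pointer; end;
  PSecBuffer = ^TSecBuffer;
  TSecBufferDesc = record ulVersion, cBuffers: ULONG; pBuffers: PSecBuffer; end;
  PSecBufferDesc = ^TSecBufferDesc;
const
  SECBUFFER_VERSION = 0;  SECBUFFER_TOKEN = 2;
  SECPKG_CRED_INBOUND = 1;  SECPKG_CRED_OUTBOUND = 2;
  ISC_REQ_ALLOCATE_MEMORY = $100;  ASC_REQ_ALLOCATE_MEMORY = $100;  // SSPI allocates output tokens
  SECURITY_NATIVE_DREP = $10;  SEC_E_OK = 0;  SEC_I_CONTINUE_NEEDED = $90312;
  MAX_LEGS = 8;  // guard against a package that never reaches SEC_E_OK

function AcquireCredentialsHandleW(pszPrincipal, pszPackage: PWideChar; fCredentialUse: ULONG;
  pvLogonId, pAuthData, pGetKeyFn, pvGetKeyArgument: Pointer; phCredential: PSecHandle;
  ptsExpiry: PInt64): SECURITY_STATUS; stdcall; external 'secur32.dll';
function InitializeSecurityContextW(phCredential, phContext: PSecHandle; pszTargetName: PWideChar;
  fContextReq, Reserved1, TargetDataRep: ULONG; pInput: PSecBufferDesc; Reserved2: ULONG;
  phNewContext: PSecHandle; pOutput: PSecBufferDesc; pfContextAttr: PULONG;
  ptsExpiry: PInt64): SECURITY_STATUS; stdcall; external 'secur32.dll';
function AcceptSecurityContext(phCredential, phContext: PSecHandle; pInput: PSecBufferDesc;
  fContextReq, TargetDataRep: ULONG; phNewContext: PSecHandle; pOutput: PSecBufferDesc;
  pfContextAttr: PULONG; ptsExpiry: PInt64): SECURITY_STATUS; stdcall; external 'secur32.dll';
function QuerySecurityContextToken(phContext: PSecHandle; var Token: THandle): SECURITY_STATUS; stdcall; external 'secur32.dll';
function FreeContextBuffer(pvContextBuffer: Pointer): SECURITY_STATUS; stdcall; external 'secur32.dll';
function DeleteSecurityContext(phContext: PSecHandle): SECURITY_STATUS; stdcall; external 'secur32.dll';
function FreeCredentialsHandle(phCredential: PSecHandle): SECURITY_STATUS; stdcall; external 'secur32.dll';

procedure Check(Status: SECURITY_STATUS; const Where: string);
begin
  if Status < 0 then raise Exception.CreateFmt('%s failed: 0x%.8x', [Where, Cardinal(Status)]);
end;

// One SECBUFFER_TOKEN describing Token; an empty Token yields the empty output buffer
// that ISC/ASC fill themselves because *_REQ_ALLOCATE_MEMORY is set.
function MakeDesc(var Buf: TSecBuffer; const Token: TBytes): TSecBufferDesc;
begin
  Buf.BufferType := SECBUFFER_TOKEN;  Buf.cbBuffer := Length(Token);
  if Length(Token) > 0 then Buf.pvBuffer := @Token[0] else Buf.pvBuffer := nil;
  Result.ulVersion := SECBUFFER_VERSION;  Result.cBuffers := 1;  Result.pBuffers := @Buf;
end;

// Copy the SSPI-allocated output token (the bytes that go on the wire) and free it.
function TakeOutput(var Buf: TSecBuffer): TBytes;
begin
  SetLength(Result, Buf.cbBuffer);
  if Buf.cbBuffer > 0 then Move(Buf.pvBuffer^, Result[0], Buf.cbBuffer);
  if Buf.pvBuffer <> nil then FreeContextBuffer(Buf.pvBuffer);
end;

var
  ClientCred, ServerCred, ClientCtx, ServerCtx: TSecHandle;
  ClientCtxPtr, ServerCtxPtr: PSecHandle;  // nil until the first leg creates a context
  InPtr: PSecBufferDesc;                   // nil on the client's first call (no input yet)
  InBuf, OutBuf: TSecBuffer;  InDesc, OutDesc: TSecBufferDesc;
  ClientStatus, ServerStatus: SECURITY_STATUS;  Attr: ULONG;  Expiry: Int64;  Leg: Integer;
  ToServer, ToClient: TBytes;  Token: THandle;  UserName: array[0..255] of WideChar;  Len: DWORD;
begin
  // Each side binds a credential handle to its own logon session: no password is typed or sent.
  Check(AcquireCredentialsHandleW(nil, 'Negotiate', SECPKG_CRED_OUTBOUND, nil, nil, nil, nil,
    @ClientCred, @Expiry), 'AcquireCredentialsHandle(client)');
  Check(AcquireCredentialsHandleW(nil, 'Negotiate', SECPKG_CRED_INBOUND, nil, nil, nil, nil,
    @ServerCred, @Expiry), 'AcquireCredentialsHandle(server)');
  ClientCtxPtr := nil;  ServerCtxPtr := nil;  InPtr := nil;  ToClient := nil;
  ServerStatus := SEC_I_CONTINUE_NEEDED;
  for Leg := 1 to MAX_LEGS do
  begin
    // Client leg: consume the server's last token (none on leg 1) and emit the next one.
    InDesc := MakeDesc(InBuf, ToClient);  OutDesc := MakeDesc(OutBuf, nil);
    ClientStatus := InitializeSecurityContextW(@ClientCred, ClientCtxPtr, nil, ISC_REQ_ALLOCATE_MEMORY,
      0, SECURITY_NATIVE_DREP, InPtr, 0, @ClientCtx, @OutDesc, @Attr, @Expiry);
    Check(ClientStatus, 'InitializeSecurityContext');
    ClientCtxPtr := @ClientCtx;  InPtr := @InDesc;
    ToServer := TakeOutput(OutBuf);
    if Length(ToServer) = 0 then Break;  // client only consumed the server's final token
    // Server leg: verify the token; SEC_I_CONTINUE_NEEDED means "send my reply and wait".
    InDesc := MakeDesc(InBuf, ToServer);  OutDesc := MakeDesc(OutBuf, nil);
    ServerStatus := AcceptSecurityContext(@ServerCred, ServerCtxPtr, @InDesc, ASC_REQ_ALLOCATE_MEMORY,
      SECURITY_NATIVE_DREP, @ServerCtx, @OutDesc, @Attr, @Expiry);
    Check(ServerStatus, 'AcceptSecurityContext');
    ServerCtxPtr := @ServerCtx;
    ToClient := TakeOutput(OutBuf);
    if (ClientStatus = SEC_E_OK) and (ServerStatus = SEC_E_OK) then Break;
  end;
  if ServerStatus <> SEC_E_OK then raise Exception.Create('Handshake did not complete');
  // The server now holds the caller's identity; this token plays the role of the LogonUser handle.
  Check(QuerySecurityContextToken(@ServerCtx, Token), 'QuerySecurityContextToken');
  Len := Length(UserName);
  if ImpersonateLoggedOnUser(Token) and GetUserName(UserName, Len) then
    Writeln('Server authenticated the client as ', string(PWideChar(@UserName[0])));
  RevertToSelf;  CloseHandle(Token);
  DeleteSecurityContext(@ClientCtx);  DeleteSecurityContext(@ServerCtx);
  FreeCredentialsHandle(@ClientCred);  FreeCredentialsHandle(@ServerCred);
end.
```

In a split deployment the client keeps its context between calls and the server keeps one context per connection, which is the "more than one roundtrip" hook the answer warns about: with NTLM the loop runs two full legs (negotiate, challenge, authenticate), with Kerberos usually one. Passing the server's SPN as pszTargetName instead of nil is what lets Negotiate pick Kerberos inside a domain; with nil it falls back to NTLM, which still never exposes the password. The token from QuerySecurityContextToken is the thing to authorize against (group membership, ACL checks, ImpersonateLoggedOnUser for per-user file access), and it should be closed the moment the session is done.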