Windows authentication token C++

Question

Simply said: Can I generate in C++ some kind of text information - user token, session token, access token (?) - of currently logged in Windows user and then verify this text information (authenticate the user) somewhere else (different computer in domain)?

passing string token

I have two computers. On the first one user should be able to connect via client app to my server app running on the second computer. He has to use Windows Authentication so server will use his windows groups for some information - no username/password sending. My idea is (don't know if it is possible) that client computer/process knows the current user, so it will acquire the user's access token or something like that, pass that to server (as string parameter), server will verify that this token-string is valid and will get the name of that windows user and his groups for next operations, that's what I need.

Is this possible just with one information (this access token/session token or how to call that) sent from client to server? (http server, i just want to send that string token once with one login request which is currently used for other proprietary ways of authentications, no handshaking/negotiating or something like that if possible). I'm using C++.

I currently found two ways (probably ways how NOT to do it ;))

1) Functions like OpenProcessToken, GetTokenInformation - this gives me access to access token but it is just Handle and I can use it probably only in my process, not possible to send it somewhere else...

2) Functions like AcquireCredentialsHandle, InitializeSecurityContext, AcceptSecurityContext - today I have spent lot of time with this - I made some test app using these functions, just running in one process, I'm currently not absolutely sure how it should be made by "text" communication between two computers but that's not important - it seems that more rounds have to be made - client creates something (context, credentials, token,...), sends it to server, server does something, responds back to client, client takes the result, etc. Can I do it just by creating "session token" and sending it (for example with domain@username if necessary) without other informations going back and there again?

Any help appreciated, thanks!

EDIT: Based on the first comments below it seems I need to clarify this more: Imagine user running web browser and connecting to my server application somewhere else. He wants to send commands like "CONNECT" and "DO_STUFF". Server app will do_stuff only if this user can connect first. But this user can connect for example only if it is member of some windows group (windows authentication used, not some proprietary users and passwords). So the server has to check if this user is valid member of that group. But server can do it just based on the text information provided by user of course. Well, user can send his windows username and password to authenticate by server app (should be done by C++ function LogonUser or whatever else), but that's dangerous and I don't want user to input his username and password somewhere, I just want him to "click login button" and C++ will care about the rest, because it can check his current session data, he is already logged in. My idea is just to provide username and some kind of string user token (session token, access token, i don't know the exact terminology) which will be generated by user client side app (using Kerberos, NTLM, i don't know) and server will receive this string information, it will check this token to verify that "this is valid token of valid windows user and here are the groups to which he belongs"... something like that. Hope this explanation helps.

I assume you've considered Remote Desktop/RDP and it didn't work? — Widor, Feb 21 '12 at 15:31
What do you mean by using Remote Desktop? This is C++ written application which will authenticate user based on the information provided by client app on different computer, where this user is logged in. I need to get some information from client app to allow login to server app (for example if user is in some special windows group to make it simple). I don't want to send win username and win password, i would like to send win username and win token. — user1173626, Feb 21 '12 at 15:46
OK, it's C# but this sounds like what you might be attempting: http://stackoverflow.com/questions/288796/how-to-use-terminal-services-programmatically — Widor, Feb 21 '12 at 16:06
I still think we don't understand each other. I have added new detailed information to the end of my initial question. — user1173626, Feb 22 '12 at 10:26
Simply: Can I generate in C++ some kind of text information - user token - of currently logged in Windows user and then verify this text information (authenticate the user) somewhere else (different computer in domain)? — user1173626, Feb 22 '12 at 10:31
OK, in C++ I'm out of my depth - in ASP.NET (C#) you can enable Windows auth on the server & application and combine it with the Active Directory [Membership Provider](http://msdn.microsoft.com/en-us/library/sx3h274z.aspx) which enables you to run commands under the context of that user. Sorry I can't provide a C++ example. — Widor, Feb 22 '12 at 10:35
Thanks, I will check it. No problem with C#, I can adapt it to C++, if this is what I need. One more picture to show what I need, token should be some text string:[link](http://support.sas.com/documentation/cdl/en/bisecag/61133/HTML/default/images/iwaauth.gif) — user1173626, Feb 22 '12 at 10:47
OK - I should add that I've only been able to do this on a networked machine within the same Windows Domain. Good luck! — Widor, Feb 22 '12 at 11:14

score 4 · Accepted Answer · edited Aug 17 '19 at 19:11

Functions like AcquireCredentialsHandle, InitializeSecurityContext, AcceptSecurityContext and similar are solution here.

Check http://msdn.microsoft.com/en-us/library/ms973911.aspx#remsspi_topic3

If you want just to authenticate user, NTLM is ok, but you need to exchange multiple messages, it can't be done just in one step as I required originally (needed: negotiate, challenge, response), so you are sending in fact 3 text messages and processing them by functions mentioned above.

If you want to delegate (server can act as client - impersonate - and even delegate the rights to the other process) you need to use Kerberos (Active Directory needed). Everything has to be done in one domain. This can be probably achieved by sending less messages from client to server based on the image below, because authority is much more involved, but I haven't tested this scenario.

_{(source: microsoft.com)}

Windows authentication token C++

1 Answers1

Linked