LogonUserViaSSPI

Security Briefs

In my latest book, I had a code snippet that wasn't working properly with the RTM bits. I've fixed it in the online version, in case any of you were trying to use it. It was the code that used NegotiateStream to establish a logon for a user given her user name and password. You basically act out both sides of the negotiation yourself, but to do that you need a full duplex stream (my original code used a MemoryStream, which isn't duplex). You also need asynchrony: simply calling AuthenticateAsClient followed by AuthenticateAsServer won't work, because each side blocks waiting for the other's token, and the API assumes those two pieces of code run on different threads (usually in different processes on different machines, even!). To solve this, I use async sockets with a TcpListener on the loopback address.

Hope this helps!
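The loopback handshake described above, written out as an added example (this is not the book's code): the server side's RemoteIdentity is the logon token for the supplied user, and the two handshakes run concurrently because each one waits on the other's token. It assumes Windows and that an empty target SPN is acceptable, which makes the Negotiate package fall back to NTLM for an explicit credential.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

// Added example: validate a user name/password by playing both sides of a
// Negotiate (SSPI) handshake over a loopback TCP connection. Windows only.
static class LogonUserViaSspi
{
    public static async Task<WindowsIdentity> LogonAsync(string user, string domain, string password)
    {
        // A MemoryStream is not full duplex; a loopback TCP socket is.
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        try
        {
            int port = ((IPEndPoint)listener.LocalEndpoint).Port;

            // Accept on the server side while connecting from the client side.
            Task<TcpClient> acceptTask = listener.AcceptTcpClientAsync();
            using var clientSide = new TcpClient();
            await clientSide.ConnectAsync(IPAddress.Loopback, port);
            using TcpClient serverSide = await acceptTask;

            using var client = new NegotiateStream(clientSide.GetStream(), leaveInnerStreamOpen: false);
            using var server = new NegotiateStream(serverSide.GetStream(), leaveInnerStreamOpen: false);

            // Both handshakes must be in flight at once: each blocks waiting for
            // the other's token, so sequential calls would deadlock.
            // Assumption: empty targetName (no SPN) so Negotiate uses NTLM.
            var cred = new NetworkCredential(user, password, domain);
            Task clientAuth = client.AuthenticateAsClientAsync(cred, targetName: string.Empty);
            Task serverAuth = server.AuthenticateAsServerAsync();
            await Task.WhenAll(clientAuth, serverAuth);

            // The server side now holds a WindowsIdentity for the caller, i.e.
            // a logon token for the user whose credential was presented.
            return (WindowsIdentity)server.RemoteIdentity;
        }
        finally
        {
            listener.Stop();
        }
    }
}
```

A wrong password surfaces as an exception out of Task.WhenAll (typically AuthenticationException from the server side) rather than as a null identity, so callers should treat any exception as a failed logon.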


Posted Jan 13 2006, 06:36 AM by keith-brown

Comments

Prasanna Padmanabhan wrote re: LogonUserViaSSPI
on 01-13-2006 12:31 PM
I have a question regarding SSPI in general. Can SSPI be used to verify the client machine's identity? (not the user on the client machine, but the client machine itself).

Thanks,
Prasanna
Keith Brown wrote re: LogonUserViaSSPI
on 01-13-2006 1:08 PM
Prasanna,

Not at the same time as you're identifying the user. You see, SSPI will validate the origin of the request. If it originated from a program running under the user's credentials, you're authenticating the user. You might know the machine's IP address, but there's no proof she's really coming from that machine unless you're using IPSEC under the covers or some other VPN technique.

On the other hand, if the request originates from a program running as SYSTEM or Network Service on the client's machine (and only if you're running in a domain), then it's actually running using the machine's domain credentials, not the user's credentials. When you use SSPI to validate the caller's creds at this point, you'll see the user's machine account.
Prasanna Padmanabhan wrote re: LogonUserViaSSPI
on 01-13-2006 3:11 PM
Keith,

Thanks for the reply. So you are saying that having a process running as NETWORK SERVICE or SYSTEM on a machine (that is a member of an AD Domain) be an SSPI client is the indirect way of verifying the client machine identity. It makes sense to me thinking about it, because I suppose that's how Windows (server) machines can get things such as Group Policy information from AD without a user ever logging on to the machine.

Prasanna
Keith Brown wrote re: LogonUserViaSSPI
on 01-13-2006 4:45 PM
That's correct.
Matthew Reynolds wrote re: LogonUserViaSSPI
on 12-15-2008 5:19 PM

I am trying to do some testing around detecting the usage of LM and NTLMv1 auth on a network. The idea is to see what is relying on these before attempting to disable the same.

In order to validate my setup, it would be really nice to be able to generate arbitrary auth traffic using LM, NTLMv1 and NTLMv2. Does SSPI Workbench do this? If so, how can a person obtain a copy?

Alternatively, do you know of any classes in .Net that would allow the same? If so I could try to put something together using PowerShell.

Thanks.

keith-brown wrote re: LogonUserViaSSPI
on 12-16-2008 8:00 AM

Matthew: I've not personally attempted to generate traffic for particular versions of NTLM or LM by itself, but if you send me email via my contact page (there's a link on the top of the nav bar on the right) I'd be happy to send you the workbench.
