Szymon Kobalczyk's Blog

A Developer's Notebook

I hope someone here could help me understand what's wrong. I tried to use the NegotiateStream class available in .NET 2.0 to secure a remoting connection. It was configured as follows:

Hashtable channelSettings = new Hashtable();
channelSettings["protectionLevel"] = System.Net.Security.ProtectionLevel.EncryptAndSign;
channelSettings["secure"] = true;
TcpClientChannel channel = new TcpClientChannel(channelSettings, null);
ChannelServices.RegisterChannel(channel);


It all worked fine when the client and server were running on the same machine. It also worked when the server process was running on a Windows 2003 Server box (with AD, but the client machines were not registered in that domain). But when we tried to connect from one workstation to another (both Windows XP Prof.) we got the following exception:

The server has rejected the client credentials.

Server stack trace:
   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
   at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.CreateAuthenticatedStream(Stream netStream, String machinePortAndSid)
   at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.CreateSocketHandler(Socket socket, SocketCache socketCache, String machinePortAndSid)
   at System.Runtime.Remoting.Channels.SocketCache.CreateSocketHandler(Socket socket, String machineAndPort)
   at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket(EndPoint ipEndPoint)
   at System.Runtime.Remoting.Channels.RemoteConnection.CreateNewSocket()
   at System.Runtime.Remoting.Channels.SocketCache.GetSocket(String machinePortAndSid, Boolean openNew)
   at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.SendRequestWithRetry(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream)
   at System.Runtime.Remoting.Channels.Tcp.TcpClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
   at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage msg)


I couldn't find any other differences between these two setups other than those mentioned above, so now I wonder what the requirements are to use the Negotiate protocol. As far as I know, it uses NTLM or Kerberos to authenticate sessions. Therefore, can it run on independent systems or does it always require Active Directory?

Also, can anyone suggest any less demanding alternative to secure a remoting connection?

posted on Monday, October 10, 2005 11:46 AM

Feedback

# re: Problem using NegotiateStream to secure .NET Remoting 2/20/2006 5:13 PM Frank
If you have any solution to this problem, please tell me about it... The same error occurs in my project :(

email to: frank.friebe [at] gmx [dot] net

# re: Problem using NegotiateStream to secure .NET Remoting 2/28/2006 8:31 PM William Moore
I'm having an almost identical problem. I have a set of about 30 machines I want to write a distributed app for (some on a domain and some not). From what I've experienced, remoting only works if everything is on the same domain. I'm not even using authentication and it's giving me credentials exceptions. If the client and server are on the same domain, I don't have problems at all. I'd like to pick at someone's brain about this one.

William Moore

# re: Problem using NegotiateStream to secure .NET Remoting 2/28/2006 8:57 PM William Moore
And my inability as a C# programmer shows itself again.........
I was setting the ensure security flag on both client and server to true when calling ChannelServices.RegisterChannel thinking it was something else.

# re: Problem using NegotiateStream to secure .NET Remoting 3/3/2006 2:11 PM Dani
Please tell me what you did in order to fix this problem...

Thanks,
Dani

# re: Problem using NegotiateStream to secure .NET Remoting 3/7/2006 2:23 PM Shardool Karnik
This almost gave me a heart attack .... we have a release in 2 weeks and we decided to switch to 2.0 .... anyway

I had misunderstood ChannelServices.RegisterChannel(IChannel chan, bool ensureSecurity);

the ensureSecurity should be set to false ....

keywords:
protection level, impersonate, authentication exception

# re: Problem using NegotiateStream to secure .NET Remoting 3/7/2006 2:26 PM Shardool Karnik
Actually ... I need to thank William Moore for the previous comment ..... which was the solution for this problem ...

# re: Problem using NegotiateStream to secure .NET Remoting 4/27/2006 1:09 PM Suwarna
Hi,

I too am facing the same problem.
But I don't understand why setting the ensureSecurity variable to 'false' would 'SOLVE' this problem.
Doesn't setting this variable to 'FALSE' mean that my client - server communication is insecure ???
What do I do if I need a secure communication ?

Any suggestions / solutions ???


# re: Problem using NegotiateStream to secure .NET Remoting 5/7/2006 6:31 AM dominick
lol - setting ensureSecurity to false uses the normal TCP channel - not NegotiateStream -

you are running into SSO problems here..

read more here:

http://www.leastprivilege.com/SecureRemotingConfigurationSettings.aspx
http://www.leastprivilege.com/NegotiateStreamAndNTLM.aspx
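
The point raised in the comments above, that a channel registered without security is a plain TCP channel, can be checked at startup. The following is an added example, not code from the post or from any commenter: it registers one default channel with ensureSecurity set to false and one with the post's settings, then lists every registered channel that is not secured. The class name, the method name and the channel names "plainClient" and "securedClient" are hypothetical.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net.Security;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;

// Requires a reference to System.Runtime.Remoting.dll (.NET Framework 2.0+).
static class ChannelAudit   // hypothetical helper class
{
    // Returns the names of registered channels that do not report an
    // authenticated, NegotiateStream-backed transport.
    public static List<string> FindUnsecuredChannels()
    {
        List<string> unsecured = new List<string>();
        foreach (IChannel ch in ChannelServices.RegisteredChannels)
        {
            // Channels that cannot be secured at all are reported as well.
            ISecurableChannel securable = ch as ISecurableChannel;
            if (securable == null || !securable.IsSecured)
                unsecured.Add(ch.ChannelName);
        }
        return unsecured;
    }

    static void Main()
    {
        // Default channel, ensureSecurity = false: the registration that makes
        // the exception go away. Nothing turns security on for this channel.
        IDictionary plain = new Hashtable();
        plain["name"] = "plainClient";          // constructed name
        ChannelServices.RegisterChannel(new TcpClientChannel(plain, null), false);

        // The post's settings, registered with ensureSecurity = true.
        IDictionary secured = new Hashtable();
        secured["name"] = "securedClient";      // constructed name
        secured["secure"] = true;
        secured["protectionLevel"] = ProtectionLevel.EncryptAndSign;
        ChannelServices.RegisterChannel(new TcpClientChannel(secured, null), true);

        // A real application would refuse to start here instead of logging.
        foreach (string name in FindUnsecuredChannels())
            Console.WriteLine("Channel without transport security: " + name);
    }
}
```

The check only reports how the local channel is configured. The server side needs the same settings, and whether authentication then succeeds between two machines is the separate question the post asks.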

# re: Problem using NegotiateStream to secure .NET Remoting 12/12/2006 8:19 PM Bo
Yeah. Same thing with the .NET 3.0 WCF ... I'm getting the SAME exception.
