More on authentication and authorization: .NET Remoting Security

Francis Janssens of Dolmen came up to me after my talk (Identities and Principals) last Wednesday and asked a very good question:

How can you get the identity of the caller on a method of a .NET remoted object?

As is so often the case, it depends. When crossing a remoting boundary, you will not be authenticated if your hosting app is a “normal“ Win32 application, such as a console application (yuck) or a Windows service. Francis was using the latter. Unfortunately, because .NET remoting itself is not security-aware (the built-in TcpChannel and HttpChannel of .NET Framework 1.x perform no authentication at all), the call arrives with no identity attached. Hence, identifying the calling user is impossible unless you pass the username as an argument into every method call. Note that this only tells you who the caller claims to be: nothing stops a client from sending any name it likes, so it is identification, not authentication, and it must not be used as the basis for authorization decisions.

But there are other options. You can build your own remoting formatter and channel that does the authentication. Not trivial, to say the least. Here and here are two excellent articles on how to do that, and for your convenience each comes with a ready-made implementation. (Later versions of the framework, starting with .NET Framework 2.0, give the TcpChannel and IpcChannel a secure="true" setting that performs Windows authentication and encryption for you; on 1.x you are on your own.)

Or you can take the easy route: host your remote objects inside IIS over the HttpChannel, disable anonymous access on the virtual directory, and voilà: IIS does the authentication for you (Basic, Digest or Integrated Windows authentication, whichever you enable). Inside the remoted method the authenticated caller is then available as HttpContext.Current.User (and reflected on Thread.CurrentPrincipal), and because IIS rejects requests without valid credentials with a 401 before the remoting handler ever runs, the object never executes on behalf of an anonymous caller. If you pick Basic authentication, put the virtual directory behind SSL, since Basic sends the password in clear text.
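The IIS route, as an added worked example that is not part of the original post or any of the articles it links to: a remote object hosted in IIS that reads the identity IIS authenticated and uses it for a role check, plus the client side that sends its Windows credentials. The namespace, class names, the WhoAmI.rem object URI and the host name are assumptions chosen for this illustration; the web.config fragment in the leading comment is what makes IIS/ASP.NET hand the authenticated identity to the remoting handler.

```csharp
// Added example (not from the original post). Names, URIs and host are assumptions.
//
// web.config in the virtual directory (anonymous access disabled in IIS,
// Integrated Windows authentication enabled):
//
//   <configuration>
//     <system.runtime.remoting>
//       <application>
//         <service>
//           <wellknown mode="SingleCall"
//                      type="RemotingDemo.WhoAmIService, RemotingDemo"
//                      objectUri="WhoAmI.rem" />
//         </service>
//         <channels>
//           <channel ref="http" />
//         </channels>
//       </application>
//     </system.runtime.remoting>
//     <system.web>
//       <authentication mode="Windows" />
//       <authorization>
//         <deny users="?" />   <!-- refuse anonymous even if IIS is misconfigured -->
//       </authorization>
//     </system.web>
//   </configuration>

using System;
using System.Collections;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Security;
using System.Security.Principal;
using System.Threading;
using System.Web;

namespace RemotingDemo
{
    // Contract shared by client and server (in a real deployment this lives in
    // its own assembly so the client does not ship the implementation).
    public interface IWhoAmI
    {
        string WhoAmI();
        void DeleteEverything();
    }

    // Server side: compiled into bin\RemotingDemo.dll of the IIS application.
    public class WhoAmIService : MarshalByRefObject, IWhoAmI
    {
        // The identity IIS/ASP.NET attached to this request. It is not part of
        // the method signature, so the client cannot forge it.
        private static IPrincipal Caller
        {
            get
            {
                HttpContext ctx = HttpContext.Current;
                IPrincipal p = ctx != null ? ctx.User : Thread.CurrentPrincipal;
                if (p == null || p.Identity == null || !p.Identity.IsAuthenticated)
                {
                    // Should be unreachable with anonymous access disabled;
                    // fail closed if it ever happens.
                    throw new SecurityException("Caller is not authenticated.");
                }
                return p;
            }
        }

        public string WhoAmI()
        {
            IIdentity id = Caller.Identity;
            return id.Name + " via " + id.AuthenticationType;   // e.g. DOMAIN\francis via NTLM
        }

        // Authorization on top of authentication: a role check against the
        // Windows group membership IIS established for the caller.
        public void DeleteEverything()
        {
            if (!Caller.IsInRole(@"BUILTIN\Administrators"))
                throw new SecurityException("Administrators only.");
            // ... privileged work goes here ...
        }
    }

    // Client side: a console app or service calling the IIS-hosted object.
    public class Client
    {
        public static void Main()
        {
            ChannelServices.RegisterChannel(new HttpChannel());

            IWhoAmI svc = (IWhoAmI)Activator.GetObject(
                typeof(IWhoAmI), "http://intranet.example.test/RemotingDemo/WhoAmI.rem");

            // Without this the request carries no credentials: IIS answers
            // 401 Unauthorized and the call throws a WebException.
            IDictionary props = ChannelServices.GetChannelSinkProperties(svc);
            props["credentials"] = CredentialCache.DefaultCredentials;

            Console.WriteLine(svc.WhoAmI());
        }
    }
}
```

The client sends the credentials of the account it runs under; for a Windows service that is the service account, which is exactly the identity you want to see on the server side. Keeping the authorization check inside the remote object rather than trusting any name the client supplies is the whole point: IIS establishes who the caller is, and the object decides what that caller may do.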
