Francis Janssens of Dolmen came up to me after my talk (Identities and Principals) last Wednesday and asked a very good question:
How can you get the identity of the caller on a method of a .NET remoted object?
As is so often the case, it depends. .NET remoting itself is not security-aware, so when a call crosses a remoting boundary into a “normal” Win32 hosting app, such as a console application (yuck) or a Windows service, the caller is not authenticated. Francis was using the latter. Hence, identifying the calling user is impossible unless you pass the username as an argument into every method call, and the server then has to take that username on trust.
But there are other options. You can build your own remoting formatter and channel. Not trivial, to say the least. Here and here are two excellent articles on how to do that. For your convenience, an implementation is provided with the articles.
Or, you can take the easy route: host your remote objects inside IIS. Disable anonymous authentication and voilà: IIS does the authentication for you.
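
The IIS-hosted route as an added example (not code from the original post or the linked articles): the remote object reads the caller from `Thread.CurrentPrincipal` and rejects unauthenticated calls, and the client attaches its Windows credentials to the proxy. The `IdentityDemo` namespace, `CallerInfo` class, `WhoAmI.rem` URI and server URL are hypothetical; it assumes Integrated Windows authentication in IIS and .NET 2.0 or later.

```csharp
// Added example; IdentityDemo, CallerInfo, WhoAmI.rem and the URL are hypothetical.
// Server web.config (IIS application with anonymous access disabled):
//   <system.web><authentication mode="Windows" /></system.web>
//   <system.runtime.remoting><application><service>
//     <wellknown mode="SingleCall" objectUri="WhoAmI.rem"
//                type="IdentityDemo.CallerInfo, IdentityDemo" />
//   </service></application></system.runtime.remoting>
using System;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Security;
using System.Security.Principal;
using System.Threading;

namespace IdentityDemo
{
    // Server side: lives in the bin directory of the IIS application.
    public class CallerInfo : MarshalByRefObject
    {
        public string WhoAmI()
        {
            // Assumption: ASP.NET has attached the IIS-authenticated user
            // to the thread that services this remoting request.
            IIdentity caller = Thread.CurrentPrincipal.Identity;

            // Fail closed: if anonymous access was left enabled, refuse the call
            // instead of running it for an unknown user.
            if (caller == null || !caller.IsAuthenticated)
                throw new SecurityException("Caller is not authenticated.");

            return caller.Name + " (" + caller.AuthenticationType + ")";
        }
    }

    // Client side: references the same assembly for the CallerInfo type.
    public static class Client
    {
        public static void Main()
        {
            // false: the HTTP channel adds no security itself; IIS authenticates.
            ChannelServices.RegisterChannel(new HttpChannel(), false);
            CallerInfo proxy = (CallerInfo)Activator.GetObject(
                typeof(CallerInfo), "http://server.example/IdentityDemo/WhoAmI.rem");

            // Send the logged-on user's Windows credentials with each call.
            ChannelServices.GetChannelSinkProperties(proxy)["credentials"] =
                CredentialCache.DefaultCredentials;

            Console.WriteLine(proxy.WhoAmI());
        }
    }
}
```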