Authentication with the IPC Channel
This topic is specific to a legacy technology that is retained for backward compatibility with existing applications and is not recommended for new development. Distributed applications should now be developed using the Windows Communication Foundation (WCF).
The IPC channel directly supports authentication and impersonation. This topic describes how to configure the client and server channels.
The .NET Framework allows servers of remote objects to authenticate and impersonate callers by setting the properties of the associated IpcServerChannel and IpcClientChannel objects. Unlike the HTTP and TCP channels, the IPC channel performs authentication by default. When an IpcServerChannel is created, an access control list (ACL) is created for the channel. By default, the ACL contains only the credentials the server application is running under. To communicate with the channel, the client (and therefore the IpcClientChannel) must run under the same credentials. You can, however, specify a Windows user or user group in the IPC server channel configuration, which allows that user or group of users to access the channel.
Server Configuration
As previously stated, the IPC channel performs authentication by default. If you want the IPC channel to be accessible to users other than the user whose identity the server application is running under, you can specify a user or user group in the authorizedGroup property. The following configuration file allows all users in the Users group to access the IPC channel:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown mode="SingleCall" type="Server.MyRemoteObject, Server" objectUri="MyRemoteObject.rem" />
      </service>
      <channels>
        <channel ref="ipc" portName="MyIpcChannel" authorizedGroup="Users"/>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
The IPC channel also supports impersonation. This is controlled on the server by the impersonate property. The following configuration turns impersonation on:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown mode="SingleCall" type="Microsoft.Samples.Implementation.ImplementationClass, Server" objectUri="server.rem" />
      </service>
      <channels>
        <channel ref="ipc" portName="MyIpcChannel" secure="true" impersonate="true" authorizedGroup="Users"/>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
Note |
---|
Even though the IPC channel authenticates by default, you must set the secure property to true when setting the impersonate property to true. |
The identity of the authenticated client can be accessed through the Identity property of the current principal (Thread.CurrentPrincipal). The identity of the impersonated client can be accessed by calling WindowsIdentity.GetCurrent. You can then perform your own authorization if required.
The IPC channel always uses NTLM authentication. Kerberos is not supported because IPC is limited to calls within a single machine.
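The following C# sketch is an added example, not code from the original topic. It registers the server channel programmatically with the same settings as the impersonation configuration above, then performs its own authorization inside the remote object. The group name MyAppOperators, the method ReadRestrictedSetting, and the Program host class are assumptions made for illustration.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Ipc;
using System.Security;
using System.Security.Principal;
using System.Threading;

namespace Server
{
    public class MyRemoteObject : MarshalByRefObject
    {
        // Hypothetical local group used for the application's own check.
        private const string OperatorsGroup = "MyAppOperators";

        public string ReadRestrictedSetting()
        {
            // Identity the channel authenticated for this call.
            IIdentity caller = Thread.CurrentPrincipal.Identity;
            if (!caller.IsAuthenticated)
                throw new SecurityException("Caller was not authenticated.");

            // With impersonate="true" the call executes under the client's token.
            using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
            {
                // authorizedGroup only gates access to the pipe; this narrows it further.
                if (!new WindowsPrincipal(effective).IsInRole(OperatorsGroup))
                    throw new SecurityException(caller.Name + " is not authorized.");
                return "Read as " + effective.Name;
            }
        }
    }

    public static class Program
    {
        public static void Main()
        {
            IDictionary props = new Hashtable();
            props["portName"] = "MyIpcChannel";
            props["authorizedGroup"] = "Users";
            props["secure"] = "true";       // required when impersonate is true
            props["impersonate"] = "true";
            ChannelServices.RegisterChannel(new IpcServerChannel(props, null), true);
            RemotingConfiguration.RegisterWellKnownServiceType(
                typeof(MyRemoteObject), "MyRemoteObject.rem", WellKnownObjectMode.SingleCall);
            Console.ReadLine(); // keep the host process alive
        }
    }
}
```

Because authorizedGroup="Users" admits every local user to the channel, the check inside the method is what actually limits who can run the operation.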
Client Configuration
To configure a client IPC channel to use impersonation, set the tokenImpersonationLevel property to "impersonation" as shown in the following configuration file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="ipc" secure="true" tokenImpersonationLevel="impersonation" />
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
Note |
---|
Even though the IPC channel authenticates by default, you must set the secure property to true when setting the tokenImpersonationLevel property to "impersonation". In order for impersonation to occur, the impersonate property on the server channel must be set to true. Notice that on the server the property is called impersonate, but on the client you set tokenImpersonationLevel to impersonation. |
The tokenImpersonationLevel may be set to one of the following values:
tokenImpersonationLevel setting | Description |
---|---|
identification | The server can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. |
impersonation | The server can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. |
delegation | The server can impersonate the client on remote systems. |
Note |
---|
The IPC channel does not allow you to specify an alternate set of credentials programmatically or through configuration. Therefore the client always sends the credentials it is running under to the server. |
Note |
---|
The IPC channel only uses NTLM for authentication. |
See Also
Concepts
Authentication with the HTTP Channel
Authentication with the TCP Channel
Encryption and Message Integrity