Windows and UPN Format Credentials

There are many different formats for representing an identity. Some of the popular styles are distinguished names (CN=Name,OU=Users,DC=Domain), Windows names (Domain\Name), and user principal names (Name@Domain.com). The style you choose when setting the ClientCredentials is not necessarily the same style used to present the identity in ServiceSecurityContext. For example, you may provide credentials on the client using a user principal name and then check the identity on the service to find that it has a Windows name.

If you want to do something with the identity that requires a particular format, you'll need to convert it to that format yourself. Windows has a TranslateName function in secur32.dll that does this for you. Since you're probably using managed code, here's the P/Invoke declaration for TranslateName:

using System.Runtime.InteropServices;
using System.Text;

static class NativeMethods
{
    // Name formats understood by TranslateName (EXTENDED_NAME_FORMAT in secext.h).
    enum EXTENDED_NAME_FORMAT
    {
        NameUnknown = 0,
        NameFullyQualifiedDN = 1,   // CN=Name,OU=Users,DC=Domain
        NameSamCompatible = 2,      // Domain\Name
        NameDisplay = 3,
        NameUniqueId = 6,
        NameCanonical = 7,
        NameUserPrincipal = 8,      // Name@Domain.com
        NameCanonicalEx = 9,
        NameServicePrincipal = 10,
        NameDnsDomain = 12
    }

    // nSize is an in/out parameter (PULONG): on input it is the length of
    // lpTranslatedName in characters, on output the length needed including
    // the terminating null, so it must be declared ref rather than out.
    [return: MarshalAs(UnmanagedType.U1)]
    [DllImport("secur32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool TranslateName(string lpAccountName, EXTENDED_NAME_FORMAT AccountNameFormat, EXTENDED_NAME_FORMAT DesiredNameFormat, StringBuilder lpTranslatedName, ref uint nSize);
}

The return type is marshaled as U1 because the declaration uses the 1 byte BOOLEAN rather than the 4 byte BOOL.
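Here is an added, complete example of using that declaration to turn the Domain\Name string a service sees into a user principal name and a distinguished name. It is not code from the original post: the wrapper class, the Translate method, the retry-on-small-buffer policy and the demo in Main are my own, and ERROR_NONE_MAPPED (1332 in winerror.h) is the error I treat as "this name has no domain mapping". The demo uses the process identity so it compiles without a WCF reference; inside a service you would take the name from ServiceSecurityContext.Current.WindowsIdentity instead.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class IdentityFormats
{
    // Only the formats this example needs; the values match secext.h.
    public enum EXTENDED_NAME_FORMAT
    {
        NameFullyQualifiedDN = 1,   // CN=Name,OU=Users,DC=Domain
        NameSamCompatible = 2,      // Domain\Name
        NameUserPrincipal = 8       // Name@Domain.com
    }

    [return: MarshalAs(UnmanagedType.U1)]
    [DllImport("secur32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool TranslateName(string lpAccountName, EXTENDED_NAME_FORMAT AccountNameFormat,
        EXTENDED_NAME_FORMAT DesiredNameFormat, StringBuilder lpTranslatedName, ref uint nSize);

    // winerror.h: "No mapping between account names and security IDs was done."
    const int ERROR_NONE_MAPPED = 1332;

    // Translates an account name between formats. Returns null when Windows has no
    // mapping for the name (a local account, or no domain controller reachable) and
    // throws for any other failure. Buffer sizing policy is this example's own choice.
    public static string Translate(string name, EXTENDED_NAME_FORMAT from, EXTENDED_NAME_FORMAT to)
    {
        uint size = 256;                         // assumed starting buffer, in characters
        var buffer = new StringBuilder((int)size);
        if (!TranslateName(name, from, to, buffer, ref size))
        {
            int error = Marshal.GetLastWin32Error();
            if (error == ERROR_NONE_MAPPED) return null;
            if (size <= (uint)buffer.Capacity) throw new Win32Exception(error);

            // The buffer was too small; nSize now holds the required length, so retry once.
            buffer = new StringBuilder((int)size);
            if (!TranslateName(name, from, to, buffer, ref size))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        return buffer.ToString();
    }

    static void Main()
    {
        // In a WCF operation: ServiceSecurityContext.Current.WindowsIdentity
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        string samName = caller.Name;            // Domain\Name, the format the service usually sees

        string upn = Translate(samName, EXTENDED_NAME_FORMAT.NameSamCompatible, EXTENDED_NAME_FORMAT.NameUserPrincipal);
        string dn = Translate(samName, EXTENDED_NAME_FORMAT.NameSamCompatible, EXTENDED_NAME_FORMAT.NameFullyQualifiedDN);

        Console.WriteLine("SAM: {0}", samName);
        Console.WriteLine("UPN: {0}", upn ?? "(no mapping; not a domain account?)");
        Console.WriteLine("DN:  {0}", dn ?? "(no mapping; not a domain account?)");

        // The SID is the format-independent identifier; base authorization decisions on
        // caller.User rather than on a string comparison of any of the names above.
        Console.WriteLine("SID: {0}", caller.User);
    }
}
```

TranslateName resolves names through the domain, so it needs a domain-joined machine with a reachable domain controller; for local accounts it fails with no mapping, which the wrapper reports as null rather than as an exception. If the only reason you need a particular format is to compare identities, compare the SID instead, which is the same whichever name style the caller presented.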

Next time: Session Security