How to interoperate between SSPI and the .NET NegotiateStream Class

Win32 desktop applications use SSPI (the Security Support Provider Interface) to authenticate Windows users. In .NET, the equivalent Windows authentication is done with the NegotiateStream class.

https://msdn.microsoft.com/en-us/library/system.net.security.negotiatestream(v=vs.110).aspx

We have had several questions in the past on how a Win32 desktop client/server application that uses SSPI directly can authenticate against a .NET client/server that uses the NegotiateStream class.

The key to getting these two to interoperate is that NegotiateStream does not put raw SSPI tokens on the wire: it wraps them in its own protocol, and it expects the peer to do the same. So the Win32 side has to frame each SSPI blob in that protocol before sending it, and unwrap the frames it receives before handing the blob to SSPI.

Luckily, the NegotiateStream protocol is documented. (It is referred to as [MS-NNS]: .NET NegotiateStream Protocol.)

https://msdn.microsoft.com/en-us/library/cc236723.aspx

The key things to review are the two message syntaxes:

  • Handshake Message: carries each SSPI token exchanged during authentication (the InitializeSecurityContext / AcceptSecurityContext round trips), plus a status that says whether the handshake is still in progress, done, or failed.
  • Data Message: carries each signed or encrypted application payload (the EncryptMessage / MakeSignature output) once authentication has completed.

The Handshake Message is defined here. Its header is five bytes: a one-byte MessageId, one-byte major and minor protocol version numbers (1 and 0), and a two-byte AuthPayloadSize, followed by the SSPI token itself:

https://msdn.microsoft.com/en-us/library/cc236739.aspx
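The following is an added example written for this post, not code from the NegotiateStream implementation or from the Windows SDK. It shows the framing layer a Win32 client has to put around its SSPI tokens: building and parsing Handshake Messages (MessageId, version 1.0, big-endian 16-bit AuthPayloadSize) and Data Messages (little-endian 32-bit PayloadSize), and a client-side handshake loop that picks HandshakeInProgress or HandshakeDone the way the .NET implementation does. The SSPI tokens (NEGOTIATE, CHALLENGE, AUTHENTICATE) and the scripted server replies are constructed placeholders standing in for what InitializeSecurityContext and a real NegotiateStream server would produce; the 64 KiB data frame cap mirrors the limit NegotiateStream enforces on read. The parsers validate the header before trusting any length field, which is the check you want in front of code that allocates buffers based on peer-supplied sizes.

```python
"""[MS-NNS] framing around SSPI tokens (added example, not Microsoft code)."""
import io
import struct

# Handshake Message header ([MS-NNS] 2.2.1): MessageId, MajorVersion,
# MinorVersion, then a 16-bit big-endian AuthPayloadSize.
HANDSHAKE_HEADER = struct.Struct(">BBBH")
HANDSHAKE_DONE, HANDSHAKE_ERROR, HANDSHAKE_IN_PROGRESS = 0x14, 0x15, 0x16
MAJOR_VERSION, MINOR_VERSION = 1, 0

# Data Message header ([MS-NNS] 2.2.2): 32-bit little-endian PayloadSize
# followed by the EncryptMessage / MakeSignature output.
DATA_HEADER = struct.Struct("<I")
MAX_DATA_PAYLOAD = 64 * 1024  # NegotiateStream refuses larger read frames


class FramingError(ValueError):
    """Malformed or hostile frame: drop the connection rather than recover."""


def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise FramingError("stream ended mid-frame")
    return data


def build_handshake(message_id, auth_payload=b""):
    """Wrap one SSPI token (possibly empty) in a Handshake Message."""
    if len(auth_payload) > 0xFFFF:
        raise FramingError("token exceeds the 2-byte AuthPayloadSize field")
    header = HANDSHAKE_HEADER.pack(message_id, MAJOR_VERSION, MINOR_VERSION, len(auth_payload))
    return header + auth_payload


def read_handshake(stream):
    """Read one Handshake Message, validating the header before trusting the size."""
    message_id, major, minor, size = HANDSHAKE_HEADER.unpack(_read_exact(stream, HANDSHAKE_HEADER.size))
    if (major, minor) != (MAJOR_VERSION, MINOR_VERSION):
        raise FramingError(f"unsupported NNS version {major}.{minor}")
    if message_id not in (HANDSHAKE_DONE, HANDSHAKE_ERROR, HANDSHAKE_IN_PROGRESS):
        raise FramingError(f"unknown MessageId 0x{message_id:02x}")
    return message_id, _read_exact(stream, size)


def parse_handshake(frame):
    """Parse a complete Handshake Message held in memory."""
    return read_handshake(io.BytesIO(frame))


def build_data(protected_payload):
    """Wrap already signed/encrypted bytes in a Data Message."""
    if len(protected_payload) > MAX_DATA_PAYLOAD:
        raise FramingError("split the payload; NegotiateStream caps frames at 64 KiB")
    return DATA_HEADER.pack(len(protected_payload)) + protected_payload


def read_data(stream):
    (size,) = DATA_HEADER.unpack(_read_exact(stream, DATA_HEADER.size))
    if size > MAX_DATA_PAYLOAD:  # never allocate an attacker-chosen buffer size
        raise FramingError("data frame too large")
    return _read_exact(stream, size)


def parse_data(frame):
    """Parse a complete Data Message held in memory."""
    return read_data(io.BytesIO(frame))


def client_handshake(send, recv_stream, next_token):
    """Client side of the handshake, modelled on .NET's behaviour.

    next_token(server_token) -> (client_token, local_done) plays the role of
    InitializeSecurityContext: local_done is True once it returns SEC_E_OK.
    A token produced while local_done is sent as HandshakeDone, otherwise as
    HandshakeInProgress; the exchange ends when both sides have signalled Done.
    Returns the last token the server sent (fed to ISC for mutual authentication).
    """
    server_token, local_done, remote_done = b"", False, False
    while not (local_done and remote_done):
        if not local_done:
            client_token, local_done = next_token(server_token)
            if client_token:
                kind = HANDSHAKE_DONE if local_done else HANDSHAKE_IN_PROGRESS
                send(build_handshake(kind, client_token))
        if not remote_done:
            message_id, server_token = read_handshake(recv_stream)
            if message_id == HANDSHAKE_ERROR:
                raise FramingError("server aborted the handshake")
            remote_done = message_id == HANDSHAKE_DONE
    return server_token


def demo_exchange():
    """Constructed three-leg (NTLM-shaped) exchange against a scripted server.
    Returns the frames the client put on the wire."""
    def fake_isc(server_token):  # stand-in for InitializeSecurityContext
        if server_token == b"":
            return b"NEGOTIATE", False      # SEC_I_CONTINUE_NEEDED
        if server_token == b"CHALLENGE":
            return b"AUTHENTICATE", True    # SEC_E_OK
        raise FramingError("unexpected server token")

    scripted_server = io.BytesIO(build_handshake(HANDSHAKE_IN_PROGRESS, b"CHALLENGE")
                                 + build_handshake(HANDSHAKE_DONE))
    sent = []
    client_handshake(sent.append, scripted_server, fake_isc)
    return sent


if __name__ == "__main__":
    for frame in demo_exchange():
        print(frame.hex())
```

In a real Win32 client the `next_token` callback is your InitializeSecurityContext wrapper and `send` / `recv_stream` are the socket; everything else stays the same. Note that the framing only applies once both sides agree on protection: if the .NET side was opened with ProtectionLevel.None it writes application bytes without Data Message headers, so match the SSPI context requirements (ISC_REQ_CONFIDENTIALITY / ISC_REQ_INTEGRITY) to the ProtectionLevel the NegotiateStream peer expects.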

This information should allow you to modify a desktop application that uses SSPI so that it interoperates with a .NET application that uses the NegotiateStream class. Keep in mind that the framing is only half of the job: the context attributes you request from SSPI (ISC_REQ_CONFIDENTIALITY, ISC_REQ_INTEGRITY) must match the ProtectionLevel the .NET side was opened with, since NegotiateStream rejects a negotiated context that does not reach the protection level it requires.

Follow us on Twitter, www.twitter.com/WindowsSDK