NegotiateStream Class
.NET Framework 4
Provides a stream that uses the Negotiate security protocol to authenticate the client, and optionally the server, in client-server communication.
System.Object
System.MarshalByRefObject
System.IO.Stream
System.Net.Security.AuthenticatedStream
System.Net.Security.NegotiateStream
System.MarshalByRefObject
System.IO.Stream
System.Net.Security.AuthenticatedStream
System.Net.Security.NegotiateStream
Assembly: System (in System.dll)
The NegotiateStream type exposes the following members.
| Name | Description | |
|---|---|---|
|
NegotiateStream(Stream) | Initializes a new instance of the NegotiateStream class using the specified Stream. |
|
|
NegotiateStream(Stream, Boolean) | Initializes a new instance of the NegotiateStream class using the specified Stream and stream closure behavior. |
| Name | Description | |
|---|---|---|
|
CanRead | Gets a Boolean value that indicates whether the underlying stream is readable. (Overrides Stream.CanRead.) |
|
|
CanSeek | Gets a Boolean value that indicates whether the underlying stream is seekable. (Overrides Stream.CanSeek.) |
|
|
CanTimeout | Gets a Boolean value that indicates whether the underlying stream supports time-outs. (Overrides Stream.CanTimeout.) |
|
|
CanWrite | Gets a Boolean value that indicates whether the underlying stream is writable. (Overrides Stream.CanWrite.) |
|
|
ImpersonationLevel | Gets a value that indicates how the server can use the client's credentials. |
|
InnerStream | Gets the stream used by this AuthenticatedStream for sending and receiving data. (Inherited from AuthenticatedStream.) |
|
|
IsAuthenticated | Gets a Boolean value that indicates whether authentication was successful. (Overrides AuthenticatedStream.IsAuthenticated.) |
|
|
IsEncrypted | Gets a Boolean value that indicates whether this NegotiateStream uses data encryption. (Overrides AuthenticatedStream.IsEncrypted.) |
|
|
IsMutuallyAuthenticated | Gets a Boolean value that indicates whether both the server and the client have been authenticated. (Overrides AuthenticatedStream.IsMutuallyAuthenticated.) |
|
|
IsServer | Gets a Boolean value that indicates whether the local side of the connection used by this NegotiateStream was authenticated as the server. (Overrides AuthenticatedStream.IsServer.) |
|
|
IsSigned | Gets a Boolean value that indicates whether the data sent using this stream is signed. (Overrides AuthenticatedStream.IsSigned.) |
|
|
LeaveInnerStreamOpen | Gets whether the stream used by this AuthenticatedStream for sending and receiving data has been left open. (Inherited from AuthenticatedStream.) |
|
|
Length | Gets the length of the underlying stream. (Overrides Stream.Length.) |
|
|
Position | Gets or sets the current position in the underlying stream. (Overrides Stream.Position.) |
|
|
ReadTimeout | Gets or sets the amount of time a read operation blocks waiting for data. (Overrides Stream.ReadTimeout.) |
|
|
RemoteIdentity | Gets information about the identity of the remote party sharing this authenticated stream. |
|
|
WriteTimeout | Gets or sets the amount of time a write operation blocks waiting for data. (Overrides Stream.WriteTimeout.) |
| Name | Description | |
|---|---|---|
|
|
AuthenticateAsClient() | Called by clients to authenticate the client, and optionally the server, in a client-server connection. |
|
|
AuthenticateAsClient(NetworkCredential, String) | Called by clients to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified client credential. |
|
|
AuthenticateAsClient(NetworkCredential, ChannelBinding, String) | Called by clients to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified client credential and the channel binding. |
|
|
AuthenticateAsClient(NetworkCredential, String, ProtectionLevel, TokenImpersonationLevel) | Called by clients to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified credentials and authentication options. |
|
|
AuthenticateAsClient(NetworkCredential, ChannelBinding, String, ProtectionLevel, TokenImpersonationLevel) | Called by clients to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified credential, authentication options, and channel binding. |
|
|
AuthenticateAsServer() | Called by servers to authenticate the client, and optionally the server, in a client-server connection. |
|
|
AuthenticateAsServer(ExtendedProtectionPolicy) | Called by servers to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified extended protection policy. |
|
|
AuthenticateAsServer(NetworkCredential, ProtectionLevel, TokenImpersonationLevel) | Called by servers to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified server credentials and authentication options. |
|
|
AuthenticateAsServer(NetworkCredential, ExtendedProtectionPolicy, ProtectionLevel, TokenImpersonationLevel) | Called by servers to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified server credentials, authentication options, and extended protection policy. |
|
|
BeginAuthenticateAsClient(AsyncCallback, Object) | Called by clients to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. This method does not block. |
|
|
BeginAuthenticateAsClient(NetworkCredential, String, AsyncCallback, Object) | Called by clients to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified credentials. This method does not block. |
|
|
BeginAuthenticateAsClient(NetworkCredential, ChannelBinding, String, AsyncCallback, Object) | Called by clients to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified credentials and channel binding. This method does not block. |
|
|
BeginAuthenticateAsClient(NetworkCredential, String, ProtectionLevel, TokenImpersonationLevel, AsyncCallback, Object) | Called by clients to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified credentials and authentication options. This method does not block. |
|
|
BeginAuthenticateAsClient(NetworkCredential, ChannelBinding, String, ProtectionLevel, TokenImpersonationLevel, AsyncCallback, Object) | Called by clients to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified credentials, authentication options, and channel binding. This method does not block. |
|
|
BeginAuthenticateAsServer(AsyncCallback, Object) | Called by servers to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. This method does not block. |
|
|
BeginAuthenticateAsServer(ExtendedProtectionPolicy, AsyncCallback, Object) | Called by servers to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified extended protection policy. This method does not block. |
|
|
BeginAuthenticateAsServer(NetworkCredential, ProtectionLevel, TokenImpersonationLevel, AsyncCallback, Object) | Called by servers to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified server credentials and authentication options. This method does not block. |
|
|
BeginAuthenticateAsServer(NetworkCredential, ExtendedProtectionPolicy, ProtectionLevel, TokenImpersonationLevel, AsyncCallback, Object) | Called by servers to begin an asynchronous operation to authenticate the client, and optionally the server, in a client-server connection. The authentication process uses the specified server credentials, authentication options, and extended protection policy. This method does not block. |
|
|
BeginRead | Begins an asynchronous read operation that reads data from the stream and stores it in the specified array. (Overrides Stream.BeginRead(Byte[], Int32, Int32, AsyncCallback, Object).) |
|
|
BeginWrite | Begins an asynchronous write operation that writes Bytes from the specified buffer to the stream. (Overrides Stream.BeginWrite(Byte[], Int32, Int32, AsyncCallback, Object).) |
|
|
Close | Closes the current stream and releases any resources (such as sockets and file handles) associated with the current stream. (Inherited from Stream.) |
|
|
CopyTo(Stream) | Reads the bytes from the current stream and writes them to the destination stream. (Inherited from Stream.) |
|
|
CopyTo(Stream, Int32) | Reads all the bytes from the current stream and writes them to a destination stream, using a specified buffer size. (Inherited from Stream.) |
|
|
CreateObjRef | Creates an object that contains all the relevant information required to generate a proxy used to communicate with a remote object. (Inherited from MarshalByRefObject.) |
|
CreateWaitHandle | Obsolete. Allocates a WaitHandle object. (Inherited from Stream.) |
|
|
Dispose() | Releases all resources used by the Stream. (Inherited from Stream.) |
|
|
Dispose(Boolean) | Releases the unmanaged resources used by the NegotiateStream and optionally releases the managed resources. (Overrides AuthenticatedStream.Dispose(Boolean).) |
|
|
EndAuthenticateAsClient | Ends a pending asynchronous client authentication operation that was started with a call to BeginAuthenticateAsClient. |
|
|
EndAuthenticateAsServer | Ends a pending asynchronous client authentication operation that was started with a call to BeginAuthenticateAsServer. |
|
|
EndRead | Ends an asynchronous read operation that was started with a call to BeginRead. (Overrides Stream.EndRead(IAsyncResult).) |
|
|
EndWrite | Ends an asynchronous write operation that was started with a call to BeginWrite. (Overrides Stream.EndWrite(IAsyncResult).) |
|
|
Equals(Object) | Determines whether the specified Object is equal to the current Object. (Inherited from Object.) |
|
|
Finalize | Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.) |
|
|
Flush | Causes any buffered data to be written to the underlying device. (Overrides Stream.Flush().) |
|
|
GetHashCode | Serves as a hash function for a particular type. (Inherited from Object.) |
|
|
GetLifetimeService | Retrieves the current lifetime service object that controls the lifetime policy for this instance. (Inherited from MarshalByRefObject.) |
|
|
GetType | Gets the Type of the current instance. (Inherited from Object.) |
|
|
InitializeLifetimeService | Obtains a lifetime service object to control the lifetime policy for this instance. (Inherited from MarshalByRefObject.) |
|
|
MemberwiseClone() | Creates a shallow copy of the current Object. (Inherited from Object.) |
|
|
MemberwiseClone(Boolean) | Creates a shallow copy of the current MarshalByRefObject object. (Inherited from MarshalByRefObject.) |
|
|
ObjectInvariant | Infrastructure. Provides support for a Contract. (Inherited from Stream.) |
|
|
Read | Reads data from this stream and stores it in the specified array. (Overrides Stream.Read(Byte[], Int32, Int32).) |
|
|
ReadByte | Reads a byte from the stream and advances the position within the stream by one byte, or returns -1 if at the end of the stream. (Inherited from Stream.) |
|
|
Seek | Throws NotSupportedException. (Overrides Stream.Seek(Int64, SeekOrigin).) |
|
|
SetLength | Sets the length of the underlying stream. (Overrides Stream.SetLength(Int64).) |
|
|
ToString | Returns a string that represents the current object. (Inherited from Object.) |
|
|
Write | Write the specified number of Bytes to the underlying stream using the specified buffer and offset. (Overrides Stream.Write(Byte[], Int32, Int32).) |
|
|
WriteByte | Writes a byte to the current position in the stream and advances the position within the stream by one byte. (Inherited from Stream.) |
Use the NegotiateStream class for authentication and to help secure information transmitted between a client and a server. Using NegotiateStream, you can do the following.
-
Send the client's credentials to the server for Impersonation or Delegation.
-
Request server authentication.
-
Encrypt and/or sign data before transmitting it.
Authentication must be performed before transmitting information. Clients request authentication using the synchronous AuthenticateAsClient methods, which block until the authentication completes, or the asynchronous BeginAuthenticateAsClient methods, which do not block while waiting for the authentication to complete. Servers request authentication using the synchronous AuthenticateAsServer or asynchronous BeginAuthenticateAsServer methods. The client, and optionally the server, is authenticated using the Negotiate security protocol. On Windows 95/98 systems, Windows NT LAN Manager (NTLM) is the protocol used for authentication. On other platforms the Kerberos protocol is used for authentication if both client and server support it; otherwise NTLM is used. For detailed descriptions of these protocols, see the Platform SDK documentation on MSDN, at msdn.microsoft.com/library/. The NegotiateStream class performs the authentication using the Security Support Provider Interface (SSPI).
When authentication succeeds, you must check the IsEncrypted and IsSigned properties to determine what security services will be used by the NegotiateStream to help secure your data during transmission. Check the IsMutuallyAuthenticated property to determine whether mutual authentication occurred. You can get information about the remote client or server using the RemoteIdentity property.
If the authentication fails, you will receive an AuthenticationException or a InvalidCredentialException. In this case, you can retry the authentication with a different credential.
You send data using the synchronous Write or asynchronous BeginWrite methods. You receive data using the synchronous Read or asynchronous BeginRead methods. If security services such as encryption or signing are enabled, these are automatically applied to your data by the NegotiateStream.
The NegotiateStream transmits data using a stream that you supply when creating the NegotiateStream. When you supply this underlying stream, you have the option to specify whether closing the NegotiateStream also closes the underlying stream.
The following code example demonstrates the client side of a client-server connection that uses the NegotiateStream. The client authenticates and sends a message to the server asynchronously.
using System; using System.Net; using System.Net.Security; using System.Net.Sockets; using System.Text; namespace Examples.NegotiateStreamExample { public class ASynchronousAuthenticatingTcpClient { static TcpClient client = null; public static void Main(String[] args) { // Establish the remote endpoint for the socket. // For this example, use the local machine. IPHostEntry ipHostInfo = Dns.GetHostEntry("localhost"); IPAddress ipAddress = ipHostInfo.AddressList[0]; // Client and server use port 11000. IPEndPoint remoteEP = new IPEndPoint(ipAddress, 11000); // Create a TCP/IP socket. client = new TcpClient(); // Connect the socket to the remote endpoint. client.Connect(remoteEP); Console.WriteLine("Client connected to {0}.", remoteEP.ToString()); // Ensure the client does not close when there is // still data to be sent to the server. client.LingerState = (new LingerOption(true, 0)); // Request authentication. NetworkStream clientStream = client.GetStream(); NegotiateStream authStream = new NegotiateStream(clientStream, false); // Pass the NegotiateStream as the AsyncState object // so that it is available to the callback delegate. IAsyncResult ar = authStream.BeginAuthenticateAsClient( new AsyncCallback(EndAuthenticateCallback), authStream ); Console.WriteLine("Client waiting for authentication..."); // Wait until the result is available. ar.AsyncWaitHandle.WaitOne(); // Display the properties of the authenticated stream. AuthenticatedStreamReporter.DisplayProperties(authStream); // Send a message to the server. // Encode the test data into a byte array. byte[] message = Encoding.UTF8.GetBytes("Hello from the client."); ar = authStream.BeginWrite(message, 0, message.Length, new AsyncCallback(EndWriteCallback), authStream); ar.AsyncWaitHandle.WaitOne(); Console.WriteLine("Sent {0} bytes.", message.Length); // Close the client connection. authStream.Close(); Console.WriteLine("Client closed."); } // The following method is called when the authentication completes. public static void EndAuthenticateCallback (IAsyncResult ar) { Console.WriteLine("Client ending authentication..."); NegotiateStream authStream = (NegotiateStream) ar.AsyncState; Console.WriteLine("ImpersonationLevel: {0}", authStream.ImpersonationLevel); // End the asynchronous operation. authStream.EndAuthenticateAsClient(ar); } // The following method is called when the write operation completes. public static void EndWriteCallback (IAsyncResult ar) { Console.WriteLine("Client ending write operation..."); NegotiateStream authStream = (NegotiateStream) ar.AsyncState; // End the asynchronous operation. authStream.EndWrite(ar); } } // The following class displays the properties of an authenticatedStream. public class AuthenticatedStreamReporter { public static void DisplayProperties(AuthenticatedStream stream) { Console.WriteLine("IsAuthenticated: {0}", stream.IsAuthenticated); Console.WriteLine("IsMutuallyAuthenticated: {0}", stream.IsMutuallyAuthenticated); Console.WriteLine("IsEncrypted: {0}", stream.IsEncrypted); Console.WriteLine("IsSigned: {0}", stream.IsSigned); Console.WriteLine("IsServer: {0}", stream.IsServer); } } }
The following code example demonstrates the server side of a client-server connection that uses the NegotiateStream to authenticate the client and read a message sent by the client.
using System; using System.Net; using System.Net.Security; using System.Net.Sockets; using System.Security.Authentication; using System.Security.Principal; using System.Text; using System.IO; using System.Threading; namespace Examples.NegotiateStreamExample { public class AsynchronousAuthenticatingTcpListener { public static void Main() { // Create an IPv4 TCP/IP socket. TcpListener listener = new TcpListener(IPAddress.Any, 11000); // Listen for incoming connections. listener.Start(); while (true) { TcpClient clientRequest = null; // Application blocks while waiting for an incoming connection. // Type CNTL-C to terminate the server. clientRequest = listener.AcceptTcpClient(); Console.WriteLine("Client connected."); // A client has connected. try { AuthenticateClient (clientRequest); } catch (Exception e) { Console.WriteLine(e); continue; } } } public static void AuthenticateClient(TcpClient clientRequest) { NetworkStream stream = clientRequest.GetStream(); // Create the NegotiateStream. NegotiateStream authStream = new NegotiateStream(stream, false); // Save the current client and NegotiateStream instance // in a ClientState object. ClientState cState = new ClientState(authStream, clientRequest); // Listen for the client authentication request. authStream.BeginAuthenticateAsServer ( new AsyncCallback(EndAuthenticateCallback), cState ); // Wait until the authentication completes. cState.Waiter.WaitOne(); cState.Waiter.Reset(); authStream.BeginRead(cState.Buffer, 0, cState.Buffer.Length, new AsyncCallback(EndReadCallback), cState); cState.Waiter.WaitOne(); // Finished with the current client. authStream.Close(); clientRequest.Close(); } // The following method is invoked by the // BeginAuthenticateAsServer callback delegate. public static void EndAuthenticateCallback (IAsyncResult ar) { // Get the saved data. ClientState cState = (ClientState) ar.AsyncState; TcpClient clientRequest = cState.Client; NegotiateStream authStream = (NegotiateStream) cState.AuthenticatedStream; Console.WriteLine("Ending authentication."); // Any exceptions that occurred during authentication are // thrown by the EndAuthenticateAsServer method. try { // This call blocks until the authentication is complete. authStream.EndAuthenticateAsServer(ar); } catch (AuthenticationException e) { Console.WriteLine(e); Console.WriteLine("Authentication failed - closing connection."); cState.Waiter.Set(); return; } catch (Exception e) { Console.WriteLine(e); Console.WriteLine("Closing connection."); cState.Waiter.Set(); return; } // Display properties of the authenticated client. IIdentity id = authStream.RemoteIdentity; Console.WriteLine("{0} was authenticated using {1}.", id.Name, id.AuthenticationType ); cState.Waiter.Set(); } public static void EndReadCallback(IAsyncResult ar) { // Get the saved data. ClientState cState = (ClientState) ar.AsyncState; TcpClient clientRequest = cState.Client; NegotiateStream authStream = (NegotiateStream) cState.AuthenticatedStream; // Get the buffer that stores the message sent by the client. int bytes = -1; // Read the client message. try { bytes = authStream.EndRead(ar); cState.Message.Append(Encoding.UTF8.GetChars(cState.Buffer, 0, bytes)); if (bytes != 0) { authStream.BeginRead(cState.Buffer, 0, cState.Buffer.Length, new AsyncCallback(EndReadCallback), cState); return; } } catch (Exception e) { // A real application should do something // useful here, such as logging the failure. Console.WriteLine("Client message exception:"); Console.WriteLine(e); cState.Waiter.Set(); return; } IIdentity id = authStream.RemoteIdentity; Console.WriteLine("{0} says {1}", id.Name, cState.Message.ToString()); cState.Waiter.Set(); } } // ClientState is the AsyncState object. internal class ClientState { private AuthenticatedStream authStream = null; private TcpClient client = null; byte[] buffer = new byte[2048]; StringBuilder message = null; ManualResetEvent waiter = new ManualResetEvent(false); internal ClientState(AuthenticatedStream a, TcpClient theClient) { authStream = a; client = theClient; } internal TcpClient Client { get { return client;} } internal AuthenticatedStream AuthenticatedStream { get { return authStream;} } internal byte[] Buffer { get { return buffer;} } internal StringBuilder Message { get { if (message == null) message = new StringBuilder(); return message; } } internal ManualResetEvent Waiter { get { return waiter; } } } }
Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2
The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
