NegotiateStream Class (System.Net.Security)

Switch on low bandwidth view

Collapse All

Language Filter

This page is specific to

Microsoft Visual Studio 2008/.NET Framework 3.5

Other versions are also available for the following:

.NET Framework Class Library

NegotiateStream Class

Provides a stream that uses the Negotiate security protocol to authenticate the client, and optionally the server, in client-server communication.

Namespace: System.Net.Security
Assembly: System (in System.dll)

Syntax

Visual Basic (Declaration)

Public Class NegotiateStream _
    Inherits AuthenticatedStream

Visual Basic (Usage)

Dim instance As NegotiateStream

public class NegotiateStream : AuthenticatedStream

Visual C++

public ref class NegotiateStream : public AuthenticatedStream

JScript

public class NegotiateStream extends AuthenticatedStream

Remarks

Use the NegotiateStream class for authentication and to help secure information transmitted between a client and a server. Using NegotiateStream, you can do the following.

Send the client's credentials to the server for Impersonation or Delegation.
Request server authentication.
Encrypt and/or sign data before transmitting it.

Authentication must be performed before transmitting information. Clients request authentication using the synchronous AuthenticateAsClient methods, which block until the authentication completes, or the asynchronous BeginAuthenticateAsClient methods, which do not block while waiting for the authentication to complete. Servers request authentication using the synchronous AuthenticateAsServer or asynchronous BeginAuthenticateAsServer methods. The client, and optionally the server, is authenticated using the Negotiate security protocol. On Windows 95/98 systems, Windows NT LAN Manager (NTLM) is the protocol used for authentication. On other platforms the Kerberos protocol is used for authentication if both client and server support it; otherwise NTLM is used. For detailed descriptions of these protocols, see the Platform SDK documentation on MSDN, at msdn.microsoft.com/library/. The NegotiateStream class performs the authentication using the Security Support Provider Interface (SSPI).

When authentication succeeds, you must check the IsEncrypted and IsSigned properties to determine what security services will be used by the NegotiateStream to help secure your data during transmission. Check the IsMutuallyAuthenticated property to determine whether mutual authentication occurred. You can get information about the remote client or server using the RemoteIdentity property.

If the authentication fails, you will receive an AuthenticationException or a InvalidCredentialException. In this case, you can retry the authentication with a different credential.

You send data using the synchronous Write or asynchronous BeginWrite methods. You receive data using the synchronous Read or asynchronous BeginRead methods. If security services such as encryption or signing are enabled, these are automatically applied to your data by the NegotiateStream.

The NegotiateStream transmits data using a stream that you supply when creating the NegotiateStream. When you supply this underlying stream, you have the option to specify whether closing the NegotiateStream also closes the underlying stream.

Examples

The following code example demonstrates the client side of a client-server connection that uses the NegotiateStream. The client authenticates and sends a message to the server asynchronously.

using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;

namespace Examples.NegotiateStreamExample
{
    public class ASynchronousAuthenticatingTcpClient 
    {   
        static TcpClient client = null;

        public static void Main(String[] args)  
        {
            // Establish the remote endpoint for the socket.
            // For this example, use the local machine.
            IPHostEntry ipHostInfo = Dns.GetHostEntry("localhost");
            IPAddress ipAddress = ipHostInfo.AddressList[0];
            // Client and server use port 11000. 
            IPEndPoint remoteEP = new IPEndPoint(ipAddress, 11000);
            // Create a TCP/IP socket.
            client = new TcpClient();
            // Connect the socket to the remote endpoint.
            client.Connect(remoteEP);
            Console.WriteLine("Client connected to {0}.", remoteEP.ToString());
            // Ensure the client does not close when there is 
            // still data to be sent to the server.
            client.LingerState = (new LingerOption(true, 0));
            // Request authentication.
            NetworkStream clientStream = client.GetStream();
            NegotiateStream authStream = new NegotiateStream(clientStream, false); 
            // Pass the NegotiateStream as the AsyncState object 
            // so that it is available to the callback delegate.
            IAsyncResult ar = authStream.BeginAuthenticateAsClient(
                new AsyncCallback(EndAuthenticateCallback),
                authStream
                );
            Console.WriteLine("Client waiting for authentication...");
            // Wait until the result is available.
            ar.AsyncWaitHandle.WaitOne();
            // Display the properties of the authenticated stream.
            AuthenticatedStreamReporter.DisplayProperties(authStream);
            // Send a message to the server.
            // Encode the test data into a byte array.
            byte[] message = Encoding.UTF8.GetBytes("Hello from the client.");
            ar = authStream.BeginWrite(message, 0, message.Length,
                new AsyncCallback(EndWriteCallback),
                authStream);
            ar.AsyncWaitHandle.WaitOne();
            Console.WriteLine("Sent {0} bytes.", message.Length);
            // Close the client connection.
            authStream.Close();
            Console.WriteLine("Client closed.");
        }
        // The following method is called when the authentication completes.
        public static void EndAuthenticateCallback (IAsyncResult ar)
        {
            Console.WriteLine("Client ending authentication...");
            NegotiateStream authStream = (NegotiateStream) ar.AsyncState;
            Console.WriteLine("ImpersonationLevel: {0}", authStream.ImpersonationLevel);

            // End the asynchronous operation.
            authStream.EndAuthenticateAsClient(ar);
        }
        // The following method is called when the write operation completes.
        public static void EndWriteCallback (IAsyncResult ar)
        {
            Console.WriteLine("Client ending write operation...");
            NegotiateStream authStream = (NegotiateStream) ar.AsyncState;

            // End the asynchronous operation.
            authStream.EndWrite(ar);
        }
    }

    // The following class displays the properties of an authenticatedStream.
    public class AuthenticatedStreamReporter
{
    public static void DisplayProperties(AuthenticatedStream stream)
   {
        Console.WriteLine("IsAuthenticated: {0}", stream.IsAuthenticated);
        Console.WriteLine("IsMutuallyAuthenticated: {0}", stream.IsMutuallyAuthenticated);
        Console.WriteLine("IsEncrypted: {0}", stream.IsEncrypted);
        Console.WriteLine("IsSigned: {0}", stream.IsSigned);
        Console.WriteLine("IsServer: {0}", stream.IsServer);
    }
}
}

Visual C++

#using <System.dll>

using namespace System;
using namespace System::Net;
using namespace System::Net::Security;
using namespace System::Net::Sockets;
using namespace System::Text;

// The following class displays the properties of an authenticatedStream.
public ref class AuthenticatedStreamReporter
{
public:
   static void DisplayProperties( AuthenticatedStream^ stream )
   {
      Console::WriteLine( L"IsAuthenticated: {0}", stream->IsAuthenticated );
      Console::WriteLine( L"IsMutuallyAuthenticated: {0}", stream->IsMutuallyAuthenticated );
      Console::WriteLine( L"IsEncrypted: {0}", stream->IsEncrypted );
      Console::WriteLine( L"IsSigned: {0}", stream->IsSigned );
      Console::WriteLine( L"IsServer: {0}", stream->IsServer );
   }

};


public ref class ASynchronousAuthenticatingTcpClient
{
private:
   static TcpClient^ client = nullptr;

public:
   void Main()
   {

      // Establish the remote endpoint for the socket.
      // For this example, use the local machine.
      IPHostEntry^ ipHostInfo = Dns::GetHostEntry( Dns::GetHostName() );
      IPAddress^ ipAddress = ipHostInfo->AddressList[ 0 ];

      // Client and server use port 11000. 
      IPEndPoint^ remoteEP = gcnew IPEndPoint( ipAddress,11000 );

      // Create a TCP/IP socket.
      client = gcnew TcpClient;

      // Connect the socket to the remote endpoint.
      client->Connect( remoteEP );
      Console::WriteLine( L"Client connected to {0}.", remoteEP );

      // Ensure the client does not close when there is 
      // still data to be sent to the server.
      client->LingerState = (gcnew LingerOption( true,0 ));

      // Request authentication.
      NetworkStream^ clientStream = client->GetStream();
      NegotiateStream^ authStream = gcnew NegotiateStream( clientStream,false );

      // Pass the NegotiateStream as the AsyncState object 
      // so that it is available to the callback delegate.
      IAsyncResult^ ar = authStream->BeginAuthenticateAsClient( gcnew AsyncCallback( EndAuthenticateCallback ), authStream );

      Console::WriteLine( L"Client waiting for authentication..." );

      // Wait until the result is available.
      ar->AsyncWaitHandle->WaitOne();

      // Display the properties of the authenticated stream.
      AuthenticatedStreamReporter::DisplayProperties( authStream );

      // Send a message to the server.
      // Encode the test data into a byte array.
      array<Byte>^message = Encoding::UTF8->GetBytes( L"Hello from the client." );
      ar = authStream->BeginWrite( message, 0, message->Length, gcnew AsyncCallback( EndWriteCallback ), authStream );

      ar->AsyncWaitHandle->WaitOne();
      Console::WriteLine( L"Sent {0} bytes.", message->Length );

      // Close the client connection.
      authStream->Close();
      Console::WriteLine( L"Client closed." );
   }


   // The following method is called when the authentication completes.
   static void EndAuthenticateCallback( IAsyncResult^ ar )
   {
      Console::WriteLine( L"Client ending authentication..." );
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(ar->AsyncState);

      // End the asynchronous operation.
      authStream->EndAuthenticateAsClient( ar );

      //         Console.WriteLine("AllowedImpersonation: {0}", authStream.AllowedImpersonation);
   }


   // The following method is called when the write operation completes.
   static void EndWriteCallback( IAsyncResult^ ar )
   {
      Console::WriteLine( L"Client ending write operation..." );
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(ar->AsyncState);

      // End the asynchronous operation.
      authStream->EndWrite( ar );
   }

};

void main()
{
   ASynchronousAuthenticatingTcpClient^ aatc = gcnew ASynchronousAuthenticatingTcpClient;
   aatc->Main();
}

The following code example demonstrates the server side of a client-server connection that uses the NegotiateStream to authenticate the client and read a message sent by the client.

using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.IO;
using System.Threading;

namespace Examples.NegotiateStreamExample
{
    public class AsynchronousAuthenticatingTcpListener 
    {
        public static void Main() 
        {   
            // Create an IPv4 TCP/IP socket. 
            TcpListener listener = new TcpListener(IPAddress.Any, 11000);
            // Listen for incoming connections.
            listener.Start();
            while (true) 
            {
                TcpClient clientRequest = null;
                // Application blocks while waiting for an incoming connection.
                // Type CNTL-C to terminate the server.
                clientRequest = listener.AcceptTcpClient();
                Console.WriteLine("Client connected.");
                // A client has connected. 
                try
                {
                    AuthenticateClient (clientRequest);
                }
                catch (Exception e)
                {
                    Console.WriteLine(e);
                    continue;
                }

            }

        }
        public static void AuthenticateClient(TcpClient clientRequest)
        {
            NetworkStream stream = clientRequest.GetStream(); 
            // Create the NegotiateStream.
            NegotiateStream authStream = new NegotiateStream(stream, false); 
            // Save the current client and NegotiateStream instance 
            // in a ClientState object.
            ClientState cState = new ClientState(authStream, clientRequest);
            // Listen for the client authentication request.
            authStream.BeginAuthenticateAsServer (
                new AsyncCallback(EndAuthenticateCallback),
                cState
                );
            // Wait until the authentication completes.
            cState.Waiter.WaitOne();
            cState.Waiter.Reset();
            authStream.BeginRead(cState.Buffer, 0, cState.Buffer.Length, 
                   new AsyncCallback(EndReadCallback), 
                   cState);
            cState.Waiter.WaitOne();
            // Finished with the current client.
            authStream.Close();
            clientRequest.Close();
        }
        // The following method is invoked by the
        // BeginAuthenticateAsServer callback delegate.

        public static void EndAuthenticateCallback (IAsyncResult ar)
        {
            // Get the saved data.
            ClientState cState = (ClientState) ar.AsyncState;
            TcpClient clientRequest = cState.Client;
            NegotiateStream authStream = (NegotiateStream) cState.AuthenticatedStream;
            Console.WriteLine("Ending authentication.");
            // Any exceptions that occurred during authentication are
            // thrown by the EndAuthenticateAsServer method.
            try 
            {
                // This call blocks until the authentication is complete.
                authStream.EndAuthenticateAsServer(ar);
            }
            catch (AuthenticationException e)
            {
                Console.WriteLine(e);
                Console.WriteLine("Authentication failed - closing connection.");
                cState.Waiter.Set();
                return;
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
                Console.WriteLine("Closing connection.");
                cState.Waiter.Set();
                return;
            }
            // Display properties of the authenticated client.
            IIdentity id = authStream.RemoteIdentity;
            Console.WriteLine("{0} was authenticated using {1}.", 
                id.Name, 
                id.AuthenticationType
                );
            cState.Waiter.Set();

    }
        public static void EndReadCallback(IAsyncResult ar)
        {
            // Get the saved data.
            ClientState cState = (ClientState) ar.AsyncState;
            TcpClient clientRequest = cState.Client;
            NegotiateStream authStream = (NegotiateStream) cState.AuthenticatedStream; 
            // Get the buffer that stores the message sent by the client.
            int bytes = -1;
            // Read the client message.
            try
            {
                    bytes = authStream.EndRead(ar);
                    cState.Message.Append(Encoding.UTF8.GetChars(cState.Buffer, 0, bytes));
                    if (bytes != 0)
                    {
                         authStream.BeginRead(cState.Buffer, 0, cState.Buffer.Length, 
                               new AsyncCallback(EndReadCallback), 
                               cState);
                               return;
                 }
            }
            catch (Exception e)
            {
                // A real application should do something
                // useful here, such as logging the failure.
                Console.WriteLine("Client message exception:");
                Console.WriteLine(e);
                cState.Waiter.Set();
                return;
            }
            IIdentity id = authStream.RemoteIdentity;
            Console.WriteLine("{0} says {1}", id.Name, cState.Message.ToString());
            cState.Waiter.Set();
        }
    }
    // ClientState is the AsyncState object.
    internal class ClientState
    {
        private AuthenticatedStream authStream = null;
        private  TcpClient client = null;
        byte[] buffer = new byte[2048];
        StringBuilder message = null;
        ManualResetEvent waiter = new ManualResetEvent(false);
        internal ClientState(AuthenticatedStream a, TcpClient theClient)
        {
            authStream = a;
            client = theClient;
        }
        internal TcpClient Client
        { 
            get { return client;}
        }
        internal AuthenticatedStream AuthenticatedStream
        {
            get { return authStream;}
        }
        internal byte[] Buffer
        {
              get { return buffer;}
        }
        internal StringBuilder Message
        {
            get 
            { 
                if (message == null)
                    message = new StringBuilder();
                return message;
             }
        }
        internal ManualResetEvent Waiter
        {
            get 
            { 
                return waiter;
             }
        }
    }
}

Visual C++

#using <System.dll>

using namespace System;
using namespace System::Net;
using namespace System::Net::Security;
using namespace System::Net::Sockets;
using namespace System::Security::Authentication;
using namespace System::Security::Principal;
using namespace System::Text;
using namespace System::IO;
using namespace System::Threading;

// ClientState is the AsyncState object.
private ref class ClientState
{
private:
   AuthenticatedStream^ authStream;
   TcpClient^ client;
   array<Byte>^buffer;
   StringBuilder^ message;
   ManualResetEvent^ waiter;

internal:
   ClientState( AuthenticatedStream^ a, TcpClient^ theClient )
   {
      authStream = a;
      client = theClient;
      message = nullptr;
      buffer = gcnew array<Byte>(2048);
      waiter = gcnew ManualResetEvent( false );
   }

internal:
   property TcpClient^ Client 
   {
      TcpClient^ get()
      {
         return client;
      }
   }

   property AuthenticatedStream^ AuthStream 
   {
      AuthenticatedStream^ get()
      {
         return authStream;
      }
  }

   property array<Byte>^ Buffer 
   {
      array<Byte>^ get()
      {
         return buffer;
      }

   }

   property StringBuilder^ Message 
   {
      StringBuilder^ get()
      {
         if ( message == nullptr )
                  message = gcnew StringBuilder;

         return message;
      }

   }

   property ManualResetEvent^ Waiter 
   {
      ManualResetEvent^ get()
      {
         return waiter;
      }

   }

};

public ref class AsynchronousAuthenticatingTcpListener
{
public:
   int Main()
   {

      // Create an IPv4 TCP/IP socket. 
      TcpListener^ listener = gcnew TcpListener( IPAddress::Any,11000 );

      // Listen for incoming connections.
      listener->Start();
      while ( true )
      {
         TcpClient^ clientRequest = nullptr;

         // Application blocks while waiting for an incoming connection.
         // Type CNTL-C to terminate the server.
         clientRequest = listener->AcceptTcpClient();
         Console::WriteLine( L"Client connected." );

         // A client has connected. 
         try
         {
            AuthenticateClient( clientRequest );
         }
         catch ( Exception^ e ) 
         {
            Console::WriteLine( e );
            continue;
         }

      }
   }


   static void AuthenticateClient( TcpClient^ clientRequest )
   {
      NetworkStream^ stream = clientRequest->GetStream();

      // Create the NegotiateStream.
      NegotiateStream^ authStream = gcnew NegotiateStream( stream,false );

      // Save the current client and NegotiateStream instance 
      // in a ClientState object.
      ClientState^ cState = gcnew ClientState( authStream,clientRequest );

      // Listen for the client authentication request.
      authStream->BeginAuthenticateAsServer( gcnew AsyncCallback( EndAuthenticateCallback ), cState );

      // Wait until the authentication completes.
      cState->Waiter->WaitOne();
      cState->Waiter->Reset();
      authStream->BeginRead( cState->Buffer, 0, cState->Buffer->Length, gcnew AsyncCallback( EndReadCallback ), cState );
      cState->Waiter->WaitOne();

      // Finished with the current client.
      authStream->Close();
      clientRequest->Close();
   }


   // The following method is invoked by the
   // BeginServerAuthenticate callback delegate.
   static void EndAuthenticateCallback( IAsyncResult^ ar )
   {

      // Get the saved data.
      ClientState^ cState = dynamic_cast<ClientState^>(ar->AsyncState);
      TcpClient^ clientRequest = cState->Client;
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(cState->AuthStream);
      Console::WriteLine( L"Ending authentication." );

      // Any exceptions that occurred during authentication are
      // thrown by the EndServerAuthenticate method.
      try
      {

         // This call blocks until the authentication is complete.
         authStream->EndAuthenticateAsServer( ar );
      }
      catch ( AuthenticationException^ e ) 
      {
         Console::WriteLine( e );
         Console::WriteLine( L"Authentication failed - closing connection." );
         cState->Waiter->Set();
         return;
      }
      catch ( Exception^ e ) 
      {
         Console::WriteLine( e );
         Console::WriteLine( L"Closing connection." );
         cState->Waiter->Set();
         return;
      }


      // Display properties of the authenticated client.
      IIdentity^ id = authStream->RemoteIdentity;
      Console::WriteLine( L"{0} was authenticated using {1}.", id->Name, id->AuthenticationType );
      cState->Waiter->Set();
   }


   static void EndReadCallback( IAsyncResult^ ar )
   {

      // Get the saved data.
      ClientState^ cState = dynamic_cast<ClientState^>(ar->AsyncState);
      TcpClient^ clientRequest = cState->Client;
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(cState->AuthStream);

      // Get the buffer that stores the message sent by the client.
      int bytes = -1;

      // Read the client message.
      try
      {
         bytes = authStream->EndRead( ar );
         cState->Message->Append( Encoding::UTF8->GetChars( cState->Buffer, 0, bytes ) );
         if ( bytes != 0 )
         {
            authStream->BeginRead( cState->Buffer, 0, cState->Buffer->Length, gcnew AsyncCallback( EndReadCallback ), cState );
            return;
         }
      }
      catch ( Exception^ e ) 
      {

         // A real application should do something
         // useful here, such as logging the failure.
         Console::WriteLine( L"Client message exception:" );
         Console::WriteLine( e );
         cState->Waiter->Set();
         return;
      }

      IIdentity^ id = authStream->RemoteIdentity;
      Console::WriteLine( L"{0} says {1}", id->Name, cState->Message );
      cState->Waiter->Set();
   }

};

void main()
{
   AsynchronousAuthenticatingTcpListener^ aatl = gcnew AsynchronousAuthenticatingTcpListener;
   aatl->Main();
}

Inheritance Hierarchy

System..::.Object
  System..::.MarshalByRefObject
    System.IO..::.Stream
      System.Net.Security..::.AuthenticatedStream
        System.Net.Security..::.NegotiateStream

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Platforms

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Version Information

.NET Framework

Supported in: 3.5, 3.0, 2.0

Reference

NegotiateStream Members

System.Net.Security Namespace

Other Resources

Changes to NTLM authentication for HTTPWebRequest in Version 3.5 SP1