NegotiateStream Class
.NET Framework Class Library
NegotiateStream Class

Provides a stream that uses the Negotiate security protocol to authenticate the client, and optionally the server, in client-server communication.

Namespace:  System.Net.Security
Assembly:  System (in System.dll)
 Syntax
Visual Basic 
Public Class NegotiateStream _
    Inherits AuthenticatedStream
C# 
public class NegotiateStream : AuthenticatedStream
Visual C++ 
public ref class NegotiateStream : public AuthenticatedStream
F# 
type NegotiateStream =  
    class
        inherit AuthenticatedStream
    end
 Remarks

Use the NegotiateStream class for authentication and to help secure information transmitted between a client and a server. Using NegotiateStream, you can do the following.

  • Send the client's credentials to the server for Impersonation or Delegation.

  • Request server authentication.

  • Encrypt and/or sign data before transmitting it.

Authentication must be performed before transmitting information. Clients request authentication using the synchronous AuthenticateAsClient methods, which block until the authentication completes, or the asynchronous BeginAuthenticateAsClient methods, which do not block while waiting for the authentication to complete. Servers request authentication using the synchronous AuthenticateAsServer or asynchronous BeginAuthenticateAsServer methods. The client, and optionally the server, is authenticated using the Negotiate security protocol. On Windows 95/98 systems, Windows NT LAN Manager (NTLM) is the protocol used for authentication. On other platforms the Kerberos protocol is used for authentication if both client and server support it; otherwise NTLM is used. For detailed descriptions of these protocols, see the Platform SDK documentation on MSDN, at msdn.microsoft.com/library/. The NegotiateStream class performs the authentication using the Security Support Provider Interface (SSPI).

When authentication succeeds, you must check the IsEncrypted and IsSigned properties to determine what security services will be used by the NegotiateStream to help secure your data during transmission. Check the IsMutuallyAuthenticated property to determine whether mutual authentication occurred. You can get information about the remote client or server using the RemoteIdentity property.

If the authentication fails, you will receive an AuthenticationException or a InvalidCredentialException. In this case, you can retry the authentication with a different credential.

You send data using the synchronous Write or asynchronous BeginWrite methods. You receive data using the synchronous Read or asynchronous BeginRead methods. If security services such as encryption or signing are enabled, these are automatically applied to your data by the NegotiateStream.

The NegotiateStream transmits data using a stream that you supply when creating the NegotiateStream. When you supply this underlying stream, you have the option to specify whether closing the NegotiateStream also closes the underlying stream.
 Examples

The following code example demonstrates the client side of a client-server connection that uses the NegotiateStream. The client authenticates and sends a message to the server asynchronously.

C# 
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;

namespace Examples.NegotiateStreamExample
{
    public class ASynchronousAuthenticatingTcpClient 
    {   
        static TcpClient client = null;

        public static void Main(String[] args)  
        {
            // Establish the remote endpoint for the socket.
            // For this example, use the local machine.
            IPHostEntry ipHostInfo = Dns.GetHostEntry("localhost");
            IPAddress ipAddress = ipHostInfo.AddressList[0];
            // Client and server use port 11000. 
            IPEndPoint remoteEP = new IPEndPoint(ipAddress, 11000);
            // Create a TCP/IP socket.
            client = new TcpClient();
            // Connect the socket to the remote endpoint.
            client.Connect(remoteEP);
            Console.WriteLine("Client connected to {0}.", remoteEP.ToString());
            // Ensure the client does not close when there is 
            // still data to be sent to the server.
            client.LingerState = (new LingerOption(true, 0));
            // Request authentication.
            NetworkStream clientStream = client.GetStream();
            NegotiateStream authStream = new NegotiateStream(clientStream, false); 
            // Pass the NegotiateStream as the AsyncState object 
            // so that it is available to the callback delegate.
            IAsyncResult ar = authStream.BeginAuthenticateAsClient(
                new AsyncCallback(EndAuthenticateCallback),
                authStream
                );
            Console.WriteLine("Client waiting for authentication...");
            // Wait until the result is available.
            ar.AsyncWaitHandle.WaitOne();
            // Display the properties of the authenticated stream.
            AuthenticatedStreamReporter.DisplayProperties(authStream);
            // Send a message to the server.
            // Encode the test data into a byte array.
            byte[] message = Encoding.UTF8.GetBytes("Hello from the client.");
            ar = authStream.BeginWrite(message, 0, message.Length,
                new AsyncCallback(EndWriteCallback),
                authStream);
            ar.AsyncWaitHandle.WaitOne();
            Console.WriteLine("Sent {0} bytes.", message.Length);
            // Close the client connection.
            authStream.Close();
            Console.WriteLine("Client closed.");
        }
        // The following method is called when the authentication completes.
        public static void EndAuthenticateCallback (IAsyncResult ar)
        {
            Console.WriteLine("Client ending authentication...");
            NegotiateStream authStream = (NegotiateStream) ar.AsyncState;
            Console.WriteLine("ImpersonationLevel: {0}", authStream.ImpersonationLevel);

            // End the asynchronous operation.
            authStream.EndAuthenticateAsClient(ar);
        }
        // The following method is called when the write operation completes.
        public static void EndWriteCallback (IAsyncResult ar)
        {
            Console.WriteLine("Client ending write operation...");
            NegotiateStream authStream = (NegotiateStream) ar.AsyncState;

            // End the asynchronous operation.
            authStream.EndWrite(ar);
        }
    }

    // The following class displays the properties of an authenticatedStream.
    public class AuthenticatedStreamReporter
{
    public static void DisplayProperties(AuthenticatedStream stream)
   {
        Console.WriteLine("IsAuthenticated: {0}", stream.IsAuthenticated);
        Console.WriteLine("IsMutuallyAuthenticated: {0}", stream.IsMutuallyAuthenticated);
        Console.WriteLine("IsEncrypted: {0}", stream.IsEncrypted);
        Console.WriteLine("IsSigned: {0}", stream.IsSigned);
        Console.WriteLine("IsServer: {0}", stream.IsServer);
    }
}
}
Visual C++ 
#using <System.dll>

using namespace System;
using namespace System::Net;
using namespace System::Net::Security;
using namespace System::Net::Sockets;
using namespace System::Text;

// The following class displays the properties of an authenticatedStream.
public ref class AuthenticatedStreamReporter
{
public:
   static void DisplayProperties( AuthenticatedStream^ stream )
   {
      Console::WriteLine( L"IsAuthenticated: {0}", stream->IsAuthenticated );
      Console::WriteLine( L"IsMutuallyAuthenticated: {0}", stream->IsMutuallyAuthenticated );
      Console::WriteLine( L"IsEncrypted: {0}", stream->IsEncrypted );
      Console::WriteLine( L"IsSigned: {0}", stream->IsSigned );
      Console::WriteLine( L"IsServer: {0}", stream->IsServer );
   }

};


public ref class ASynchronousAuthenticatingTcpClient
{
private:
   static TcpClient^ client = nullptr;

public:
   void Main()
   {

      // Establish the remote endpoint for the socket.
      // For this example, use the local machine.
      IPHostEntry^ ipHostInfo = Dns::GetHostEntry( Dns::GetHostName() );
      IPAddress^ ipAddress = ipHostInfo->AddressList[ 0 ];

      // Client and server use port 11000. 
      IPEndPoint^ remoteEP = gcnew IPEndPoint( ipAddress,11000 );

      // Create a TCP/IP socket.
      client = gcnew TcpClient;

      // Connect the socket to the remote endpoint.
      client->Connect( remoteEP );
      Console::WriteLine( L"Client connected to {0}.", remoteEP );

      // Ensure the client does not close when there is 
      // still data to be sent to the server.
      client->LingerState = (gcnew LingerOption( true,0 ));

      // Request authentication.
      NetworkStream^ clientStream = client->GetStream();
      NegotiateStream^ authStream = gcnew NegotiateStream( clientStream,false );

      // Pass the NegotiateStream as the AsyncState object 
      // so that it is available to the callback delegate.
      IAsyncResult^ ar = authStream->BeginAuthenticateAsClient( gcnew AsyncCallback( EndAuthenticateCallback ), authStream );

      Console::WriteLine( L"Client waiting for authentication..." );

      // Wait until the result is available.
      ar->AsyncWaitHandle->WaitOne();

      // Display the properties of the authenticated stream.
      AuthenticatedStreamReporter::DisplayProperties( authStream );

      // Send a message to the server.
      // Encode the test data into a byte array.
      array<Byte>^message = Encoding::UTF8->GetBytes( L"Hello from the client." );
      ar = authStream->BeginWrite( message, 0, message->Length, gcnew AsyncCallback( EndWriteCallback ), authStream );

      ar->AsyncWaitHandle->WaitOne();
      Console::WriteLine( L"Sent {0} bytes.", message->Length );

      // Close the client connection.
      authStream->Close();
      Console::WriteLine( L"Client closed." );
   }


   // The following method is called when the authentication completes.
   static void EndAuthenticateCallback( IAsyncResult^ ar )
   {
      Console::WriteLine( L"Client ending authentication..." );
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(ar->AsyncState);

      // End the asynchronous operation.
      authStream->EndAuthenticateAsClient( ar );

      //         Console.WriteLine("AllowedImpersonation: {0}", authStream.AllowedImpersonation);
   }


   // The following method is called when the write operation completes.
   static void EndWriteCallback( IAsyncResult^ ar )
   {
      Console::WriteLine( L"Client ending write operation..." );
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(ar->AsyncState);

      // End the asynchronous operation.
      authStream->EndWrite( ar );
   }

};

void main()
{
   ASynchronousAuthenticatingTcpClient^ aatc = gcnew ASynchronousAuthenticatingTcpClient;
   aatc->Main();
}

The following code example demonstrates the server side of a client-server connection that uses the NegotiateStream to authenticate the client and read a message sent by the client.

C# 
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.IO;
using System.Threading;

namespace Examples.NegotiateStreamExample
{
    public class AsynchronousAuthenticatingTcpListener 
    {
        public static void Main() 
        {   
            // Create an IPv4 TCP/IP socket. 
            TcpListener listener = new TcpListener(IPAddress.Any, 11000);
            // Listen for incoming connections.
            listener.Start();
            while (true) 
            {
                TcpClient clientRequest = null;
                // Application blocks while waiting for an incoming connection.
                // Type CNTL-C to terminate the server.
                clientRequest = listener.AcceptTcpClient();
                Console.WriteLine("Client connected.");
                // A client has connected. 
                try
                {
                    AuthenticateClient (clientRequest);
                }
                catch (Exception e)
                {
                    Console.WriteLine(e);
                    continue;
                }

            }

        }
        public static void AuthenticateClient(TcpClient clientRequest)
        {
            NetworkStream stream = clientRequest.GetStream(); 
            // Create the NegotiateStream.
            NegotiateStream authStream = new NegotiateStream(stream, false); 
            // Save the current client and NegotiateStream instance 
            // in a ClientState object.
            ClientState cState = new ClientState(authStream, clientRequest);
            // Listen for the client authentication request.
            authStream.BeginAuthenticateAsServer (
                new AsyncCallback(EndAuthenticateCallback),
                cState
                );
            // Wait until the authentication completes.
            cState.Waiter.WaitOne();
            cState.Waiter.Reset();
            authStream.BeginRead(cState.Buffer, 0, cState.Buffer.Length, 
                   new AsyncCallback(EndReadCallback), 
                   cState);
            cState.Waiter.WaitOne();
            // Finished with the current client.
            authStream.Close();
            clientRequest.Close();
        }
        // The following method is invoked by the
        // BeginAuthenticateAsServer callback delegate.

        public static void EndAuthenticateCallback (IAsyncResult ar)
        {
            // Get the saved data.
            ClientState cState = (ClientState) ar.AsyncState;
            TcpClient clientRequest = cState.Client;
            NegotiateStream authStream = (NegotiateStream) cState.AuthenticatedStream;
            Console.WriteLine("Ending authentication.");
            // Any exceptions that occurred during authentication are
            // thrown by the EndAuthenticateAsServer method.
            try 
            {
                // This call blocks until the authentication is complete.
                authStream.EndAuthenticateAsServer(ar);
            }
            catch (AuthenticationException e)
            {
                Console.WriteLine(e);
                Console.WriteLine("Authentication failed - closing connection.");
                cState.Waiter.Set();
                return;
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
                Console.WriteLine("Closing connection.");
                cState.Waiter.Set();
                return;
            }
            // Display properties of the authenticated client.
            IIdentity id = authStream.RemoteIdentity;
            Console.WriteLine("{0} was authenticated using {1}.", 
                id.Name, 
                id.AuthenticationType
                );
            cState.Waiter.Set();

    }
        public static void EndReadCallback(IAsyncResult ar)
        {
            // Get the saved data.
            ClientState cState = (ClientState) ar.AsyncState;
            TcpClient clientRequest = cState.Client;
            NegotiateStream authStream = (NegotiateStream) cState.AuthenticatedStream; 
            // Get the buffer that stores the message sent by the client.
            int bytes = -1;
            // Read the client message.
            try
            {
                    bytes = authStream.EndRead(ar);
                    cState.Message.Append(Encoding.UTF8.GetChars(cState.Buffer, 0, bytes));
                    if (bytes != 0)
                    {
                         authStream.BeginRead(cState.Buffer, 0, cState.Buffer.Length, 
                               new AsyncCallback(EndReadCallback), 
                               cState);
                               return;
                 }
            }
            catch (Exception e)
            {
                // A real application should do something
                // useful here, such as logging the failure.
                Console.WriteLine("Client message exception:");
                Console.WriteLine(e);
                cState.Waiter.Set();
                return;
            }
            IIdentity id = authStream.RemoteIdentity;
            Console.WriteLine("{0} says {1}", id.Name, cState.Message.ToString());
            cState.Waiter.Set();
        }
    }
    // ClientState is the AsyncState object.
    internal class ClientState
    {
        private AuthenticatedStream authStream = null;
        private  TcpClient client = null;
        byte[] buffer = new byte[2048];
        StringBuilder message = null;
        ManualResetEvent waiter = new ManualResetEvent(false);
        internal ClientState(AuthenticatedStream a, TcpClient theClient)
        {
            authStream = a;
            client = theClient;
        }
        internal TcpClient Client
        { 
            get { return client;}
        }
        internal AuthenticatedStream AuthenticatedStream
        {
            get { return authStream;}
        }
        internal byte[] Buffer
        {
              get { return buffer;}
        }
        internal StringBuilder Message
        {
            get 
            { 
                if (message == null)
                    message = new StringBuilder();
                return message;
             }
        }
        internal ManualResetEvent Waiter
        {
            get 
            { 
                return waiter;
             }
        }
    }
}
Visual C++ 
#using <System.dll>

using namespace System;
using namespace System::Net;
using namespace System::Net::Security;
using namespace System::Net::Sockets;
using namespace System::Security::Authentication;
using namespace System::Security::Principal;
using namespace System::Text;
using namespace System::IO;
using namespace System::Threading;

// ClientState is the AsyncState object.
private ref class ClientState
{
private:
   AuthenticatedStream^ authStream;
   TcpClient^ client;
   array<Byte>^buffer;
   StringBuilder^ message;
   ManualResetEvent^ waiter;

internal:
   ClientState( AuthenticatedStream^ a, TcpClient^ theClient )
   {
      authStream = a;
      client = theClient;
      message = nullptr;
      buffer = gcnew array<Byte>(2048);
      waiter = gcnew ManualResetEvent( false );
   }

internal:
   property TcpClient^ Client 
   {
      TcpClient^ get()
      {
         return client;
      }
   }

   property AuthenticatedStream^ AuthStream 
   {
      AuthenticatedStream^ get()
      {
         return authStream;
      }
  }

   property array<Byte>^ Buffer 
   {
      array<Byte>^ get()
      {
         return buffer;
      }

   }

   property StringBuilder^ Message 
   {
      StringBuilder^ get()
      {
         if ( message == nullptr )
                  message = gcnew StringBuilder;

         return message;
      }

   }

   property ManualResetEvent^ Waiter 
   {
      ManualResetEvent^ get()
      {
         return waiter;
      }

   }

};

public ref class AsynchronousAuthenticatingTcpListener
{
public:
   int Main()
   {

      // Create an IPv4 TCP/IP socket. 
      TcpListener^ listener = gcnew TcpListener( IPAddress::Any,11000 );

      // Listen for incoming connections.
      listener->Start();
      while ( true )
      {
         TcpClient^ clientRequest = nullptr;

         // Application blocks while waiting for an incoming connection.
         // Type CNTL-C to terminate the server.
         clientRequest = listener->AcceptTcpClient();
         Console::WriteLine( L"Client connected." );

         // A client has connected. 
         try
         {
            AuthenticateClient( clientRequest );
         }
         catch ( Exception^ e ) 
         {
            Console::WriteLine( e );
            continue;
         }

      }
   }


   static void AuthenticateClient( TcpClient^ clientRequest )
   {
      NetworkStream^ stream = clientRequest->GetStream();

      // Create the NegotiateStream.
      NegotiateStream^ authStream = gcnew NegotiateStream( stream,false );

      // Save the current client and NegotiateStream instance 
      // in a ClientState object.
      ClientState^ cState = gcnew ClientState( authStream,clientRequest );

      // Listen for the client authentication request.
      authStream->BeginAuthenticateAsServer( gcnew AsyncCallback( EndAuthenticateCallback ), cState );

      // Wait until the authentication completes.
      cState->Waiter->WaitOne();
      cState->Waiter->Reset();
      authStream->BeginRead( cState->Buffer, 0, cState->Buffer->Length, gcnew AsyncCallback( EndReadCallback ), cState );
      cState->Waiter->WaitOne();

      // Finished with the current client.
      authStream->Close();
      clientRequest->Close();
   }


   // The following method is invoked by the
   // BeginServerAuthenticate callback delegate.
   static void EndAuthenticateCallback( IAsyncResult^ ar )
   {

      // Get the saved data.
      ClientState^ cState = dynamic_cast<ClientState^>(ar->AsyncState);
      TcpClient^ clientRequest = cState->Client;
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(cState->AuthStream);
      Console::WriteLine( L"Ending authentication." );

      // Any exceptions that occurred during authentication are
      // thrown by the EndServerAuthenticate method.
      try
      {

         // This call blocks until the authentication is complete.
         authStream->EndAuthenticateAsServer( ar );
      }
      catch ( AuthenticationException^ e ) 
      {
         Console::WriteLine( e );
         Console::WriteLine( L"Authentication failed - closing connection." );
         cState->Waiter->Set();
         return;
      }
      catch ( Exception^ e ) 
      {
         Console::WriteLine( e );
         Console::WriteLine( L"Closing connection." );
         cState->Waiter->Set();
         return;
      }


      // Display properties of the authenticated client.
      IIdentity^ id = authStream->RemoteIdentity;
      Console::WriteLine( L"{0} was authenticated using {1}.", id->Name, id->AuthenticationType );
      cState->Waiter->Set();
   }


   static void EndReadCallback( IAsyncResult^ ar )
   {

      // Get the saved data.
      ClientState^ cState = dynamic_cast<ClientState^>(ar->AsyncState);
      TcpClient^ clientRequest = cState->Client;
      NegotiateStream^ authStream = dynamic_cast<NegotiateStream^>(cState->AuthStream);

      // Get the buffer that stores the message sent by the client.
      int bytes = -1;

      // Read the client message.
      try
      {
         bytes = authStream->EndRead( ar );
         cState->Message->Append( Encoding::UTF8->GetChars( cState->Buffer, 0, bytes ) );
         if ( bytes != 0 )
         {
            authStream->BeginRead( cState->Buffer, 0, cState->Buffer->Length, gcnew AsyncCallback( EndReadCallback ), cState );
            return;
         }
      }
      catch ( Exception^ e ) 
      {

         // A real application should do something
         // useful here, such as logging the failure.
         Console::WriteLine( L"Client message exception:" );
         Console::WriteLine( e );
         cState->Waiter->Set();
         return;
      }

      IIdentity^ id = authStream->RemoteIdentity;
      Console::WriteLine( L"{0} says {1}", id->Name, cState->Message );
      cState->Waiter->Set();
   }

};

void main()
{
   AsynchronousAuthenticatingTcpListener^ aatl = gcnew AsynchronousAuthenticatingTcpListener;
   aatl->Main();
}
 Inheritance Hierarchy
System..::.Object
  System..::.MarshalByRefObject
    System.IO..::.Stream
      System.Net.Security..::.AuthenticatedStream
        System.Net.Security..::.NegotiateStream
 Thread Safety
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
 Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role not supported), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
 Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1
 See Also

Reference

NegotiateStream Members
System.Net.Security Namespace

Other Resources

Changes to NTLM authentication for HttpWebRequest in Version 3.5 SP1
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations

Page view tracker