Discussion:
RPCsecure SSL RpcServerRegisterAuthInfo And RPC_C_AUTHN_GSS_SCHANNEL
Gianluca Braccini
2004-10-09 14:45:39 UTC
I use Visual C/C++ rel. 6.0, and I use secure RPC in my client/server
application. Now I would like to do a secure RPC connection over the Internet
using SSL, but where can I find some samples? I cannot understand how to
set the parameters for RpcServerRegisterAuthInfo() when I specify
RPC_C_AUTHN_GSS_SCHANNEL. How can I set the SCHANNEL_CRED structure? I was
looking for it in MSDN but I haven't found anything! Please help me.
S R Tripathy
2004-10-11 09:11:58 UTC
RPC over HTTP may be your answer

Shakti
Gianluca Braccini
2004-10-11 15:12:43 UTC
Thanks for your answer, RPC over HTTP is very interesting but increases the
throughput. I only want to implement certificate authentication with SSL,
but unluckily I cannot find a sample for RPC_C_AUTHN_GSS_SCHANNEL.

Gianluca
Greg Kapoustin [MSFT]
2004-10-12 23:31:31 UTC
To reiterate, RPC over HTTP is the best approach for making RPC calls over
the Internet. RPC over tcp/ip will almost certainly get blocked by the
firewalls and routers in some configurations. You will only be able to use
RPC over tcp/ip reliably over a LAN.

This having been said, if you insist on using tcp/ip, the documentation on
SSL support is very modest, so here's the rough outline of the steps:

On the client:

- Create a binding handle in the usual manner.
- Call CertOpenStore(), CertFindCertificateInStore() to load PCCERT_CONTEXT
you will use to authenticate the client.
- Initialize the SCHANNEL_CRED you will use for the client.
- Call RpcBindingSetAuthInfoEx() for your binding handle passing
RPC_C_AUTHN_GSS_SCHANNEL, and the SCHANNEL_CRED you created as the
AuthIdentity parameter.
- Make the call.
- Don't forget to clean up by calling CertFreeCertificateContext() and
CertCloseStore().

On the server:

- Begin to initialize the server in the usual manner, but do not listen.
- Call CertOpenStore(), CertFindCertificateInStore() to load PCCERT_CONTEXT
you will use to authenticate the server.
- Initialize the SCHANNEL_CRED you will use for the server.
- Call RpcServerRegisterAuthInfo() passing RPC_C_AUTHN_GSS_SCHANNEL, and the
SCHANNEL_CRED you created as the Arg parameter.
- You may need to clean up by calling CertFreeCertificateContext() and
CertCloseStore() if you unload your service from a running process.

You may want to consult the MSDN for additional RPC and SChannel info.

Greg
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Gianluca Braccini
2004-10-13 12:21:49 UTC
Great Greg!!! Thanks for the help.
I have another simple question for you: can I install the server application
on a machine with Windows 2000 Professional, or is it indispensable to use an
operating system with certificate services, such as Windows 2003 Server?
At the moment we are using secure RPC over TCP/IP, over the Internet, and it
works very well. For our local application we use standard RPC (without
security); with XP SP2 we have found some problems, which we resolved by setting
RestrictRemoteClients in the registry. Do you think that in the next service
pack this operation will do? I cannot use ncalrpc because it doesn't work
with big parameters in callback functions.

Thanks,
Gianluca
Greg Kapoustin [MSFT]
2004-10-23 01:05:53 UTC
Glad I could help. More answers inline:
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Gianluca Braccini
Great Greg!!! Thanks for the help.
I have another simple question for you: can I install the server application
on a machine with Windows 2000 Professional, or is it indispensable to use an
operating system with certificate services, such as Windows 2003 Server?
RPC over SSL should work on W2K also.
Post by Gianluca Braccini
At the moment we are using secure RPC over TCP/IP, over the Internet, and it
works very well. For our local application we use standard RPC (without
security);
If you use LRPC for your local calls, the traffic is secure by-definition,
since LRPC provides a secure channel.
Post by Gianluca Braccini
with XP SP2 we have found some problems, which we resolved by setting
RestrictRemoteClients in the registry. Do you think that in the next service
pack this operation will do?
I am a little bit confused about this question. If you are asking whether
the settings will be obeyed in the subsequent SPs, the answer is: "they
should be".
Post by Gianluca Braccini
I cannot use ncalrpc because it doesn't work
with big parameters in callback functions.
Can you please provide more details about your problem? Using RPC callbacks
is a very bad idea since they lack performance and make the server vulnerable to
client attack. For more info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/callbacks.asp.
You can usually achieve callback-like behavior with regular calls. If you
have:

Client: Call([in] CallIn, [out] CallOut);
Server: Callback([in] BackIn, [out] BackOut);

You can re-write it as:

Client: Call([in] CallIn, [out] BackIn);
Client: Call([in] BackOut, [out] CallOut);

and just keep some state on the server between the two calls, for instance
using a context handle.

Greg
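The rewrite Greg describes, split into two client-initiated calls with server state held between them, as an added example that is not part of the original thread. It is portable C that simulates both sides in one process: the "context handle" is a slot index plus a generation number standing in for the opaque handle the RPC runtime would manage, and the arithmetic (BackIn = 2*CallIn, BackOut = BackIn+1, CallOut = BackOut+CallIn) is a constructed stand-in for real work. The point it shows is the one that matters for security: the server never calls into the client, and a stale, replayed or forged handle is rejected before any state is touched.

```c
#include <stdint.h>
#include <string.h>

/* Server-side state table. With real RPC this is what a context handle
 * points at and the runtime validates the handle; here we do it by hand. */
#define MAX_SESSIONS 8
typedef struct { int in_use; uint32_t gen; int call_in; int back_in; } session_t;
typedef struct { uint32_t slot; uint32_t gen; } ctx_handle_t;   /* simulated handle */

static session_t g_sessions[MAX_SESSIONS];
static uint32_t g_gen = 1;   /* generation counter: a reused slot gets a fresh value */

/* Original shape: Call([in] CallIn, [out] CallOut) where the server, mid-call,
 * invoked Callback([in] BackIn, [out] BackOut) on the client. Rewritten as
 * Call1([in] CallIn, [out] handle, [out] BackIn) and
 * Call2([in] handle, [in] BackOut, [out] CallOut). */

/* First call: the work the server used to do before the callback.
 * Returns 0 on success, -2 when the table is full. */
int server_call1(int call_in, ctx_handle_t *h, int *back_in)
{
    uint32_t i;
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (g_sessions[i].in_use) continue;
        g_sessions[i].in_use = 1;
        g_sessions[i].gen = g_gen++;
        g_sessions[i].call_in = call_in;
        g_sessions[i].back_in = call_in * 2;   /* constructed server-side work */
        h->slot = i;
        h->gen = g_sessions[i].gen;
        *back_in = g_sessions[i].back_in;
        return 0;
    }
    return -2;   /* bounded table: a client cannot make the server hold unlimited state */
}

/* Second call: the work the server used to do after the callback returned.
 * Returns 0 on success, -1 for an unknown, stale or replayed handle. */
int server_call2(ctx_handle_t h, int back_out, int *call_out)
{
    session_t *s;
    if (h.slot >= MAX_SESSIONS) return -1;
    s = &g_sessions[h.slot];
    if (!s->in_use || s->gen != h.gen) return -1;
    *call_out = back_out + s->call_in;   /* constructed server-side work */
    memset(s, 0, sizeof(*s));            /* handle is single-use: no replay */
    return 0;
}

/* Client side: what used to be the callback body now runs between the two calls,
 * entirely under the client's control and never as code the server invokes. */
static int client_callback_body(int back_in) { return back_in + 1; }

int client_call(int call_in, int *call_out)
{
    ctx_handle_t h;
    int back_in, rc;
    rc = server_call1(call_in, &h, &back_in);
    if (rc) return rc;
    return server_call2(h, client_callback_body(back_in), call_out);
}
```

In a real interface the handle would be declared as a `[context_handle]` type in the IDL, and the runtime would run a rundown routine to free the server state if the client disconnects between the two calls; the table bound and the single-use handle here are the hand-rolled equivalents of those two protections.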