开发者

Authenticating users for a intranet using smtp

I have a collection of about 400 users that use email here in our company and we're starting a intranet for them, I'm using .Net Framework (C#) for the application layer. We would like to authenticate these users using the same credentials they have for their email, our email provider has no such service therefore I had the idea of authenticating them using the SMTP server (which requires authentication).

I've searched for a Authenticate() method on the SmtpClient class but to no avail, there's no way to authenticate only. Has anyone had to solve this kind of problem before? I think I'll have to open a socket to the SMTP server and send开发者_如何学Python the commands myself, but maybe there's an easier way to to this.


Since, you have a SMTP server, I will assume you also have a POP3 server. I think I'm also safe by assuming the credentials for POP3 and SMTP are the same.

If my assumptions are correct (which is very likely), you can authenticate them by POP3, instead of SMTP.

So, you can use the Pop3Client class, which provides more than one authentication method:

  • AuthenticateClearText
  • AuthenticateNtlm

That way, your code will:

  1. Connect
  2. Authenticate (checking for exceptions)
  3. Disconnect

And you are all set!


Using the SmtpClient against your SMTP server you're soliciting a service. Your application should only specify whether to use Windows authentication (which will be Kerberos or NTLM depending on how your intranet is configured) or credential specification, and whether to use SSL.

As for application authentication, you can reference WindowsIdentity from System.Security.Principal.WindowsIdentity.GetCurrent(). More specifically, you can use the IsAuthenticated property.

Before you attempt any call to the SMTP server, if you want to use Windows authentication, try something like this:

SmtpClient client = new SmtpClient(server, port);
client.Credentials = CredentialCache.DefaultNetworkCredentials;

Then let the SMTP server authorize whether the user can actually perform the attempted action.

If you want to say, disable an action button because the SMTP server would reject the user attempted action and you're trying to be proactive and prevent he user from doing something he can't do, then that rejection must be deterministic prior to hitting the SMTP server (i.e. you would not simply rely on the SMTP server to tell you this; you would need some sort of business security layer in place).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜