
How can I authenticate a windows user over a REST API call without IIS/WCF?

While developing an on-premise, intranet-only REST API server for my company, I managed to completely confuse myself regarding authentication issues.

I have:

  • A REST web server implemented in C#, using self-hosted Nancy, running as a Windows Service
  • A C# client that can query the server, run by a user in our company

I do not have:

  • Any form of access to our Active Directory and/or domain controller, apart from what any application running under Windows normally has
  • Any way to influence AD settings or configuration
  • Active Directory Federation Services (ADFS) (I think. We use Windows 7 and Office 2010, just to give some perspective on the state of the software landscape)
  • Azure Active Directory (AAD)

I want:

  • A way for the server to authenticate that a request is made by a user of our company
    • It is perfectly fine if the client has to send some additional authentication data with each request, as long as it does not contain the user's password in any form

I do not want to:

  • Have to set up any additional software (my server must be minimum configuration and maintenance, so the average user can install and run it)
  • Install / configure / maintain an IIS server (see above)
  • Use ASP.net (way too big for my needs, plus see above point(s))
  • Handle user passwords in any way (company policy and common sense)
  • Impersonate the user (I only need to validate the authenticity of the request)
  • Implement my own user account database. We already have half a dozen services that need their own username/password combinations, I do not want to add yet another one

I have read articles that show how to use Windows authentication with IIS, or how to use Azure Active Directory (AAD) with Nancy. Other questions here have already informed me how to authenticate username/password combinations against the Active Directory. However, none of these satisfy all of my requirements, or they have requirements of their own (like AAD/ADFS) that I cannot meet.

It seems that Kerberos/SSPI might be what I want, but it seems very involved and quite complicated to get working with C#. It is possible I will have to go this route, but I could really benefit from some minimal working example (the accepted answer provides a C# implementation/wrapper, including an example project, but I can't seem to be able to make heads or tails of it).

Maybe I am naive, but what I imagine the solution to be is something along the following lines:

  1. The client queries a service (AD, Domain controller, ...?) for some form of authentication token, using the credentials of the currently logged in user
  2. The token is then sent to the server together with the username, as part of the request that needs to be authenticated
  3. The server extracts the token, and queries the same service (AD, Domain controller, ...) whether the token is authentic, valid and belongs to the user in question

Is this possible at all? Ideally, with some sort of ready made library that I can plug in to my projects (I'm reaching, I know)?

You can do this with stateless authentication and JWT. Send a username and password to "/auth" (example) and "/auth" will search the AD (example) and validate if the user exists, then create a JWT token with the name of the user on load. When you make a request, you will only send a JWT token and Nancy validates the token.
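An added example of the two halves of the flow the answer describes, written in plain C# for this page and not taken from the original answer, from Nancy, or from any JWT library: the "/auth" handler issues an HS256-signed JWT carrying the username after the directory check succeeds, and every later request is accepted or rejected by verifying that signature and the expiry. It assumes .NET Core 3.0 or later (System.Text.Json and CryptographicOperations), leaves the Active Directory lookup as a delegate you supply (the linked questions cover that part), and generates the signing key in memory at start-up, so tokens stop validating when the service restarts. The key never leaves the server, the token carries no password, and the lifetime is kept short, which is what makes the client's repeated sending of the token safe over an HTTPS intranet link.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Example code added for this page; not Nancy's or any library's JWT implementation.
public static class JwtHs256
{
    // Server-side secret. Generated once per process here; never send it to clients.
    private static readonly byte[] Key = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Base64url per RFC 7515: standard Base64 with '+'/'/' swapped and padding removed.
    private static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] B64UrlDecode(string s)
    {
        string p = s.Replace('-', '+').Replace('_', '/');
        switch (p.Length % 4) { case 2: p += "=="; break; case 3: p += "="; break; }
        return Convert.FromBase64String(p);
    }

    // "/auth" handler body: run the directory check you already have, then issue the token.
    // directoryCheck is a hook supplied by the caller (assumption: it returns true only for
    // a valid domain user); the password is used once here and is never stored or echoed.
    public static string Authenticate(string username, string password,
                                      Func<string, string, bool> directoryCheck, TimeSpan lifetime)
    {
        if (!directoryCheck(username, password))
            throw new UnauthorizedAccessException("directory rejected the credentials");
        return Issue(username, lifetime);
    }

    public static string Issue(string username, TimeSpan lifetime)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var header = new Dictionary<string, object> { ["alg"] = "HS256", ["typ"] = "JWT" };
        var payload = new Dictionary<string, object>
        {
            ["sub"] = username,                              // the user the token speaks for
            ["iat"] = now,
            ["exp"] = now + (long)lifetime.TotalSeconds,     // short lifetime limits replay
            ["iss"] = "intranet-api"                         // constructed issuer name
        };
        string signingInput = B64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(header)))
                            + "." + B64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(payload)));
        using (var hmac = new HMACSHA256(Key))
            return signingInput + "." + B64Url(hmac.ComputeHash(Encoding.UTF8.GetBytes(signingInput)));
    }

    // Per-request check (e.g. in a Nancy Before hook): signature first, then alg, then expiry.
    public static bool TryValidate(string token, out string username)
    {
        username = null;
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;

        byte[] sig;
        try { sig = B64UrlDecode(parts[2]); } catch (FormatException) { return false; }

        byte[] expected;
        using (var hmac = new HMACSHA256(Key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
        // Constant-time compare, and reject before parsing any attacker-controlled JSON.
        if (!CryptographicOperations.FixedTimeEquals(sig, expected)) return false;

        // Pin the algorithm: only accept what this server issues (never "none").
        using (var header = JsonDocument.Parse(B64UrlDecode(parts[0])))
        {
            if (!header.RootElement.TryGetProperty("alg", out var alg) || alg.GetString() != "HS256")
                return false;
        }
        using (var payload = JsonDocument.Parse(B64UrlDecode(parts[1])))
        {
            var root = payload.RootElement;
            if (!root.TryGetProperty("exp", out var exp)
                || exp.GetInt64() <= DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return false;
            if (!root.TryGetProperty("sub", out var sub)) return false;
            username = sub.GetString();
        }
        return username != null;
    }

    public static void Main()
    {
        // Constructed stand-in for the AD lookup so the sample runs offline.
        Func<string, string, bool> fakeDirectory = (u, p) => u == "alice" && p == "correct-horse";

        string token = Authenticate("alice", "correct-horse", fakeDirectory, TimeSpan.FromMinutes(15));
        Console.WriteLine(TryValidate(token, out var who) ? "valid for " + who : "rejected");

        // Tampered payload (username changed) fails the signature check.
        string[] parts = token.Split('.');
        string forged = parts[0] + "." + B64Url(Encoding.UTF8.GetBytes("{\"sub\":\"admin\",\"exp\":9999999999}")) + "." + parts[2];
        Console.WriteLine(TryValidate(forged, out _) ? "valid" : "forged token rejected");
    }
}
```

In Nancy terms, Issue belongs behind the "/auth" route and TryValidate in a Before hook that reads the Authorization header and sets the current user, which is the split the answer proposes; the client holds only the token, so the password crosses the wire once rather than on every call.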
