.NET client NTLM authentication

Mårten Byström

Sep 19, 2018, 6:18:29 AM
to rabbitmq-users
Hi,

Is it possible to use NTLM / Windows authentication with the RabbitMQ .NET client, the same way one can use "TrustedConnection" when working with SQL Server?
I.e. I would like to seamlessly use the same credentials that the host process is using.
I know that it is possible to set up the backend to use users defined in Active Directory, but this question is about the client.
I can see no such property in the ConnectionFactory.

Example for ConnectionFactory setup from our code:

    new ConnectionFactory
    {
        VirtualHost = _mqConnectionSettings.VirtualHost,
        HostName = _mqConnectionSettings.HostName,
        Port = _mqConnectionSettings.Port,
        UserName = _mqConnectionSettings.UserName,
        Password = _mqConnectionSettings.Password,
        AutomaticRecoveryEnabled = true,
        DispatchConsumersAsync = true
    };


Regards,
Mårten

Karl Nilsson

Sep 19, 2018, 7:05:10 AM
to rabbitm...@googlegroups.com
Hi,

I am not familiar with the mechanics of NTLM authentication so I can't say much about whether it is viable or not but the RabbitMQ .NET client does not support this at this time.

Cheers
Karl


Mårten Byström

Sep 19, 2018, 7:21:32 AM
to rabbitmq-users
Ok. 

I guess the same goes for Kerberos authentication? 

Cheers,
Mårten

Yusuke Masuda

Sep 19, 2018, 8:02:14 AM
to rabbitm...@googlegroups.com
Hi.
I think RabbitMQ doesn't support the Windows authentication mechanism.
However, it does LDAP authentication.

Can the LDAP authentication be an alternative solution?

Regards,
Yusuke.

Mårten Byström

Sep 19, 2018, 8:20:37 AM
to rabbitmq-users
Hi Yusuke-san,

Thanks for your reply.

Yes, the backend supports LDAP.
My question is really about the .NET client library.

BR,
Mårten

Yusuke Masuda

Sep 19, 2018, 8:36:56 AM
to rabbitm...@googlegroups.com
Mårten

Oh, sorry.
I thought you were talking about the authentication while a .NET client connects to RabbitMQ.

Does the .NET client need to be authenticated besides RabbitMQ authentication?
If so, what is the necessity?

Regards,
Yusuke.

Mårten Byström

Sep 19, 2018, 9:36:18 AM
to rabbitmq-users
We use RabbitMQ in a Windows service and we need to store the password to be used when connecting to RabbitMQ.
If the connection to RabbitMQ could use the same credentials as the service process it would make the credentials management easier, and (at least in theory) more secure as no extra passwords would be needed to be stored.

/Mårten

Luke Bakken

Sep 20, 2018, 10:04:06 AM
to rabbitmq-users
Hi Mårten,

I'd like to clarify this statement:

> We use RabbitMQ in a Windows service and we need to store the password to be used when connecting to RabbitMQ.

I'm assuming you meant to say "We use the RabbitMQ .NET client in a Windows service application". Is that correct?

> If the connection to RabbitMQ could use the same credentials as the service process it would make the credentials management easier, and (at least in theory) more secure as no extra passwords would be needed to be stored.

For this to work, RabbitMQ would have to support NTLM which it currently doesn't. An authentication backend could be developed to do it, however, with enough interest.

Thanks,
Luke

Mårten Byström

Sep 20, 2018, 10:49:17 AM
to rabbitmq-users
Hi Luke,
Yes, you are correct. That is what I mean. 
To me it feels a bit awkward that the back end has the possibility to integrate with LDAP authentication so it does not (I assume) know the passwords of users, but with the RabbitMQ .NET client you need to provide passwords in clear text.

The Stack Overflow post, however, is not mine.

Cheers,
Mårten




Luke Bakken

Sep 20, 2018, 10:54:37 AM
to rabbitmq-users
Hi Mårten -

Even with the LDAP backend, client applications must provide usernames and passwords. That's not necessarily RabbitMQ-specific, either; LDAP uses usernames/passwords as the default mode of authentication. The LDAP backend then uses that information to bind and get that user's DN and other attributes.

Support for NTLM, Kerberos and other schemes is possible should enough people request (or pay, or code it themselves) for it.

Thanks,
Luke

Mårten Byström

Sep 21, 2018, 2:30:13 AM
to rabbitmq-users
Hi Luke,

So, I gather that development work needs to be done both in the RabbitMQ .NET client and in the RabbitMQ back end if Kerberos or NTLM usage were to be enabled.

Cheers,
Mårten

Luke Bakken

Sep 21, 2018, 9:52:23 AM
to rabbitmq-users
Hi Mårten,

I don't know how NTLM is implemented, but I believe it's possible to get the Principal of the current running thread in .NET. If this information can be serialized, it can be sent to RabbitMQ in the connection request (username "NTLM", password - serialized data, for instance). RabbitMQ would then recognize it as NTLM data and perform whatever steps are necessary to validate it (contact a domain controller, for instance). This is how we have implemented OAuth2, for instance.

So there might be work necessary in the .NET client, and definitely work necessary in RabbitMQ.

Thanks,
Luke
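
The scheme sketched in the last post (a marker username, serialized data in the password field, validation on the server), as an added Python example that is not part of the thread and is not RabbitMQ or .NET client code. The HMAC-signed blob, `issue_blob`, `authenticate` and every key, user and password below are constructed assumptions standing in for whatever validation a real NTLM or Kerberos backend would perform.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for illustration only.
AUTHORITY_KEY = b"constructed-demo-key"  # stands in for the trusted validator
SENTINEL = "NTLM"                        # marker username suggested in the post


def _kdf(password):
    # Salted, iterated hash for the ordinary username/password path.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)


LOCAL_USERS = {"svc-orders": _kdf("constructed-password")}


def issue_blob(principal, ttl=60, now=None):
    """Stand-in for the authority vouching for the identity of the calling process."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": principal, "exp": now + ttl}).encode()
    tag = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body).decode()


def authenticate(username, password, now=None):
    """Server side: return the authenticated principal, or None on refusal."""
    now = time.time() if now is None else now
    if username != SENTINEL:
        # Ordinary path: check the password against the local store.
        stored = LOCAL_USERS.get(username)
        ok = stored is not None and hmac.compare_digest(stored, _kdf(password))
        return username if ok else None
    # Sentinel path: the password field carries serialized data, not a password.
    try:
        raw = base64.b64decode(password, validate=True)
    except ValueError:
        return None
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # blob was not vouched for by the authority
    claims = json.loads(body)
    if claims["exp"] < now:
        return None                      # expired: limits replay of a captured blob
    return claims["sub"]                 # identity comes only from the verified blob
```

The server never trusts a principal name the client merely asserts: a blob that fails verification or has expired is refused, and the marker username itself carries no identity.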