BITS Authentication

Posted by arlene

Even though BITS supports secure connections over HTTPS, you will most likely want to provide additional security. You can do this by specifically setting the credentials that BITS uses to access the files on the server. BITS supports Basic, Challenge/Response, and Passport authentication schemes.

To execute the sample application, you need to create a virtual directory on your Web server from which the server files will be available. You can access directory security by executing the following steps:

1. Open Internet Information Services from Control Panel and Administrative Tools.
2. Right click the Default Web Site and click New… and Virtual Directory.
3. From the Virtual Directory Creation Wizard dialog, click Next.
4. Specify an alias name for your virtual directory and click Next.
5. Browse to the directory where the server files are located and click Next.
6. From the Access Permissions dialog, click Next.
7. Right-click the newly created virtual directory and click Properties.
8. From the Properties dialog, click the Directory Security tab and then click Edit.
9. From the Authentication Methods dialog, uncheck Anonymous access and make sure Integrated Windows Authentication is the only item checked.

Once security is configured for the virtual directory, we will need to explicitly declare credentials using the SetCredentials method. BITS uses the Crypto API to protect credentials. The Crypto API is part of the core cryptography functionality in Windows and, like BITS, is available to developers through the Platform SDK.

Unfortunately, the SetCredentials method is not included when the MIDL compiler compiles the BITS type library. To use this functionality, you have to perform an additional step. This involves writing a managed C++ wrapper to call the SetCredentials method from the native BITS library.

A C++ wrapper is included with the agent solution file on the book’s Web site. It is embedded in the BITSCredentials project. The code for the BITSSetCredentials method is seen as follows:

Void BITSWrapper::BITSSetCredentials(System::IntPtr ptr, String* _ userName, String* password)

HRESULT hr = S_OK;

Void* pv = ptr.ToPointer(); IBackgroundCopyJob2* job; BG_AUTH_CREDENTIALS creds;

Const wchar_t ___ pin* user = PtrToStringChars(userName);

const wchar_t pin* passwd = PtrToStringChars(password);

Creds.Scheme = BG_AUTH_SCHEME_NTLM;

Creds.Target = BG_AUTH_TARGET_SERVER; creds.Credentials.Basic.UserName = (LPWSTR)user; creds.Credentials.Basic.Password = (LPWSTR)passwd;

Hr = ((IUnknown*)pv)->QueryInterface_

( uuidof(IBackgroundCopyJob2),(void**)&job);

If (SUCCEEDED(hr))

Hr = job->SetCredentials(&creds);

If (FAILED(hr))

BITSCredentials::BITSWrapperException* e = _

New BITSCredentials::BITSWrapperException(hr); throw e;

In this code, the BITS SetCredentials method accepts the user name and password as input parameters. It also accepts a pointer to the BITS transfer job. The method defaults to use the Windows challenge/response scheme (BG_AUTH_SCHEME_NTLM). Alternatively, we could have specified that it use basic authentication with the BG_AUTH _SCHEME _BASIC value. The drawback of this authentication method is that the user name and password are sent as clear text and therefore authentication is not as secure.

Possibly related posts: (automatically generated)
BITS Authentication

• IP Addressing continue...
• Data Encryption Standard and Triple Data Encryption Standard
• BITS Code Register for Notification
• Secret Cryptosystems of Public Keys
• System Security Scanner
• The File Transfer Protocol (FTP)
• Bluetooth Device Modes continue...
• Wired Protected Access (WPA), WPA2, and 802.11i
• Internet Key Exchange (IKE)
• Network Access Control Databases