Can I use the SAM to authenticate my users ?
We currently market a client-server system which uses a text-based dialogue over TCP/IP. It authenticates itself using a locally implemented form of CHAP, to avoid passing the password over the network. This obviously requires that our server maintains an account database holding login IDs and hashed passwords.
What we would like is to be able to do away with our local database and authenticate our client login details against the SAM database on the machine that the server is running on.
Is this possible?
It occurs to me that if the server needs to call local APIs to hash a password or use the password directly then it will need to be sent over the network - which does not sound too clever. Is this what MS FTP Server relies on ?
Do we need to call a client-side API to convert our password into a compatible hashed form to be used by the server side? What API would the server and client use? If we did call a client-side API, how do we prevent someone eavesdropping and replaying?
*Any* feedback gratefully received.
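The challenge/response exchange the post describes, with the replay question answered, as an added example that is not part of the original post or the poster's product. It uses a constructed in-memory account store (a salted PBKDF2 verifier per user) and standard-library HMAC; it does not touch the Windows SAM, and the login names, password and work factor are made up for the illustration.

```python
"""Added example: CHAP-style login that keeps the password off the wire and
defeats replay with a fresh server nonce per attempt. Account store and
credentials are constructed for the example; no SAM/NTLM involved."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for this example


def make_verifier(password: str, salt: bytes) -> bytes:
    """Derive the per-user secret the server stores instead of the password.
    It is password-equivalent: anyone who reads it can answer challenges, so
    the store needs the same protection as the passwords themselves (the same
    property the SAM's stored hashes have)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    def __init__(self, accounts: dict):
        # accounts: login -> {"salt": bytes, "verifier": bytes}
        self.accounts = accounts
        self.pending = {}  # login -> outstanding nonce, one attempt at a time

    def challenge(self, login: str):
        """Step 1 (server -> client): fresh random nonce plus the user's salt.
        An unknown login gets a random salt so the reply does not reveal
        whether the account exists."""
        nonce = secrets.token_bytes(16)
        self.pending[login] = nonce
        record = self.accounts.get(login)
        salt = record["salt"] if record else secrets.token_bytes(16)
        return salt, nonce

    def verify(self, login: str, response: bytes) -> bool:
        """Step 3 (server): recompute the expected response and compare in
        constant time. The nonce is consumed whether or not the check passes,
        so a captured response is useless to an eavesdropper."""
        nonce = self.pending.pop(login, None)
        record = self.accounts.get(login)
        if nonce is None or record is None:
            return False
        expected = hmac.new(record["verifier"], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, login: str, password: str):
        self.login = login
        self.password = password

    def respond(self, salt: bytes, nonce: bytes) -> bytes:
        """Step 2 (client -> server): rebuild the verifier locally from the
        typed password and MAC the nonce with it. Only this MAC travels."""
        return hmac.new(make_verifier(self.password, salt), nonce, "sha256").digest()


def login(server: Server, client: Client) -> bool:
    """One complete exchange; returns True on successful authentication."""
    salt, nonce = server.challenge(client.login)
    return server.verify(client.login, client.respond(salt, nonce))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    store = {"alice": {"salt": salt, "verifier": make_verifier("correct horse", salt)}}
    srv = Server(store)
    print("good password:", login(srv, Client("alice", "correct horse")))
    print("bad password: ", login(srv, Client("alice", "wrong")))
```

The point to notice is in `verify`: the nonce is popped before the comparison, so the same response presented twice fails the second time even though it was valid the first time. On Windows the equivalent of this exchange against the SAM is what the SSPI/NTLM handshake (`InitializeSecurityContext` on the client, `AcceptSecurityContext` on the server) performs, so the server never handles the plaintext password; the caveat above about the stored verifier being password-equivalent applies there too.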

