I have created a server/client application. Both of them are written in C#. It uses TCP/IP communication with custom SSL implementation.
Currently the login procedure requires a username/password pair for logging in.

I was asked to implement the single sign on to eliminate the need of username/password.

So now when the client starts it determines the currently logged in user’s SID and sends it to the server which maps this connection to a user by the SID.

This solution works well but it is not a secured solution at all, I think.

The client has a strong name and it is obfuscated, of course.

I started thinking on how it is possible to hack this login and I think it is very easy from a hacker’s point of view:
– To find out a user’s SID on a network is not a problem
– Removing the strong name and changing the appropriate code to use a hard coded SID instead of the current one can be implemented easily

So what do you think?
Can you suggest me a better solution please?
Can you tell me please how to improve the security?

Or could you tell me please how Outlook handles the user authentication? (I guess/hope it is not so easy to cheat Outlook)

Thank you!