10

I want to be able to securely log on to a system without having to type in a username and password from a Windows PC on Active Directory. The idea is that I (the client software, running on a logged-on Windows machine) have some sort of token that will prove to the server that I am who I say I am (the server talks to AD to verify the token and my identity). Is this possible with .NET 3?

Language in use is C#.

jamiei
Chilly

4 Answers

10

I think you should really look at claims-based authentication.

Microsoft has done a lot recently. You have probably heard of Geneva Server (officially called ADFS 2.0 now) and Geneva Framework (officially called Windows Identity Foundation now). The idea is that authentication is done at a central point / server (the Geneva Server or a Security Token Server (STS) in general); the authenticated user is given a security token (SAML 2.0 based) which he / she presents to the resource he / she wants to access. The authentication can be done by various means including username / password, smart card, certificates, or - in your case - by translating an already present token like the Windows authentication (called Windows Integrated Authentication).

The token is SAML 2.0 based (an industry standard, which is important for good interoperability with other vendors' STS products). It contains claims about a person which are used in an application or resource (also including web services) to do the authorization (granting rights). For that purpose it is of course essential that the application trusts the claims given by the STS. On the other hand, the application does not need to do any authentication at all.

The Geneva Framework is a library (.NET) used to process tokens in an application. It is fairly simple to use.

For further information please have a look at the white papers which give a good introduction to this topic. The official site is here.

Of course, there are many more issues which are addressed with these concepts, which really is the interesting part IMHO. This includes Single Sign On (SSO), federated Single Sign On (across multiple organization boundaries), and Delegation (an application uses a web service with your user rights). Hope this info helps!

Cheers

PS: Of course this is not at all a Microsoft-only issue. There are other STS products like Sun OpenSSO, Ping Identity, and Thinktecture Identity Server which provide similar functionality. I just highlighted the Microsoft stuff because of its good interoperability with AD and the Windows authentication mentioned in the question.

EBarr
Macross
  • The whitepapers mentioned are: http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/Introducing_Geneva_Beta1_Whitepaper.pdf and http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/GenevaFramework-WhitepaperForDevelopers-Beta2.pdf – Macross Oct 06 '09 at 09:49
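As an added example (my code, not from the answer, the white papers or WIF's own samples), this is what the "application does not need to do any authentication at all" part looks like in practice. It assumes WIF 1.0 (Microsoft.IdentityModel.dll, which needs .NET 3.5 SP1) has been configured so the incoming SAML token was already signature-checked and turned into an IClaimsPrincipal on the thread; the STS issuer name and role value are constructed placeholders.

```csharp
// Added example, not from the answer or from WIF's samples.
// Assumes WIF 1.0 (Microsoft.IdentityModel.dll) is wired up in web.config /
// app.config, so the SAML token has already been validated and installed as an
// IClaimsPrincipal on Thread.CurrentPrincipal before this code runs.
using System;
using System.Threading;
using Microsoft.IdentityModel.Claims;

public static class ClaimsAuthorization
{
    // Placeholder: the issuer name of the STS this application trusts. WIF fills
    // Claim.Issuer from its issuerNameRegistry, i.e. from the token's signing
    // certificate, not from anything the token merely claims about itself.
    private const string TrustedIssuer = "http://sts.example.invalid/trust";

    // True only when a role claim with the requested value was issued by the
    // trusted STS. A principal may carry several identities and claims from
    // several issuers; the application must not honour ones it did not ask for.
    public static bool HasRole(IClaimsPrincipal principal, string role)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        foreach (IClaimsIdentity identity in principal.Identities)
        {
            foreach (Claim claim in identity.Claims)
            {
                if (claim.ClaimType == ClaimTypes.Role
                    && claim.Issuer == TrustedIssuer
                    && string.Equals(claim.Value, role, StringComparison.Ordinal))
                {
                    return true;
                }
            }
        }
        return false;
    }

    // Called from an entry point (page, WCF operation, ...) after WIF has run.
    // The application never sees a password; it only reasons about claims.
    public static void RequireRole(string role)
    {
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null)
            throw new InvalidOperationException(
                "No claims principal on the thread: WIF token validation did not run.");

        if (!HasRole(principal, role))
            throw new UnauthorizedAccessException(
                principal.Identity.Name + " lacks the '" + role + "' role claim.");
    }
}
```

The issuer check is the part people tend to drop. Trusting the signature is WIF's job; deciding which signer's claims count for which decision is still the application's, and comparing `Claim.Issuer` against the configured STS name is how that decision is expressed.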
3

If I've understood the question correctly then it looks as if Kerberos might be exactly what you are looking for in this instance. Kerberos Authentication (if supported by your target environment) would allow this manner of ticketed authentication. For a broad overview of how Brokered authentication with Kerberos works I would recommend the MSDN reference on Brokered Authentication with Kerberos:

Brokered authentication with Kerberos http://i.msdn.microsoft.com/Aa480562.ch1_brokauthkerb_f02(en-us,MSDN.10).gif

As for the C# code supporting this, I would recommend this CodeProject article, which focuses on MS Web Services but might provide the basis for using it in other scenarios.

jamiei
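As an added example (my code, not jamiei's and not the CodeProject article's), here is the brokered-Kerberos flow in the .NET 3 stack the question targets: WCF's netTcpBinding with transport security hands the service the caller's Windows logon (Kerberos through SSPI, NTLM on fallback), so the client never types a password and the service gets a WindowsIdentity that AD has already vouched for. Service and client are hosted in one process so it runs on a single domain-joined machine; the address, port and AD group name are constructed placeholders.

```csharp
// Added example, not jamiei's code nor the CodeProject article's.
// WCF (System.ServiceModel, shipped with .NET 3.0): self-hosted service plus a
// client in the same process. Address and group name are placeholders.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    // Placeholder AD group that is allowed to call the service.
    private const string AllowedGroup = @"EXAMPLE\App Users";

    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            throw new FaultException("Caller was not authenticated by Windows.");

        WindowsIdentity caller = ctx.WindowsIdentity;

        // The service, not the client, makes the authorization decision, using
        // the group SIDs that the domain controller placed in the caller's token.
        WindowsPrincipal principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(AllowedGroup))
            throw new FaultException("Caller is not a member of " + AllowedGroup);

        // AuthenticationType names the SSPI package that produced the token,
        // which lets an operator see (or refuse) NTLM fallbacks.
        return caller.Name + " via " + caller.AuthenticationType;
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security on net.tcp: Windows credentials, signed and
        // encrypted channel by default.
        NetTcpBinding binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        Uri address = new Uri("net.tcp://localhost:8731/whoami");

        using (ServiceHost host = new ServiceHost(typeof(WhoAmIService)))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), binding, address);
            host.Open();

            // Client side: no credentials are set anywhere. WCF presents the
            // logged-on user's token during the transport handshake.
            ChannelFactory<IWhoAmI> factory =
                new ChannelFactory<IWhoAmI>(binding, new EndpointAddress(address));
            IWhoAmI proxy = factory.CreateChannel();
            Console.WriteLine(proxy.WhoAmI());
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

Two things a practitioner would add before deploying this across machines: give the client endpoint the service's identity (`new EndpointAddress(address, EndpointIdentity.CreateSpnIdentity("host/server.example.invalid"))`, SPN being a placeholder) so Negotiate can obtain a Kerberos ticket instead of silently dropping to NTLM, and, if the policy is Kerberos only, have the service reject tokens whose `AuthenticationType` is not Kerberos.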
0

If you access any network resources (file shares, SQL Servers, etc), the application will automatically perform them as the user that's currently running it. Do you want to do something more specific? If you're operating in a domain, the permissions should naturally follow you to any network resources you use.

You can use .NET to impersonate other users and perform tasks as them, but without taking any additional steps, you'll act on the user's behalf without making them log in again.

SqlRyan
0

On Windows machines each application thread is running under some security token; by default this is the token of the current user, so if you want to read a file on the machine or network your application will go there with your token. You can run applications as some other user or service, or you can impersonate in your code to act as someone else. If you are using it as an ASP.NET app, Internet Explorer will exchange data in the background with IIS (in your intranet area) so that the server will know who you are, but by default it will not run under your credentials; this can be changed through web.config.

zebra
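As an added example covering both SqlRyan's and zebra's points (my code, not theirs), this shows the token the current thread runs under and how a server impersonates a caller's token for one scoped operation and then reverts. The `RunAs` helper and the UNC path are constructed for illustration; the web.config fragment in the comment is the standard ASP.NET setting zebra refers to.

```csharp
// Added example, not SqlRyan's or zebra's code.
// Inspects the Windows token a thread runs under and wraps impersonation of a
// caller's token so that it is always reverted. UNC path is a placeholder.
using System;
using System.IO;
using System.Security.Principal;

public static class ThreadTokenDemo
{
    // Summarise the token: who it is, which SSPI package produced it, and
    // whether the local Administrators group is in its group list.
    public static string Describe(WindowsIdentity id)
    {
        WindowsPrincipal principal = new WindowsPrincipal(id);
        return string.Format("{0} (auth={1}, admin={2})",
            id.Name, id.AuthenticationType,
            principal.IsInRole(WindowsBuiltInRole.Administrator));
    }

    // Run 'work' while the thread carries 'caller', then always revert.
    // 'caller' is typically ServiceSecurityContext.Current.WindowsIdentity (WCF)
    // or (WindowsIdentity)HttpContext.Current.User.Identity (ASP.NET with
    // <authentication mode="Windows" />). It is a token, never a password.
    //
    // The ASP.NET-wide equivalent zebra mentions is in web.config:
    //   <system.web>
    //     <authentication mode="Windows" />
    //     <identity impersonate="true" />
    //   </system.web>
    public static void RunAs(WindowsIdentity caller, Action<string> work, string arg)
    {
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            work(arg);
        }
        finally
        {
            // Without Undo the thread-pool thread would serve its next request
            // as the previous caller, even if 'work' threw.
            ctx.Undo();
        }
    }

    public static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("Process token: " + Describe(me));

        // Impersonating your own token changes nothing, but it exercises the
        // same impersonate / revert path a server uses for its callers.
        RunAs(me, delegate(string path)
        {
            Console.WriteLine("Thread now runs as " + WindowsIdentity.GetCurrent().Name);
            Console.WriteLine(File.Exists(path)
                ? "Share reachable with this token: " + path
                : "Not found or access denied for this token: " + path);
        }, @"\\fileserver.example.invalid\share\report.txt");
    }
}
```

One caveat that ties back to the first answer's mention of delegation: a token obtained from a network logon is good for resources on the server itself, but using it to reach a second machine (a file share or SQL Server behind the service) needs Kerberos delegation to be configured for the service account; without it the second hop fails rather than silently running as the service account.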