
Can I use token-based authentication with Active Directory?

I want to be able to securely log on to a system without having to type in a username and password from a Windows PC on Active Directory. The idea is that I (the client software, running on a logged-on Windows machine) have some sort of token that will prove to the server that I am who I say I am (the server talks to AD to verify the token and my identity). Is this possible with .NET 3?

Language in use is C#.

Chilly asked Sep 30 '09 14:09


1 Answer

I think you should really look at claims-based authentication.

Microsoft has done a lot recently. You have probably heard of Geneva Server (officially called ADFS 2.0 now) and Geneva Framework (officially called Windows Identity Foundation now). The idea is that authentication is done at a central point / server (the Geneva Server or a Security Token Server (STS) in general), the authenticated user is given a security token (SAML 2.0 based) which he / she presents to the resource he / she wants to access. The authentication can be done by various means including username / password, smart card, certificates, or - in your case - by translating an already present token like the Windows authentication (called Windows Integrated Authentication).

The token is SAML 2.0 based (industry standard which is important for good interoperability with other vendor's STS products). It contains claims about a person which are used in an application or resource (also including web services) to do the authorization (granting rights). For that purpose it is of course essential that the application trusts the claims given by the STS. On the other hand, the application does not need to do any authentication at all.

The Geneva Framework is a library (.NET) used to process tokens in an application. It is fairly simple to use.

For further information please have a look at the white papers which give a good introduction to this topic. The official site is here.

Of course, there are many more issues which are addressed with these concepts, which really is the interesting part IMHO. This includes Single Sign On (SSO), federated Single Sign On (across multiple organization boundaries), Delegation (an application uses a web service with your user rights). Hope this info helps!

Cheers

PS: Of course this is not at all a Microsoft issue. There are other STS products like Sun OpenSSO, Ping Identity, and Thinktecture Identity Server which provide similar functionality. I just highlighted the Microsoft stuff because of its good interoperability with AD and the Windows authentication mentioned in the question.

Macross answered Oct 12 '22 23:10
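
The answer notes that the application must trust the claims given by the STS. The following is an added example, not code from the answer, showing an application-side authorization check that honours a role claim only when it was issued by the trusted STS. It uses the `System.Security.Claims` types (where the Windows Identity Foundation model lives from .NET 4.5 on) rather than the Geneva Framework assembly the answer refers to; the issuer URL, user name and role names are hypothetical, and the check assumes the token signature was already validated before the principal was built.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class ClaimsAuthorization
{
    // Hypothetical issuer name of the organisation's STS (placeholder value).
    const string TrustedIssuer = "https://sts.example.test/adfs";

    // Grant access only on a role claim that the trusted STS issued.
    // Assumption: the token handler validated the signature and set Claim.Issuer.
    public static bool HasTrustedRole(ClaimsPrincipal user, string role)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        return user.Claims.Any(c =>
            c.Type == ClaimTypes.Role &&
            string.Equals(c.Issuer, TrustedIssuer, StringComparison.Ordinal) &&
            string.Equals(c.Value, role, StringComparison.Ordinal));
    }

    static void Main()
    {
        // Constructed sample claims: two from the trusted STS, one from another issuer.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, @"EXAMPLE\alice", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "Reports.Read", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String,
                      "https://other-sts.example.test"),
        };

        // A non-empty authentication type marks the identity as authenticated.
        var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
        // Same claims, but no authentication type: treated as anonymous.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity(claims));

        Console.WriteLine("Reports.Read (trusted issuer): " + HasTrustedRole(user, "Reports.Read"));
        Console.WriteLine("Admin (other issuer):          " + HasTrustedRole(user, "Admin"));
        Console.WriteLine("Reports.Read (anonymous):      " + HasTrustedRole(anonymous, "Reports.Read"));
    }
}
```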