I want to be able to securely log on to a system without having to type in a username and password from a Windows PC on Active Directory. The idea is that I (the client software, running on a logged-on Windows machine) have some sort of token that will prove to the server that I am who I say I am (the server talks to AD to verify the token and my identity). Is this possible with .NET 3?

Language in use is C#.

A: 

If you access any network resources (file shares, SQL Servers, etc), the application will automatically perform them as the user that's currently running it. Do you want to do something more specific? If you're operating in a domain, the permissions should naturally follow you to any network resources you use.

You can use .NET to impersonate other users and perform tasks as them, but without taking any additional steps, you'll act on the user's behalf without making them log in again.

rwmnau
A: 

On Windows machines each application thread is running under some security token; by default this is the token of the current user, so if you want to read a file on the machine or network, your application will go there with your token. You can run applications as some other user or service, or you can impersonate in your code to act as someone else. If you are using it as an ASP.NET app, Internet Explorer will exchange data in the background with IIS (in your intranet area) so that the server will know who you are, but by default it will not run under your credentials; this can be changed through web.config.

zebra
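The behaviour the two answers above describe (the thread already carries the logged-on user's token, and a server in the domain can verify it without any password being typed) can be shown end to end with plain .NET 3.5 classes. This is an added example, not code from the question or from any answer; the listener prefix is a hypothetical value, and it assumes both processes run on a domain-joined Windows machine.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Threading;
// Added example (not from the question or answers). Assumes domain-joined
// Windows, .NET 3.5 (C# 3), and that the hypothetical prefix below is
// reserved for this user (netsh http add urlacl) or the process is elevated.
class IntegratedAuthDemo
{
    const string Prefix = "http://localhost:8080/";
    static void Main()
    {
        // Server: accept only Negotiate (Kerberos, NTLM fallback). Windows and
        // the domain controller validate the token; no password reaches this code.
        var listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        listener.AuthenticationSchemes = AuthenticationSchemes.Negotiate;
        listener.Start();
        var server = new Thread(() =>
        {
            HttpListenerContext ctx = listener.GetContext();
            var id = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
            string body;
            if (id == null || !id.IsAuthenticated)
            {
                ctx.Response.StatusCode = 401;   // listener normally rejects earlier
                body = "not authenticated";
            }
            else
            {
                // Authorization: decide on group membership, never on the name string.
                bool allowed = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.User);
                ctx.Response.StatusCode = allowed ? 200 : 403;
                body = String.Format("{0} via {1}, allowed={2}", id.Name, id.AuthenticationType, allowed);
            }
            byte[] bytes = System.Text.Encoding.UTF8.GetBytes(body);
            ctx.Response.OutputStream.Write(bytes, 0, bytes.Length);
            ctx.Response.Close();
        });
        server.Start();
        // Client: reuse the logged-on user's token; no credential prompt anywhere.
        var request = (HttpWebRequest)WebRequest.Create(Prefix);
        request.UseDefaultCredentials = true;
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new System.IO.StreamReader(response.GetResponseStream()))
            Console.WriteLine(reader.ReadToEnd());
        server.Join();
        listener.Stop();
    }
}
```

A 401 or 403 from the listener surfaces on the client as a WebException thrown by GetResponse, which is the point at which a real client would fall back or report the failure.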
+2  A: 
jamiei
+2  A: 

Hi,

I think you should really look at claims-based authentication.

Microsoft has done a lot recently. You have probably heard about Geneva Server (officially called ADFS 2.0 now) and Geneva Framework (officially called Windows Identity Foundation now). The idea is that authentication is done at a central point / server (the Geneva Server or a Security Token Server (STS) in general); the authenticated user is given a security token (SAML 2.0 based) which he / she presents to the resource he / she wants to access. The authentication can be done by various means including username / password, smart card, certificates, or - in your case - by translating an already present token like the Windows authentication (called Windows Integrated Authentication).

The token is SAML 2.0 based (an industry standard, which is important for good interoperability with other vendors' STS products). It contains claims about a person which are used in an application or resource (also including web services) to do the authorization (granting rights). For that purpose it is of course essential that the application trusts the claims given by the STS. On the other hand the application does not need to do any authentication at all.

The Geneva Framework is a library (.NET) used to process tokens in an application. It is fairly simple to use.

For further information please have a look at the white papers which give a good introduction to this topic. The official site is here.

Of course there are a lot more issues which are addressed with these concepts, which really is the interesting part IMHO. This includes Single Sign On, federated Single Sign On (across multiple organization boundaries), Delegation (an application uses a web service with your user rights). Hope this info helps!

Cheers

PS: Of course this is not at all a Microsoft issue. There are other products (STS) as well like Sun OpenSSO or Ping Identity which do just the same. I just highlighted the Microsoft stuff because of its good interoperability with AD and the Windows authentication mentioned in the question.

Macross
The whitepapers mentioned are: http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/Introducing_Geneva_Beta1_Whitepaper.pdf and http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/GenevaFramework-WhitepaperForDevelopers-Beta2.pdf
Macross