We have the following setup for authenticating users: a WCF authentication service that is hosted as a Windows service on a server machine. The client is a C# CAB-based application that communicates with the authentication service and other services (auditing, ...) as needed.
We want to give an option of using Active Directory to log on to the application.
The steps that were proposed are as shown below.
1. Authentication service running on server.
2. User opens application on client machine and chooses login by AD.
3. Application uses the userName and password to authenticate user against AD.
4. Application sends some token from the authenticated user to the authentication service, to get back information about SQL server and SQL db name.
5. Authentication service uses token against Active Directory and verifies that user is logged on and authenticated, and returns the required SQL information.
Are steps 4 & 5 possible without the client app needing to send the username and password to the server for authenticating against AD? I want to avoid as much as possible sending passwords on the network.
You can’t do that with AD and a client only; you need to involve a service in the authentication mechanism. If I were you, I’d send the username and password to the authentication service; the client shouldn’t talk to the AD directly at all. And if you need some SSO, you can create a token in the authentication service. AD doesn’t issue tokens, only you can, or another, more sophisticated service, like ADFS.
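The design the answer recommends, as an added example in C# (not code from the question, the answer, or the asker's project): the client hands its credentials to the authentication service, which validates them against AD with `System.DirectoryServices.AccountManagement` and then mints its own HMAC-signed, expiring token. Later calls such as the SQL-information lookup (steps 4 and 5 of the proposal) present that token instead of the password. The domain name, the SQL server and database values, the `SqlInfo` type, the token layout and the signing key are all assumptions for illustration; the WCF service contract and binding that would host these methods are not shown.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.Text;

// Illustrative return type for step 4/5 (assumed, not from the original post).
public sealed class SqlInfo
{
    public string Server { get; set; }
    public string Database { get; set; }
    public string User { get; set; }
}

public sealed class AuthenticationService
{
    private readonly string _domain;        // assumed, e.g. "CORP-PLACEHOLDER"
    private readonly byte[] _signingKey;    // HMAC secret known only to this service
    private readonly TimeSpan _tokenLifetime;

    public AuthenticationService(string domain, byte[] signingKey, TimeSpan tokenLifetime)
    {
        _domain = domain;
        _signingKey = signingKey;
        _tokenLifetime = tokenLifetime;
    }

    // Step 3, moved server-side: the service, not the client, checks the
    // credentials against AD. The caller must protect this call with a
    // transport-secured binding so the password is encrypted on the wire.
    public string Login(string userName, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        {
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                throw new UnauthorizedAccessException("Invalid credentials.");
        }
        return IssueToken(userName);
    }

    // Steps 4 and 5: the client presents the service-issued token; AD is not
    // consulted again, the token's signature and expiry are what is verified.
    public SqlInfo GetSqlInfo(string token)
    {
        string userName = VerifyToken(token);
        // Placeholder values; a real service would look these up per user or role.
        return new SqlInfo { Server = "SQLSERVER-PLACEHOLDER", Database = "APPDB-PLACEHOLDER", User = userName };
    }

    // Token layout (assumed): base64(userName|expiresUnix) + "." + base64(HMAC-SHA256(payload)).
    private string IssueToken(string userName)
    {
        long expiresUnix = DateTimeOffset.UtcNow.Add(_tokenLifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes(userName + "|" + expiresUnix);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload));
    }

    private string VerifyToken(string token)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) throw new UnauthorizedAccessException("Malformed token.");
        byte[] payload = Convert.FromBase64String(parts[0]);
        byte[] sig = Convert.FromBase64String(parts[1]);
        if (!FixedTimeEquals(sig, Sign(payload)))
            throw new UnauthorizedAccessException("Bad signature.");

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 2 || !long.TryParse(fields[1], out long expiresUnix))
            throw new UnauthorizedAccessException("Malformed token.");
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expiresUnix)
            throw new UnauthorizedAccessException("Token expired.");
        return fields[0];
    }

    private byte[] Sign(byte[] payload)
    {
        using (var hmac = new HMACSHA256(_signingKey))
            return hmac.ComputeHash(payload);
    }

    // Constant-time comparison so signature checks do not leak timing information.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The password still crosses the network once, from the client to the authentication service, so that hop must use a WCF binding with transport or message security (for example TLS on the TCP or HTTP binding); afterwards only the short-lived signed token travels, and compromising the client machine's traffic no longer yields reusable domain credentials. Keep the signing key on the service only, and rotate it if it is ever exposed, since anyone holding it can forge tokens for any user.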