WIF's Claims to Windows Token Service

Windows authentication has always been tightly locked down, and for good reason. Yet that rigidity made some use cases impossible. Here is one that sums them all up:

You have a service bus (or just a service interface) that abstracts all your backend systems from the user. All messages come in using certificate-based authentication or a non-AD username and password. A couple of your backend systems use Windows authentication, and all of their auditing is keyed on that authenticated Windows identity.

You are left with one of two choices:

  •  Use the trusted subsystem model (all calls use one service identity), and either disregard the audit or extend it with another field carrying the original caller.
  •  (foolish choice) Use an intermediate store to save every user's username and password, and replay those credentials on each call.

These were the only choices until WIF (Windows Identity Foundation), which provides Claims to Windows Token conversion: a claims-based identity that WIF has already validated (signature, issuer, audience) is converted into a Windows principal for the same user, with no password involved. The conversion is done by a separate Windows service, the Claims to Windows Token Service (c2WTS), which performs the Kerberos protocol transition on the application's behalf and only answers callers listed in its configuration.

Here is how it works: https://msdn.microsoft.com/en-us/library/ee517278.aspx
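The service-side half of that flow, as an added example that is not code from the original post or from the WIF documentation: a handler that takes the claims principal WIF has already validated, extracts the UPN claim issued by ADFS, asks c2WTS for a Windows token for that UPN, and calls a Windows-authenticated backend while impersonating the caller, so the backend's audit log records the real user. It assumes WIF 3.5 (Microsoft.IdentityModel.dll and Microsoft.IdentityModel.WindowsTokenService.dll referenced), a running c2WTS whose allowedCallers list includes the application's account, and a hypothetical backend URL; BackendProxy and CallBackendAsCaller are names chosen here.

```csharp
// Added example (not from the original post): convert a federated caller into a
// Windows identity with the WIF Claims to Windows Token Service and call a
// Windows-authenticated backend as that user.
// Assumptions: WIF 3.5 assemblies referenced, c2WTS running, the hosting account
// listed in c2wtshost.exe.config <allowedCallers>, and the hosting account set up in
// AD for constrained delegation with protocol transition to the backend's SPN.
using System;
using System.Linq;
using System.Net;
using System.Security;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;

public static class BackendProxy
{
    // Only accept UPNs issued by the STS we federate with. WIF has already checked the
    // token signature against the issuerNameRegistry; this is a defensive second check
    // so that a mis-configured trust cannot mint arbitrary UPNs. Value is hypothetical.
    private const string TrustedIssuer = "http://adfs.example.com/adfs/services/trust";

    // Runs a backend call as the federated caller. Throws rather than falling back to
    // the service identity, so a missing or untrusted UPN can never silently become an
    // audit record attributed to the service account.
    public static string CallBackendAsCaller(IClaimsPrincipal caller, Uri backend)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Unauthenticated caller; refusing to impersonate.");

        IClaimsIdentity identity = (IClaimsIdentity)caller.Identity;
        Claim upnClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);

        if (upnClaim == null)
            throw new SecurityException("Caller presented no UPN claim; refusing to impersonate.");
        if (!string.Equals(upnClaim.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("UPN claim issued by an untrusted STS: " + upnClaim.Issuer);

        // Ask c2WTS for a token for this UPN. c2WTS runs as a privileged account and
        // performs the Kerberos S4U2Self logon, so this process does not need the
        // "Act as part of the operating system" privilege itself. No password is used;
        // the only authorisation is that this process is an allowed caller of c2WTS.
        WindowsIdentity windowsIdentity = S4UClient.UpgradeToWindowsIdentity(upnClaim.Value);

        // Impersonate for the duration of the backend call only. Dispose() calls Undo(),
        // so the thread returns to the service identity even if the call throws.
        using (WindowsImpersonationContext ctx = windowsIdentity.Impersonate())
        {
            // UseDefaultCredentials picks up the impersonated token; the hop to the
            // backend succeeds only for SPNs the service account may delegate to.
            var client = new WebClient { UseDefaultCredentials = true };
            return client.DownloadString(backend);
        }
    }
}
```

Two things to verify before relying on this in production. First, the allowedCallers list in c2wtshost.exe.config (under the WIF install directory) is the only gate between "can run code as this application" and "can obtain a Windows token for any user in the domain", so keep it to the one application pool group that needs it and leave the default empty list otherwise. Second, the reach of those tokens is bounded solely by the constrained delegation settings on the application's AD account (the backend SPNs it is trusted to delegate to with "Use any authentication protocol"); a compromise of the application is therefore a compromise of every user against exactly those backends, which is still far better than the stored-password option above, but is worth stating in the threat model.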

Here is how you can proxy Exchange's OWA authentication to ADFS using C2WT (Claims to Windows Token): https://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html

Whether your federated identity spans web applications or service applications, the problems you previously worked around can now be eliminated entirely.

Find me on Twitter: https://www.twitter.com/khnidk