.NET Passport Authentication
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Microsoft .NET Passport is a user-authentication service and a component of the Microsoft .NET Framework. The .NET Passport single sign-in service and express purchase service enable organizations to deliver a fast and convenient way for consumers to sign in and make transactions on a Web site. With the .NET Passport single sign-in service, you can map sign-in names to information in your databases, which enables you to offer .NET Passport members a personal Web experience through targeted content, advertisements, and promotions. The .NET Passport single sign-in service is similar to the forms-based authentication model that is commonly used on the Web today. The .NET Passport network extends this model in the following ways:
The sign-in, sign-out, and registration pages are centrally hosted rather than being specific to each individual site.
.NET Passport can be extensively co-branded to match the look and feel of your site. Co-branding material is served directly from your site and is included in the centrally hosted pages when those pages are displayed on a client browser.
Centrally hosted pages that require additional security to exchange credentials or other information are always served using SSL.
All .NET Passport sign-in and core profile cookies are encrypted. Each participating Web site receives its own encryption key, so sign-in and profile data issued for one site cannot be read by another site, which keeps member information private to the site that received it.
The central .NET Passport servers return encrypted sign-in and profile information to your site, which can then be used to write local cookies and thus avoid redirects back to the central .NET Passport servers on subsequent page views.
Members do not need to retype their sign-in name and password when moving from site to site. .NET Passport–enabled sites issue a set of encrypted cookies in the .NET Passport central servers' domain to facilitate silent and seamless sign-in across sites. However, sites might still choose to always force members to be redirected to .NET Passport sign-in and to authenticate upon first viewing of their site.
Participating Web sites never receive a member's password. The authentication cookie is actually a pair of encrypted time stamps asserting when the member signed in. When members choose to sign out by clicking the .NET Passport sign-out link, they are redirected to a central page that enables deletion of all .NET Passport cookies from all of the sites that the member visited during the session.
There is no real-time, server-to-server communication between participating Web sites and the central .NET Passport servers. All information exchange occurs through the client's browser, using HTTP redirects, encrypted values on the query string, and cookies; a site therefore validates the ticket it receives locally, by decrypting it with its own site key, rather than by calling back to the central servers. Server-to-server communication occurs only when a centrally hosted XML configuration file is periodically downloaded and cached locally by the .NET Passport server-side object (supplied in the .NET Passport SDK); this XML file contains the current URLs for all the .NET Passport servers and the current profile schema.
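The following is an added example in Python, not code from the .NET Passport SDK or from this page, that models the site side of the exchange just described: the central server returns an encrypted ticket on the query string, the site decrypts it with its own site key, reads the sign-in time stamps, applies the TimeWindow and ForceSignin settings that the Passport Manager exposes, and only then writes a local cookie. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256, standing in for the SDK's own symmetric cipher; the ticket layout, the field names, the key, the PUID value, the instant used as "now" and the exact TimeWindow semantics (the clock starts at the last manual sign-in when ForceSignin is set, at the last silent refresh otherwise) are all assumptions made for illustration.

```python
"""Site-side handling of a Passport-style sign-in ticket (added example).

Not the .NET Passport SDK. Models what the page describes: the site never
talks to the central servers; it decrypts the ticket it got back through the
browser with its own site key and decides locally whether to trust it.
The cipher, ticket layout and TimeWindow semantics are assumptions.
"""
import hashlib
import hmac
import os
import struct
import time

TICKET_LEN = 16 + 24 + 32  # nonce + (puid, signin_time, refresh_time) + HMAC tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (stand-in for the SDK cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_ticket(site_key: bytes, signin_time: int, refresh_time: int, puid: int) -> bytes:
    """Central-server side: seal (puid, last manual sign-in, last refresh) under the site key."""
    nonce = os.urandom(16)
    body = struct.pack(">QQQ", puid, signin_time, refresh_time)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(site_key, nonce, len(body))))
    tag = hmac.new(site_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_ticket(site_key: bytes, blob: bytes):
    """Site side: verify the MAC first, then decrypt. Returns None on any failure."""
    if len(blob) != TICKET_LEN:
        return None
    nonce, ct, tag = blob[:16], blob[16:40], blob[40:]
    expected = hmac.new(site_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong site key, or tampered on the way through the browser
    body = bytes(a ^ b for a, b in zip(ct, _keystream(site_key, nonce, len(ct))))
    puid, signin_time, refresh_time = struct.unpack(">QQQ", body)
    return {"puid": puid, "signin_time": signin_time, "refresh_time": refresh_time}


def ticket_is_fresh(ticket, time_window: int, force_signin: bool, now: int) -> bool:
    """TimeWindow is the number of seconds a ticket stays acceptable. With
    ForceSignin the clock starts at the last manual sign-in (password typed);
    otherwise it starts at the last silent refresh by the central server."""
    reference = ticket["signin_time"] if force_signin else ticket["refresh_time"]
    if reference > now:  # a stamp from the future is clock skew or forgery: refuse it
        return False
    return now - reference <= time_window


def handle_return(site_key, query_t: bytes, time_window, force_signin, now=None):
    """Decide what the site does with the 't' value it received on the return URL."""
    now = int(time.time()) if now is None else now
    ticket = decrypt_ticket(site_key, query_t)
    if ticket is None:
        return {"action": "redirect_to_signin", "reason": "bad_ticket"}
    if not ticket_is_fresh(ticket, time_window, force_signin, now):
        return {"action": "redirect_to_signin", "reason": "stale"}
    # Accepted: write the local cookie so later page views need no redirect.
    return {"action": "set_local_cookie", "puid": ticket["puid"]}


def demo():
    """Fixed, made-up inputs so the outcomes are reproducible."""
    key = hashlib.sha256(b"example-site-key").digest()  # assumed site key
    now = 1_125_000_000  # an arbitrary instant in August 2005
    # Member typed the password two hours ago; the central server silently
    # refreshed the ticket a minute ago.
    blob = encrypt_ticket(key, signin_time=now - 7200, refresh_time=now - 60,
                          puid=0x0006000000A1B2C3)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    return {
        "silent_ok": handle_return(key, blob, time_window=3600, force_signin=False, now=now),
        "forced_stale": handle_return(key, blob, time_window=3600, force_signin=True, now=now),
        "tampered": handle_return(key, tampered, time_window=3600, force_signin=False, now=now),
        "wrong_site_key": handle_return(b"\x00" * 32, blob, 3600, False, now=now),
    }


if __name__ == "__main__":
    print(demo())
```

With TimeWindow set to an hour, the same ticket is accepted when ForceSignin is off (the silent refresh was a minute ago) and rejected when ForceSignin is on (the member last typed a password two hours ago); a ticket sealed under another site's key, or altered in transit, fails the MAC check before any field is read, which is the property the per-site key is meant to provide.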
Microsoft .NET Passport delivers the single sign-in service with standard Web technologies: SSL, HTTP redirects, cookies, JScript, and strong symmetric-key encryption. .NET Passport is compatible with Internet Explorer 4 and later, Netscape Navigator 4.0 and later, and browsers on some versions of UNIX.
.NET Passport–enabled sites rely on the .NET Passport central server to authenticate users. However, the .NET Passport central server does not authorize or deny the access of a user to individual .NET Passport–enabled sites. It is the responsibility of the Web site to control user access rights.
After .NET Passport authentication is verified, the .NET Passport user can be mapped to an Active Directory user through the user's .NET Passport identification, if such a mapping exists. The Local Security Authority (LSA) creates a token for that user, and IIS sets it for the HTTP request. Application developers and Web site administrators can use this security model to authorize requests based on Active Directory users. You can also delegate these credentials through the constrained delegation feature supported by Windows Server 2003. For more information about constrained delegation, see Constrained Delegation for UNC File Content. When you use Microsoft .NET Passport authentication, you can store the account information for mapped users in Active Directory. If the account is not mapped in Active Directory, IIS automatically creates an Anonymous authentication session using the anonymous user account credentials, which in most cases are those of IUSR_ComputerName.
The only difference between the IUSR credentials produced by .NET Passport authentication and those produced by standard Anonymous authentication is that .NET Passport authentication creates an IIS authentication token for the anonymous account that contains a security identifier, the .NET Passport User ID (PUID). If the account information is mapped in Active Directory, the mapped user is logged on to the local computer instead and the request carries that user's authentication token.
Users can register at a .NET Passport–enabled site, and their user information is then stored in encrypted profiles on the .NET Passport servers. When .NET Passport users register at a participating site, their personal information can be shared with the site, which makes the registration process faster. When the .NET Passport users sign in to that site again, their .NET Passport profiles can give them access to personalized accounts or services on that site.
For more information about .NET Passport authentication, see the Microsoft .NET Passport homepage.
Conforming to Passport Privacy Guidelines
When you implement .NET Passport for Web sites running on Windows Server 2003, you must conform to the Passport privacy guidelines. Use one of the following two configurations for your Web site:
Configuration 1: Configure IIS 6.0 to use both .NET Passport authentication and Anonymous authentication. Your Web site exhibits typical Passport behavior, but this configuration requires that you store all Passport-enabled Web pages on the Web site itself.
Configuration 2: Create a virtual directory for an IIS 6.0 Web site and configure it for Anonymous authentication. Store a default Passport-enabled Web page in this virtual directory. This page displays the Passport sign-in logo, returned by the call to Manager.LogoTag(), and contains a return URL value that points to a second virtual directory on the same Web site.
Then configure the second virtual directory to use .NET Passport authentication only, and store the rest of your Passport-enabled Web pages there. You can set the ForceSignin and TimeWindow values in the Passport Manager Administration Utility as you choose: TimeWindow bounds, in seconds, how old a member's sign-in may be before the site sends the member back to the central servers, and ForceSignin measures that age from the member's last manual sign-in rather than from a silent refresh.