Nov 12

Win8 and Flowing Authentication Credentials

The Problem

A couple of months back I was developing a demo Windows 8 application (HTML/JS) and needed to authenticate against a web service on the corporate network. The credentials needed are the same as the user's domain account, and I hoped to make use of some of the Windows 8 application capabilities such as Enterprise Authentication. As a sometimes hacky developer, I tried enabling this and poking around various objects and interfaces looking for a username and password. I had a strong feeling that it would not be this easy, and that I should file a bug report if it were. I did eventually find how to get the user's principal name (domain name / username, close enough…) by using Windows.System.UserProfile.UserInformation.getPrincipalNameAsync(). Poking around the UserInformation object I found ways to get generic information about the user, but nothing close to the kind of authentication object I believed the web service could understand and make use of. As a result, the project had to settle for an authentication prompt on startup.

Defeated, I gave in and posted a question on Stack Overflow lamenting the fact that I knew my user was logged in, but I was still prompted for user credentials…

Light at the end of the Authentication Tunnel

Just this week I finally received a potential answer to the situation: add the site to the Local intranet zone under Internet Options. It wasn't until I started thinking about the implications of what I wanted the application to do that it started to make sense why this additional step was deemed necessary. I was telling the application: hey, I know my user is logged in and I want his or her authentication credentials sent here because they need to use this web service. Nowhere in that statement is there anything that establishes the site as trusted or the request as safe. I gave it a try, and with much success: the authentication prompt is no longer needed.

Along with this change I also had the following application capabilities set in the app manifest:

  • Enterprise Authentication
  • Internet (Client & Server)
  • Private Networks (Client & Server)
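The Local intranet step described above, as an added PowerShell example that is not the author's code: it reads the ZoneMap registry keys that the Internet Options dialog writes, lists every host mapped into the Local intranet zone (the hosts that will receive the logged-in user's credentials with no prompt) and shows the equivalent of adding one host by hand. The host name passed to Add-IntranetZoneHost is an assumption; the registry paths are the standard Internet Settings zone map locations.

```powershell
# Added, constructed example: audit which hosts are mapped into the Local intranet zone.
# Hosts in zone 1 get the logged-in user's Windows credentials automatically, so this is
# the list a defender wants to review after someone "adds the site to the Local intranet".
# Zone ids: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.

$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    # Mappings pushed by Group Policy live under the Policies keys instead
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IntranetZoneHost {
    param([string[]]$Roots = $ZoneMapRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Layout: Domains\<domain>[\<host label>]; the value name is the scheme ("http",
        # "https" or "*") and the DWORD data is the zone id. Reversing the key path
        # below "Domains\" reassembles the host name.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $parts = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8) -split '\\'
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq 1) {
                    [pscustomobject]@{ Source = $root; Host = $hostName; Scheme = $scheme }
                }
            }
        }
    }
}

# The manual step from the post for one host (assumed name), written to the user's own
# zone map. Only the named scheme is mapped, so an https-only service stays https-only.
function Add-IntranetZoneHost {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $labels = $HostName -split '\.'
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domainKey = Join-Path $ZoneMapRoots[0] ($labels[-2..-1] -join '.')
    $key = if ($labels.Count -gt 2) { Join-Path $domainKey ($labels[0..($labels.Count - 3)] -join '.') } else { $domainKey }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 1 -Force | Out-Null
}

# Example run: map an assumed internal service, then list everything in zone 1.
Add-IntranetZoneHost -HostName 'intranet.example.corp'
Get-IntranetZoneHost | Format-Table -AutoSize
```

Entries under the Policies roots come from Group Policy and cannot be changed from the dialog, so a host that shows up there was granted silent credential flow by an administrator rather than by the user.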

From the Dev’s Corner

Thinking about this from the developer's point of view, I should be able to send the user's credentials with their permission, and as yet I'm not sure what I can do inside the application to raise a UAC-style prompt informing the user that the application would like to use their credentials to authenticate. The current manual solution has two drawbacks: it requires user or installer intervention to set up, and it hides the fact that a logged-in user's credentials are being used. I'll have to think about this problem a bit to see if there is a more elegant solution.
