Authentication for WinRT devices joined to a domain

Authentication for WinRT devices joined to a domain

Old forum URL:

TSF posted on Friday, June 13, 2014

We will have tablets running Win 8.1 Pro that will be joined to the domain, and users will sign in to those devices with their network credentials; however, I don't anticipate them connecting to the network via VPN while on the road. Instead, I expect the app to hit our remote DP on the DMZ, which in turn would talk to our internal app server behind the firewall. So it is a 4-tier deployment. In in this context, will I have access to their identify when sending requests to the remote DP?

In other words, can I utilize ApplicationContext.User in the domain-joined WinRT world? Or should I expect to require the user to enter his credentials in the app itself and pass them (over https) with every call to the remote DP for authentication on the server? Thanks.

RockfordLhotka replied on Friday, June 13, 2014

I don't know the answer for sure, but I am doubtful that the credentials will flow from the client to the server in your scenario.

In fact, given a 4-tier model, I'm quite certain they won't, because NTFS only flows credentials over one hop.

So you could almost certainly get them to flow from client to the initial web server by setting the data portal endpoint to require NTFS/Windows security, and setting the client's WCF proxy to pass the user's credentials. But the credentials won't flow past the web server because that was your one hop.

TSF replied on Friday, June 13, 2014

Thanks, Rocky. I had forgotten about the multiple network hops in this circumstance. I think our network folks might have enabled Kerberos, but even then I don't know if our web server (in the DMZ) is a part of the corporate domain.

Sounds like I might need to just plan on capturing the user's credentials within the app and pass that with each call. I assume I can do this using ApplicationContext.ClientContext.

Copyright (c) Marimer LLC