pass login to application

beachboy

How can I pass the login (security info) to a secondary application?
ASP.NET 1.1

A user logs in to application 1 (app1.myapp.com) with their username and
password, then they have a link to application 2 (app2.myapp.com), and I want
to pass the authentication of application 2 with a backend process.

Also, security is the first priority.

Thanks in advance.
 
AMDRIT

What I have done in the past was use a "public" and "private" token to pass
a user around from application to application.

When a user clicks on a link that leads to another web application, I first
create a private token (a guid if you will) and store it in some common
storage (SQL Server). Then I take the hash of the private token (along with
the username, referring page url) and pass it as an argument to the website.
The tokens have short lifespans and will timeout after say 10 seconds.

I use both AD and Custom Rolled Security accounts. NT Accounts would be
internal employees that are mainly managing content and providing minimal
data entry. Custom Security accounts (Simply a series of tables in a SQL
server) are B2B users and registered customers/affiliates. There is a
private web service sitting just inside the DMZ to manage both security
authentication modes and all data manipulation. The public web server(s)
is/are merely the interface and conduit.

In order for there to be acceptance of the "credentials", the hash must
match, the username must match that which is stored with the private token,
the referring page url must match the value that was passed along. If the
authentication fails, the user is challenged with the regular login screen.
Because of the NT accounts, their password is cached (encrypted) in a SQL
table so that they may request data from the private web service and provide
valid credentials.

It seems pretty solid to me and has been running since 2002 servicing 1,200
users, 150-300 concurrently during peak hours. It has passed every audit
and inspection thrown at us from the likes of (at the time) Anderson
Consulting, Burbee, and over a dozen major pharmaceutical companies (I am
not allowed to divulge names).

The solution supports 23 distinct web applications (ASP and ASP.Net)
spanning 2 public web servers, 2 private web services servers, 4 Citrix
servers, IP*Switch's Webmail solution, Outlook Web Access. All of this
access is provided via a single login screen, a virtual desktop if you will.
Granted some customizations were made in Webmail and OWA to complete the
circle.

I only wish that VS'05 was out when I began the development using VS'02. At
least now I have a lot more experience to borrow from when I remodel it.
AJAX? Heck, it used to be just a Div tag wrapping an IFrame with some
JavaScript thrown in to make a progress bar and to wait for the response.
Web services used to be Http requests, then some elaborate SOAP, then DIME.
Man have we come far since 1995 IIS 2.0 and Navigator, let alone Prodigy's
rate increase marking the death of BBS's and gopher's text being replaced by
hyper text in '93.

I hope this helps.
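
The handoff described in the answer above, as an added sketch that is not part of the original post or the poster's code: app 1 issues a short-lived token pair, and app 2 accepts it only if the hash, username and referring URL all match. Assumptions: Python rather than ASP.NET, an in-memory dict standing in for the shared SQL Server table, HMAC-SHA-256 as the "hash", single-use redemption, and hypothetical function names.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 10  # lifespan mentioned in the post
_store = {}  # stands in for the shared SQL Server table: username -> record


def _public_token(private_token, username, referrer):
    # HMAC keyed with the private token (assumption: the post only says "hash").
    # Each field is length-prefixed so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (username.encode(), referrer.encode()))
    return hmac.new(private_token, msg, hashlib.sha256).hexdigest()


def issue_handoff(username, referrer, now=None):
    """App 1: called when the user clicks the link to app 2."""
    now = time.time() if now is None else now
    private_token = secrets.token_bytes(32)  # never leaves the server side
    _store[username] = {"private": private_token, "referrer": referrer,
                        "expires": now + TOKEN_TTL_SECONDS}
    return _public_token(private_token, username, referrer)


def redeem_handoff(username, referrer, presented, now=None):
    """App 2: True only if hash, username and referrer all match in time."""
    now = time.time() if now is None else now
    # Single use (assumption): the record is consumed by the first attempt,
    # so a captured URL cannot be replayed inside the 10-second window.
    record = _store.pop(username, None)
    if record is None or now > record["expires"]:
        return False
    if record["referrer"] != referrer:
        return False
    expected = _public_token(record["private"], username, referrer)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), presented.encode())
```

When `redeem_handoff` returns False, the caller falls back to the regular login screen, as the post describes.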
 
