7.4 XP and Windows Server 2003 changes


When the user is using a Windows XP or Windows Server 2003 operating system platform, the Passport authentication exchange can be slightly different. In XP and Windows Server 2003, part of the Passport authentication can be managed by the operating system instead of the browser. In XP and Windows Server 2003, Microsoft implemented a security feature called the credential manager. It is a single sign-on solution based on a secure client-side credential cache. Credential manager is explained in greater detail in Chapter 9.

In XP and Windows Server 2003, Passport can use a login dialog box that is generated by the operating system (illustrated in Figure 7.3) rather than the web-based dialog that is retrieved from the Passport domain authority server. You may have noticed in Figure 7.3 that the Passport login dialog box has a different layout depending on the participating Web site from which the Passport authentication process was started; this feature is known as “cobranding.”


Figure 7.3: Windows XP and Windows Server 2003 built-in MS Passport login dialog box: (a) MoneyCentral login and (b) bCentral login.

This aspect of Windows integration is optional. The participating site controls whether it wants the OS-based or the Web-based login dialog box through the specific calls it makes to the Passport Manager COM object. Because cobranding is limited on the OS-based dialog, most participating sites opt for the web-based approach. Both approaches use the credential manager.

When using the OS-based Passport login dialog box, only Steps 3 and 4 of the Passport authentication exchange are different (Steps 1 and 2 and 5 through 7 remain identical; see Figure 7.2):

  • Step 3: The Passport domain authority server requests the user’s operating system platform (Windows XP or Windows Server 2003) to display the Passport login dialog box rather than presenting the user with a Passport login page (the latter is what happens on pre-XP and pre-Windows Server 2003 Passport platforms).

  • Step 4: The user enters his Passport credentials in the Passport login dialog box. The credentials are sent to the Passport domain authority server over an SSL connection. The domain authority server then validates the user credentials. With the exception of the use of the Passport “login dialog box,” this step is identical to the way it worked on pre-XP and Windows Server 2003 Passport platforms.

Passport credentials can be saved in the credential manager. Because the credential manager’s data are stored in the user profile, the credentials can be cached locally on the user’s machine or remotely on a server (in the case of a roaming profile). To store your Passport credentials in the credential manager cache, check the “Sign me in automatically” checkbox (as illustrated in Figure 7.3).

In Windows XP and Windows Server 2003, Passport registration also works differently: Instead of redirecting the user to a Passport registration page, XP and Windows Server 2003 start the .NET Passport wizard (illustrated in Figure 7.4). The wizard, which comes bundled with the Windows Server 2003 and XP OSs, guides the user through the Passport registration process. Only the first page of the wizard is hard-coded in the OS; the remainder of the wizard is web-based content hosted by the Passport servers. The wizard can also be started manually at any time from the “User Accounts” Control Panel applet:

Figure 7.4: .NET Passport Wizard.

  • If your computer is a member of a domain, click the “Advanced” tab in the account properties and then click the .NET Passport Wizard.

  • If your computer is not in a domain and your account is an administrator account, click “Set up my account to use a .NET Passport” in the account properties.

  • If your account is not an administrator account, click “Set up my account to use a .NET Passport” in the “Pick a task” bar.

Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
Year: 2003
Pages: 137
Authors: Jan De Clercq
