Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

Let us now revisit the Passport authentication exchange of Figure 7.4 and look at which cookies are sent back and forth between the different Passport components. This exchange is illustrated in Figure 7.7.

An important component in the Passport authentication cookie exchanges is the Passport Manager COM object. It is a server-side automation object that is installed on all participating Web sites. The Passport Manager object provides encryption services to protect Passport user data and handles the Passport cookie setting, parsing, and expiration logic. It also silently communicates with the Passport Nexus servers to determine the current configuration of the Passport network. Besides cookies, it also uses the HTTP query string as an intermediary for querying the central user store at the Passport domain authority. The advantage of using cookies over the HTTP query string as a data storage intermediary is that the URL display in the user’s browser (the Internet Explorer “Address Bar”) does not become cluttered with cryptic information:

Figure 7.7: Passport authentication sequence including cookies: initial login (Windows XP and Windows Server 2003).

• During Step 5 the Passport domain authority redirects the user to the participating Web site. In the query string of the HTTP redirect message, the domain authority appends the ticket cookie and the specific profile cookie for the participating Web site.

• During Step 6 the Passport domain authority writes the ticket-granting cookie, the ticket cookie for the domain, the general profile cookie for the domain, and the visited sites cookie to the user’s machine.

• During Step 7 the Passport Manager COM object on the participating Web site decrypts the cookies it received from the domain authority, validates them, and then writes them to the user’s machine.

Note the different cookies that are stored in the user’s cookie store on the user’s machine. In Windows XP and Windows Server 2003, user-specific cookies are stored in the “cookies” folder of the user profile.

Figure 7.8 shows the Passport cookies that are exchanged when the user accesses another Web site (in the example “Starbucks.com” during the user’s Passport logon session0. In this case the Passport Authentication Sequence will be slightly shorter:

Figure 7.8: Passport authentication sequence including cookies: log in to second site (Windows XP and Windows Server 2003).

• Step 1: The authentication sequence starts when the user clicks the

“Sign In” icon on the Starbucks homepage.

• Step 2: Clicking the “Sign In” icon causes an HTTP redirect to the

Passport domain authority server’s login page.

• Step 3: The Passport domain authority server queries the user’s cookie cache and detects that the user has a valid ticket-granting cookie. As a consequence, the domain authority will not request the user’s operating system platform to display the Passport login dialog box.

• Step 4: The Passport domain authority redirects the user to the participating Web site. In the query string of the HTTP redirect message, the domain authority appends the ticket cookie and the specific profile cookie for the Starbucks Web site.

• Step 5: Because the user has a set of valid domain cookies, the Passport domain authority only updates the visited sites cookie to include a reference to Starbucks.com and writes it to the user’s machine.

• Step 6: The Passport Manager COM object on the Starbucks Web site decrypts the cookies it received from the domain authority, validates them, and then writes them to the user’s machine.