X509CertificateCredential or some simple way to authenticate to azure active directory for windows service

StackOverflow https://stackoverflow.com/questions/23330788

10-07-2023

Question

I am struggling with figuring out how to implement X509CertificateCredential with AuthenticationContext, or even if it is a good solution.

The sample http://code.msdn.microsoft.com/windowsazure/AAL-Server-to-Server-9aafccc1 looks like the client code has the private keys and WAAD portal has the public cert. I may be wrong.

The user story that I am looking for is, lots of clients (Windows Services) no UI that need to connect to single tenant WebAPI.

As the # of clients is large we don't want to redeploy X509 Certificates on every Windows Service; the client IT department will kill us.

Thanks


Solution

Your scenario requires daemon services to securely communicate with a web API. For this, the services need to be given an identity that the web API understands. Further, the services need to be given a credential using which they can get a token that proves their identity to the web API. Azure AD is a good choice - it allows you to secure your own Web APIs and supports service principal identities. You're looking at the right documentation; the updated sample application that uses cert auth with AD Auth Library (what you refer to as Authentication Context, I guess) is here: https://github.com/AzureADSamples/Daemon-CertificateCredential-DotNet. Azure AD supports two kinds of credentials for daemon services: certs and symmetric key client secret (valid for 1 or 2 years). In either case you can't escape having to provision the credential on every instance of the daemon service, and write automation to update this credential when the secret needs to be rolled. I believe this is your best bet.

Hope that helps.
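The certificate-credential flow the answer describes, as an added example that is not part of the StackOverflow post or the linked Daemon-CertificateCredential-DotNet sample. It uses MSAL.NET (the `Microsoft.Identity.Client` NuGet package) rather than the older ADAL `AuthenticationContext`, loads the certificate from the Windows LocalMachine store so the private key is provisioned on the host rather than shipped in the binary, and obtains an app-only token for the Web API with the client-credentials grant. The tenant ID, client ID, API scope and thumbprint are placeholders you would replace with your own values; the app registration in Azure AD is assumed to have the certificate's public key uploaded.

```csharp
// Added example (not from the StackOverflow post or the linked sample).
// Assumptions: NuGet package Microsoft.Identity.Client; the daemon's app registration
// in Azure AD has the certificate's public key uploaded; the constants below are placeholders.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class DaemonTokenClient
{
    const string TenantId = "<TENANT_ID>";                       // placeholder
    const string ClientId = "<CLIENT_ID>";                       // placeholder: the daemon's app registration
    const string ApiScope = "api://<API_APP_ID_URI>/.default";   // placeholder: the single-tenant Web API

    // Look the certificate up by thumbprint in the machine store. The private key stays on the
    // host (ideally non-exportable), so rolling it means installing a new cert and changing
    // one thumbprint in the service's configuration, not redeploying the service.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true)
            .Cast<X509Certificate2>()
            .FirstOrDefault();
        if (cert == null || !cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate not found in LocalMachine\\My or it has no private key");
        return cert;
    }

    // Client-credentials flow: there is no user. MSAL builds a JWT assertion, signs it with the
    // cert's private key and exchanges it for an access token scoped to the Web API.
    // Azure AD verifies the signature against the public key registered on the app.
    public static async Task<string> AcquireTokenAsync(string thumbprint)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithCertificate(LoadCertificate(thumbprint))
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // MSAL caches the result in memory and returns the cached token until it nears expiry,
        // so the service can call this on every request without hammering the token endpoint.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { ApiScope })
            .ExecuteAsync();

        return result.AccessToken;
    }
}
```

The service account the Windows Service runs under needs read access to the certificate's private key in the machine store (granted through the certificate's "Manage Private Keys" ACL). For the symmetric-secret alternative the answer mentions, `.WithCertificate(...)` is replaced by `.WithClientSecret(...)`, and the secret then has to be stored and rotated on every instance, which is the provisioning burden the answer says you cannot avoid either way.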

Licensed under: CC-BY-SA with attribution