LiveID support in WWSAPI on Win7

In Windows 7, LiveID can be used with WWSAPI in two scenarios:

1. SSPI over TCP (WS_TCP_SSPI_TRANSPORT_SECURITY_BINDING) with the default SPNEGO package: on both client and server

2. HTTP Negotiate header authentication (WS_HTTP_HEADER_AUTH_SECURITY_BINDING): on the client side only


When you install the latest LiveID SSP onto your Windows 7 machine and configure the machine and live site properly, you can use LiveID credential as the client credential. This client credential has to be represented as WS_OPAQUE_WINDOWS_INTEGRATED_AUTH_CREDENTIAL, whose opaqueAuthIdentity field can be obtained by calling the new Win7 API SspiPromptForCredentials. On the server side, you can add a Active Directory mapping to map the live ID’s unique ID to a domain account. When the authentication completes, the server will get a client token of the mapped domain account.


Since LiveID SSP does not support being called from kernel mode yet, this doesn’t work when Negotiate header authentication happens in HTTP.SYS, which is used by WWSAPI server. However, you can use this with server hosted in IIS by turning off kernel mode authentication.


The configuration is a little involved. If you are interested, send me an email and I’ll be happy to explain in details.