We’ve completed our authentication bridge, known as SparkBridge, for Universal Windows Platform (UWP) applications, so that a HoloLens application can authenticate against on-premise Active Directory.
The PC version of a UWP app such as RemoteSpark can use Windows Hello for Business to authenticate to Active Directory (AD). This doesn’t work on the HoloLens, which can only authenticate with an Azure Active Directory (AAD) account, a Microsoft Account (MSA), or a local account.
For on-premise Active Directory you therefore need an authentication proxy/bridge/relay like the one we built for RemoteSpark. The HoloLens itself uses a local account, and RemoteSpark can be configured so that it can only be used with a valid AD account.
SparkBridge was originally titled Kognitiv Spark Mixed Reality Authentication Bridge for the Enterprise, but the name was changed so as not to sound like a Microsoft product circa 2008. Example: Windows Server 2008 R2 Service Pack 3 for Data Center on I64.
This method mimics how a Microsoft cloud account is currently validated with RemoteSpark or any UWP application.
When the user logs in to RemoteSpark with an AD account on the HoloLens, the RemoteSpark client opens a WebView with content from the configured AD Authentication Agent server. The WebView collects the AD username, AD password, and email address from the user. If authentication succeeds, the AD Authentication Agent sets up a secure session.
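As an added example (not SparkBridge’s own code, which is not published here), a Python sketch of the agent side of the flow above: the credentials arrive from the WebView form, are checked against AD through a deployment-supplied hook (assumed here; an LDAPS simple bind in practice), and only a signed, expiring session token goes back to the client, never the AD password.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

# Constructed per-process signing key; a real agent would load it from protected configuration.
SESSION_KEY = secrets.token_bytes(32)
SESSION_TTL_SECONDS = 8 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(username: str, email: str, now: Optional[float] = None) -> str:
    """Issue an HMAC-signed, expiring session token bound to the AD user (no password material inside)."""
    now = time.time() if now is None else now
    claims = {"sub": username, "email": email, "exp": int(now + SESSION_TTL_SECONDS),
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def validate_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the session claims if the signature verifies and the token has not expired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if claims.get("exp", 0) > now else None


def handle_login(form: dict, verify_ad: Callable[[str, str], bool]) -> Optional[str]:
    """Agent handling of the WebView form: validate input, check AD credentials, then issue a session.
    verify_ad is a hypothetical hook (e.g. an LDAPS bind) supplied by the deployment, not by this sketch."""
    username = form.get("username", "").strip()
    password = form.get("password", "")
    email = form.get("email", "").strip()
    if not username or not password or "@" not in email:
        return None
    if not verify_ad(username, password):
        return None
    return issue_session(username, email)
```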
Additional Security/Trust Factors:
Each day the security and development teams have a stand-up, which means security and product features/roadmap are discussed as a group every day. We’re continuously looking at ways to increase the security of our Mixed Reality applications, and many of our ideas come from the collaboration between the various disciplines on our team.
The team is also exploring low-level UWP libraries for SAML, LDAP, Kerberos, etc., as additional mechanisms for authenticating and securing Mixed Reality apps like RemoteSpark against various authentication providers.
Currently we’re looking at implementing a Relying Party Trust with AD FS for UWP application authentication using AD, and at integrating this into our bridge, which gives us additional options for supporting various versions of on-premise Active Directory installations.