My application software is deployed across two tiers: a WinForms workstation
client and a Web Services layer. My application will require authentication;
however, I'm not keen on building my own authentication services into the
application. Rather, I'd like to leverage Windows domain security. I can
think of three scenarios:

1. The user is logged in to the domain. In this case, I'm assuming that the
user's credentials will be used automatically when calling secured web
services.

2. The user is not logged in to the internal network. When accessing the
secured web service without credentials, will the user be automatically
prompted for credentials, or will I need to trap for access denied and
solicit credentials myself? I'm hoping that this will work transparently
since I'm not interested in getting involved with the solicitation and
validation of login credentials.

3. A kiosk scenario: A user is logged in to the domain and the software is
running under this session; however, this session is merely used to host a
running instance of the WinForms client. In actuality, the logged-in user
will not have permissions to access the web services at all. In this
scenario, I need to facilitate temporary login and then subsequent logout
(i.e. application login/logout - the underlying Windows session should
remain undisturbed) for every temporary user who steps up to the kiosk to
use the application. Are there any whitepapers or examples of how this can be
done?

Thanks very much for any advice which you can provide.

Joseph Geretz