From CRM 7 we have one single, common database user where password no longer stored reversibly. It is a plugin-based, open-ended authentication system. It's safe, password-free reauthentication tickets for web requests and identity transfer. We use industry-standard algorithms for encryption, hashing and signing and everything is NetServer-based
The old system stored passwords using a reversible encryption. This is inherently insecure (and obsolete); and code reflection makes it impossible to hide the method
Storing passwords in a reversible way is a no-no, but as long as you're using username+password to reauthenticate (think of the old NetServer Secret), you have no choice. That is one reason why the changes are so pervasive and breaking - it all hangs together.
The world used to be simple, each system its own user/password concept. No more - people expect and require integrations, policies, control, ...
Integration with Active Directory (Windows) is a feature of CRM 7, and we needed a way to actually implement it, in a first-class manner and not as a by-product of some ODBC setting
Federated security is not quite a reality, yet. The "Geneva" framework project at Microsoft, also known as Windows Identity Foundation, is not yet released. We have been tracking it closely and the concepts we use are in line with it.
Authentication and authorization are crucial, and separate, concepts
Authentication is about identity - who you are
We can delegate the identification of the user to anyone we trust to do so
How we know who the user is, does not matter (unless we had different levels of trust, like the Norwegian tax website does)
Authorization is about what you can do, once we know who you are
We cannot delegate authorization; that is our own domain
The importance of keeping authentication, identity and authorization clearly apart in your mind cannot be over-emphasized. Mix them up and bad things will happen, such as unpleasant dependencies creeping into your system.
One important characteristic of the new system is that it tries to separate these concepts completely.
||is a process that resolves credentials (evidence) into an identity, and nothing else
||defines who you are, and nothing else
||derives from identity, and defines what you can do, whoever you are