
Authenticate user using Active Directory and get a token to be used elsewhere

We have the following setup for authenticating users. A WCF authentication service that is hosted as a Windows service on a server machine. The client is a C# CAB-based application that communicates with the authentication service and other services (auditing, ...) as needed. We want to give an option of using Active Directory to log on to the application. The steps that were proposed are as shown below.

  1. Authentication service is running on the server.
  2. User opens the application on the client machine and chooses login by AD.
  3. Application uses the userName and password to authenticate the user against AD.
  4. Application sends some token from the authenticated user to the authentication service, to get back information about the SQL Server and SQL DB name.
  5. Authentication service uses the token against Active Directory, verifies that the user is logged on and authenticated, and returns the required SQL information.

Are steps 4 & 5 possible without the client app needing to send the username and password to the server for authenticating against AD? I want to avoid as much as possible sending passwords on the network.


You can't do that with AD and a client only; you need to involve a service in the authentication mechanism. If I were you, I'd send the username and password to the authentication service; the client shouldn't talk to the AD directly at all. And if you need some SSO, you can create a token in the authentication service. AD doesn't issue tokens; only you can, or another, more sophisticated service, like ADFS.
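
An added example (not part of the original answer, and not code from the poster's project) showing the flow the answer recommends: the authentication service validates the credentials against AD itself, then issues its own signed, expiring token that other services can verify without seeing the password. The `TokenIssuer` class, the token layout and the 30-minute lifetime are assumptions, and the credentials are assumed to reach the service over an encrypted channel.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper hosted inside the authentication service (not a WCF or AD API).
public sealed class TokenIssuer
{
    private readonly byte[] _key;     // random server-side secret, never sent to clients
    private readonly string _domain;  // AD domain name (assumed configuration value)

    public TokenIssuer(byte[] key, string domain) { _key = key; _domain = domain; }

    // Only the service talks to AD; returns null when the credentials are rejected.
    public string Login(string user, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
            if (!ctx.ValidateCredentials(user, password)) return null;
        return Issue(user, DateTimeOffset.UtcNow.AddMinutes(30));
    }

    // Token layout (assumed): base64(user) "." expiry-unix-seconds "." base64(HMAC-SHA256)
    public string Issue(string user, DateTimeOffset expires)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(user)) + "." + expires.ToUnixTimeSeconds();
        return payload + "." + Sign(payload);
    }

    // Checks signature first, then expiry; returns the user name or null.
    public string Validate(string token, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return null;
        string payload = parts[0] + "." + parts[1];
        if (!FixedTimeEquals(Sign(payload), parts[2])) return null;           // forged or altered
        if (!long.TryParse(parts[1], out long exp) || now.ToUnixTimeSeconds() >= exp) return null; // expired
        return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
    }

    private string Sign(string payload)
    {
        using (var h = new HMACSHA256(_key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Comparison without early exit, so timing does not reveal how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With a shared HMAC key, any service that validates tokens can also mint them, so the key should be held only by services trusted to that degree; otherwise have them call the authentication service to validate.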
