a web application design question

  • Question


    First, thank you for your help. I am new to architecture, and I would prefer to make the right design decision.


    I have the following design requirements for a web application:

    1. This site would serve both internal users under Active Directory and external users (partners) who are not under Active Directory
    2. Users must be authenticated
    3. Exchanged data is sensitive
    4. There is a web services layer to connect the site to the different data stores
    5. The services layer is behind the firewall
    6. The data stores reside behind the firewall as well

    My dilemma is as follows:

    • Should I create two sites: one for internal users and another one for external users
    • Use AD for authentication for internal users, and use a separate identity store for external users
    • Use Kerberos for internal users and X.509 for external users (for secure messaging and transport)

    OR

    • One single site that sits on the internet and is accessible by both internal and external users
    • Use one single identity store
    • Use X.509 for secure communication

    Thank you for your input.

    Monday, December 1, 2008 10:10 PM

All replies

  • I would use option 1

    • Should I create two sites: one for internal users and another one for external users
    • Use AD for authentication for internal users, and use a separate identity store for external users
    • Use Kerberos for internal users and X.509 for external users (for secure messaging and transport)

    And with additional comment...

    If your users are coming from other organizations, as in a B2B-type website, you could consider "pass-through sign-on" for those external users.

    Tuesday, December 2, 2008 1:49 AM
  • Hi,

    I would prefer your second option

    • One single site that sits on the internet and is accessible by both internal and external users (better maintainability and storage)
    • Use one single identity store (for domain users use AD, and for non-domain users use Forms authentication; how is explained below)
    • Use X.509 for secure communication (go ahead)

    You can achieve this solution by using Single Sign-On web security. It supports both Windows authentication and Forms authentication together.

    All your security-related activities are also taken care of in "Single Sign-On".
    More information is provided at http://msdn.microsoft.com/en-us/library/ms972971.aspx

    If it resolves your problem, please mark it as the answer.

    Regards,
    Pramod.K.V.P

    Tuesday, December 2, 2008 10:05 AM
  • Hi,

    I've used something like your option 2, and it works very well; I think it's the best join.

    Create artifacts for everything: your layers, the technologies that you want to use, etc., because with this vision you can make better joins.

    Regards

    Pisani.


    Tuesday, December 2, 2008 1:02 PM
  • As you can see from the above replies, both approaches are right. However, to be able to decide which one to use, you need to come up with your non-functional requirements.


    For example, what would be the performance requirements? What is the expected load from external users and internal users on the site? Is the combined value of peaks from both kinds of users within an acceptable range for you? This will help you decide on one option from a performance perspective.


    Another example would be availability. Is the site required to be available to internal users even if it goes down for external users? Is availability three 9s for both types of users?


    Hope this helps


    --Pavan


    Tuesday, December 2, 2008 1:52 PM