Active Directory authentication from webapp

  • Question

  • User1133278812 posted

    Hi

    We have a webapp that uses forms authentication. All user accounts are stored in a SQL Server database. The system is a multi-customer system, meaning that we have several customers using the same system, each with their own user accounts. Now some of our customers want to be able to log into the system with their existing Active Directory users. This means that one customer might authenticate against our local SQL database, another against an Active Directory server and a third against another Active Directory server.

    I have no experience with AD, so I was wondering how I'm going to solve this the best possible way. I'm not sure that I want to authenticate directly against AD, so I was thinking about synchronizing user accounts, e.g. once per hour, so that I also have a local copy of all AD accounts. Or is this a bad idea?

    My system's authentication is role based, so I need to map local roles against AD roles. I was thinking about having one table defining mappings between local groups and AD groups. For example, we have groups called admins, users and guests in our local system. Then I could define a group in AD called ext_sys_admins which maps to admins. Or is there a better way to do this?

    Any thoughts?

    Tuesday, November 21, 2006 3:57 AM
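The design sketched in the question (a per-customer setting that picks the local database or a remote AD, plus a table mapping AD groups to local roles) as an added example. This is not code from the thread or from any product; every name in it (Customer, Principal, authenticate, map_groups_to_roles, escape_ldap_filter, FAKE_AD, LOCAL_USERS, CUSTOMERS) is an assumption. The AD side is an injectable callable backed by a constructed in-memory directory so the block runs offline; in production that callable would search for the user's DN with the escaped filter and then do an LDAP simple bind as that DN over TLS. Two checks a practitioner would want are built in: the username is RFC 4515-escaped before it reaches an LDAP filter, and an empty password is rejected before any bind is attempted, because an LDAP simple bind with an empty password is an anonymous bind that many servers report as success.

```python
"""Per-customer authentication dispatch plus AD-group-to-local-role mapping.

Added example, not code from the original thread. All names are assumptions.
The AD side is an injectable callable so the example runs offline."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# --- local (SQL-stored) accounts: salted PBKDF2 hashes, never plaintext ---

def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> Tuple[bytes, int, bytes]:
    salt = salt or os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time compare


# --- LDAP filter escaping (RFC 4515) so a username cannot rewrite the search ---

def escape_ldap_filter(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(username: str) -> str:
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_ldap_filter(username)


@dataclass
class Customer:
    name: str
    auth_source: str                      # "local" or "ad": the per-customer setting
    ad_domain: Optional[str] = None
    ad_base_dn: Optional[str] = None
    group_role_map: Dict[str, str] = field(default_factory=dict)  # AD group DN -> local role


@dataclass
class Principal:
    customer: str
    domain: Optional[str]
    username: str
    roles: List[str]

    @property
    def key(self) -> str:
        # The customer name is part of the key, so two customers with the same
        # domain name (or the same local username) can never collide.
        return "%s/%s/%s" % (self.customer, self.domain or "local", self.username)


def map_groups_to_roles(member_of: List[str], group_role_map: Dict[str, str]) -> List[str]:
    wanted = {dn.lower(): role for dn, role in group_role_map.items()}  # DNs compare case-insensitively
    return sorted({wanted[dn.lower()] for dn in member_of if dn.lower() in wanted})


# Constructed stand-in for a customer's directory (not a real domain).
FAKE_AD = {
    "corp.example": {
        "fred": {"password": "Fr3d-pass", "memberOf": [
            "CN=ext_sys_admins,OU=Groups,DC=corp,DC=example",
            "CN=Domain Users,CN=Users,DC=corp,DC=example"]},
        "guest": {"password": "guest-pass", "memberOf": [
            "CN=Domain Users,CN=Users,DC=corp,DC=example"]},
    }
}


def fake_ad_bind(domain: str, base_dn: str, search_filter: str, password: str) -> Optional[List[str]]:
    """Simulates: search with search_filter, bind as the found user, read memberOf.
    Returns the group DNs on success, None on failure."""
    for uname, rec in FAKE_AD.get(domain, {}).items():
        if user_filter(uname) == search_filter and rec["password"] == password:
            return rec["memberOf"]
    return None


def authenticate(customer: Customer, username: str, password: str,
                 local_users: Dict[Tuple[str, str], dict],
                 ad_bind: Callable[[str, str, str, str], Optional[List[str]]] = fake_ad_bind) -> Optional[Principal]:
    if not password:
        return None  # empty password = anonymous LDAP bind; never count it as a login
    if customer.auth_source == "local":
        rec = local_users.get((customer.name, username))
        if rec is None or not verify_password(password, *rec["pw"]):
            return None
        return Principal(customer.name, None, username, list(rec["roles"]))
    if customer.auth_source == "ad":
        groups = ad_bind(customer.ad_domain, customer.ad_base_dn, user_filter(username), password)
        if groups is None:
            return None
        roles = map_groups_to_roles(groups, customer.group_role_map)
        if not roles:
            return None  # valid AD account but in no group this system recognises: no access
        return Principal(customer.name, customer.ad_domain, username, roles)
    raise ValueError("unknown auth source %r" % customer.auth_source)


# Constructed sample data: one local customer, one AD customer.
LOCAL_USERS = {("acme", "alice"): {"pw": hash_password("correct horse"), "roles": ["users"]}}
CUSTOMERS = {
    "acme": Customer("acme", "local"),
    "globex": Customer("globex", "ad", "corp.example", "DC=corp,DC=example", {
        "CN=ext_sys_admins,OU=Groups,DC=corp,DC=example": "admins",
        "CN=ext_sys_users,OU=Groups,DC=corp,DC=example": "users"}),
}
```

The "no mapped group means no access" rule is deliberate: an AD customer's directory will contain far more accounts than should ever reach this application, so a successful bind alone is not an authorisation decision. Calling `authenticate(CUSTOMERS["globex"], "fred", "Fr3d-pass", LOCAL_USERS)` yields a principal keyed `globex/corp.example/fred` with the `admins` role, while `guest` binds successfully but is refused.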

All replies

  • User-1513591455 posted

    You cannot use AD and Forms in one web site.

    Using AD to authenticate users is invisible to you, the developer.  It is usual for the IT services dept to set up which AD user group has access to the site.  You can also set up Windows Security Groups in AD for each role you need, and add users to each role.  You can check that a user is in a role within the application to provide finer-grained access.

    Don't get confused between AUTHENTICATION and AUTHORISATION.  Authentication is handled by you (the developer) currently, using your SQL database.  You then provide that user with memberships of roles, and this provides the Authorisation to perform activities in that role.  In AD, the user logging into Windows has authentication performed at that point.  That user's membership of groups (or rarely direct membership of web server folders) acts as the authorisation via roles.

    Assume your web site uses AD for your company's users.  Then, when a user opens their browser (e.g. IE) and navigates to a web page, IE passes the security context of the user, so on an intranet site, for example, you can simply inspect the User.Identity.Name property to get that user's name - e.g. something like MYDOMAIN/FredBloggs.  You can pick this up in your web pages, but I guess anyone could spoof this if they know their stuff.  I.e. I could create a domain with the same properties and connect to your site.  You can get SID information for the user, which can be turned into something more recognisable.

    If you want your customers to gain access using their AD users, often your domain has to have a trust relationship with their domain.

    It is also possible to give customers VPN access to the site.

    I hope this is useful.  I don't have the direct answer you want, alas.  Here is an example of intranet/internet access:

    See http://www.15seconds.com/Issue/050203.htm

    Tuesday, November 21, 2006 3:49 PM
  • User1133278812 posted
    I'm not sure if this is what we need. I was probably not clear in my first post, but the webapp is not hosted on the AD server, and the web server is also not a member of the same domain as the AD server. We are hosting our own server providing one webapp for all our customers. All customers are hosted in the same database and webapp. I want to use a customer setting to specify whether a customer's users should log in using usernames and passwords stored in the local database, or whether we must query a remote AD server.
    Wednesday, November 22, 2006 3:30 AM
  • User-1513591455 posted

    OK

    I assume that currently, when a user enters your site, you ask for credentials, then you probably set their role model in session, or maybe cookies.  This means that you never use the security context passed by the browser - at the moment.

    I have never tried this, but it would be a point of investigation.

    A user enters your site.  In your start page (login page probably), get the security context passed using System.Security.Principal.WindowsIdentity.GetCurrent().

    Using a VPN link to your customer's AD, log into the customer's domain (they need to provide you with one) and check that the SID passed by the browser exists in that domain - you will know which customer to go for by getting the client's domain name from the user identity from the above method.  Should two or more customers have the same domain name, you will have to check them all for this user!

    Having verified the user, log them in as the same named user on your system as their customer name/domain name (e.g. CustomerName/CustDomain/Fred); then you do not have to make any changes to your current system database.  You should consider using a customer name too in case two customers have the same domain name.

    Hope this helps.
    Wednesday, November 22, 2006 5:01 AM