Authenticating internal and external users RRS feed

  • Question

  • I have a requirement where we need to build a single UI that can be used by internal (on AD) and external users. I'm looking for ways to design the authentication process for this situation. There will be different roles like Clients, Manufacturers, Dealers etc (external) and Order specialists, employees (internal).

    Please suggest


    Tuesday, April 17, 2012 8:02 PM

All replies

  • What is this UI for? If you can move your resource to the cloud you can use Window Azure's access control service, which supports Active Directory as well as web authentication such as Windows Live ID, Google, Yahoo!, and Facebook. Depends on your traffic the cost of external access may or may not be cheaper than an external connector license.

    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful, so they will appear differently to other users who are visiting your thread for the same problem.
    Visual C++ MVP

    Tuesday, April 17, 2012 11:54 PM
  • You can make use of AD pluggins like SiteMinder to connect to AD for authentication. Define internal & external users on different OUs (Organization Units) inside AD.

    Also, make use of User Rights, Access token and Access Control List to manage various roles for users:

    User rights are assigned to groups (or users). User rights include both privileges (such as Back Up Files and Directories) and logon rights (such as Access this Computer from Network).

    Access control permissions (such as Read, Write, Full Control, or No Access) are attached to Windows 2000 objects. In the case of Active Directory objects, access control can be defined not only for each object in the directory but also for each property of each object. (For a list of all object types, see the section "Object Types, Managers, and Tools.")

    Access token. Each time a user logs on, Windows 2000 creates an access token. The access token is a representation of the user account and contains the following elements:

    • Individual SID. Security identifier (SID) representing the logged-on user
    • Group SIDs. SIDs representing the logged-on user's group memberships
    • User Rights. Privileges (associated with each SID) granted to the user or to groups to which the user belongs

    When the user tries to access an object, Windows 2000 compares each SID in the user's access token to entries in an object's discretionary access control list (DACL) to determine whether the user has permission to access the object and, if access is allowed, what type of access it is. In some cases, user rights in the user's token may override the permissions listed in the DACL and access may be granted that way.

    An access token is not updated until the next logon, which means that if you add a user to a group, the user must log off and log on before the access token is updated.

    Security identifier (SID). A SID is a code that uniquely identifies a specific user, group, or computer to the Windows 2000 security system. A user's own SID is always attached to the user's access token. When a user is made a member of a group, the SID for that group is also attached to the user's access token.

    Access Control List (ACL). Each Active Directory object (as well as each file, registry key, and so on) has two associated ACLs:

    • DACL. The discretionary access control list (DACL) is a list of user accounts, groups, and computers that are allowed (or denied) access to the object.
    • SACL. The System Access Control List (SACL) defines which events (such as file access) are audited for a user or group.

    Access Control Entry (ACE). A DACL or SACL consists of a list of Access Control Entries (ACEs), where each ACE lists the permissions granted or denied to the users, groups, or computers listed in the DACL or SACL. An ACE contains a SID with a permission, such as Read access or Write access. Windows 2000 combines access permissions—if you have Read access to an object because you are a member of Group A and if you have Write access because you are a member of Group B, you have both Read and Write access to the object. However, if you have No Access as a member of Group C, you will not have access to the object.

    Figure above shows how a user's access token and an object's DACL let the user (in this case) access the object. When the user, Adam, requests access to the payroll file object, Windows 2000 compares each SID in Adam's access token to each ACE in the DACL to see if access is explicitly denied to Adam or to any group to which Adam belongs. It then checks to see if the requested access is specifically permitted. Windows repeats these steps until it encounters a No Access or until it has collected all the necessary permissions to grant the requested access. If the DACL does not specifically allow permission for each requested access, access is denied.

    Thanks, AT

    Wednesday, April 18, 2012 9:06 AM
  • What technology you use to build UI? Is it Asp.Net?

    What data source you refer for authenticating external user? Database/AD?

    Roles are referred to Authorization and where are you planning to keep those roles?

    In asp.net you can enable mixed-mode authentication which will work for both internal user (Authenticate from AD) and external user (Form/Custom auth..)

    A simple workflow would look like,

    For details you can refer :



    Let me know if I misunderstood your question.

    Lingaraj Mishra

    Wednesday, April 18, 2012 12:20 PM