Last post Nov 22, 2006 05:01 AM by sbyard
Nov 21, 2006 03:57 AM|olanorm|LINK
We have a webapp that uses forms authentication. All user accounts are stored in a SQL Server database. The system is a multi-customer system, meaning that we have several customers using the same system, each with their own user accounts. Now some of
our customers want to be able to log into the system with their existing Active Directory users. This means that one customer might authenticate against our local SQL database, another against an Active Directory server and a third against another active
I have no experience with AD, so I was wondering how I'm going to solve this the best possible way. I'm not sure that I want to authenticate directly against AD, so I was thinking about synchronizing user accounts, i.e. once per hour, so that I also have a
local copy of all AD accounts. Or is this a bad idea?
My system authentication is role based, so I need to map local roles against AD roles. I was thinking about having one table defining mappings between local groups and AD groups. For example we have groups called admins, users and guests in our local system.
Then I could define a group in AD called ext_sys_admins which maps to admins. Or is it a better way to do this?
Nov 21, 2006 03:49 PM|sbyard|LINK
You cannot use AD and Forms in one web site.
Using AD to authenticate users is invisible to you, the developer. It is usual for the IT services dept to set up which AD user group has access to the site. You can also set up Windows Security Groups in AD for each role you need, and add users to each
role. You can check a user is in a role within the application to provide finer grained access.
Don't get confused between AUTHENTICATION and AUTHORISATION. Authentication is handled by you (the developer) currently, using your SQL database. You then provide that user with memberships to roles, and this provides the Authorisation to perform activities
in that role. In AD, the user logging into Windows has authentication performed at that point. That user's membership of groups (or rarely direct membership of web server folders) acts as the authorisation via roles.
Assuming your web site used AD for your company's users, then, when a user opens their browser (e.g. IE) and navigates to a web page, IE passes the security context of the user, so on an intranet site for example, you can simply inspect the
User.Identity.Name property to get that user's name - e.g. something like MYDOMAIN/FredBloggs. You can pick this up in your web pages, but I guess anyone could spoof this if they know their stuff. I.e. I could create a domain with the same properties
and connect to your site. You can get SID information of the user, which can be turned into something more recognisable.
If you want your customers to gain access using their AD users, often, your domain has to have a trust relationship with their domain.
It is also possible to give customers VPN access to the site.
I hope this is useful. I don't have the direct answer you want alas. Here is an example of intranet/internet access
Nov 22, 2006 03:30 AM|olanorm|LINK
Nov 22, 2006 05:01 AM|sbyard|LINK
I assume that currently, when a user enters your site, you ask for credentials, then you probably set their role model in session, or maybe cookies. This means that you never use the security context passed by the browser - at the moment.
I have never tried this, but it would be a point of investigation
A user enters your site. in your start page (login page probably), get the security context passed using
Using a VPN link to your customer's AD, log into the customer's domain (they need to provide you with one) and check that the SID passed by the browser exists in that domain - you will know which customer to go for by getting the client's DOMAIN name from the
user identity from the above method. Should two or more customers have the same domain name, you will have to check them all for this user!
Having verified the user, log them in as the same name used on your system as their customer name/domain name (e.g. CustomerName/CustDomain/Fred), then you do not have to make any changes to your current system database. You should consider using a customer
name too in case two customers have the same domain name.
Hope this helps
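The flow sbyard sketches above, written out as an added example (not code from this thread): split the browser-presented DOMAIN\user identity, find every customer that owns that domain (two customers may share one), ask each customer's directory to confirm the account, and only then log the user in under a customer-qualified local name with roles mapped from AD groups through a mapping table like the one olanorm proposes. The `LookupGroups` delegate standing in for the real directory query, and all customer, domain and group names, are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
// Stand-in for the real query of one customer's directory (over the VPN link mentioned
// in the thread): returns the account's AD groups, or null when the account is not there.
public delegate IList<string> LookupGroups(string customerName, string domain, string user);
public class AdLoginMapper
{
    // customer name -> NetBIOS domain; two customers may legitimately share a domain name
    private readonly IDictionary<string, string> customerDomains;
    private readonly IDictionary<string, string> groupToRole; // e.g. ext_sys_admins -> admins
    private readonly LookupGroups lookup;
    public AdLoginMapper(IDictionary<string, string> customerDomains,
                         IDictionary<string, string> groupToRole, LookupGroups lookup)
    {
        this.customerDomains = customerDomains; this.groupToRole = groupToRole; this.lookup = lookup;
    }
    // Splits the identity the browser presents ("ACMECORP\fred" or "ACMECORP/fred").
    public static bool TrySplitIdentity(string name, out string domain, out string user)
    {
        domain = user = null;
        if (string.IsNullOrEmpty(name)) return false;
        int sep = name.IndexOfAny(new char[] { '\\', '/' });
        if (sep <= 0 || sep == name.Length - 1) return false;
        domain = name.Substring(0, sep); user = name.Substring(sep + 1);
        return true;
    }
    // Returns the customer-qualified local account (CustomerName/Domain/user) and local roles,
    // or null. The name alone is spoofable, so each customer owning the domain must confirm it.
    public string Resolve(string identityName, out List<string> roles)
    {
        roles = new List<string>();
        string domain, user;
        if (!TrySplitIdentity(identityName, out domain, out user)) return null;
        foreach (KeyValuePair<string, string> c in customerDomains)
        {
            if (!string.Equals(c.Value, domain, StringComparison.OrdinalIgnoreCase)) continue;
            IList<string> groups = lookup(c.Key, domain, user);
            if (groups == null) continue; // not in this customer's directory; try the next
            foreach (string g in groups)
            {
                string role; // AD groups with no mapping row grant nothing locally
                if (groupToRole.TryGetValue(g, out role) && !roles.Contains(role)) roles.Add(role);
            }
            return c.Key + "/" + domain + "/" + user;
        }
        return null; // no customer directory vouched for the account
    }
}
```

A caller would wire `Resolve` to `User.Identity.Name` on the login page and treat a null result exactly like a failed forms login, so an unmapped or unconfirmed domain account never reaches the role model.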