Nov 01, 2012 06:23 AM | fosbie
I am trying to work out the best way of authenticating users of a new website that is being built. All of the users are employees of the company and I want to restrict the use of this external website to employees only (or maybe a subset of employees).
Normally I would just use Active Directory and host the website internally using the normal Windows logins that the users have, but the users of this site will be out in the field using various mobile tablet devices, so the website will need to be hosted on the servers in our DMZ.
My rather limited understanding of this issue suggests that because the DMZ is not in the same domain as the internal Windows logins, it won't be easy to authenticate the users. Isn't this a common problem? Any suggestions on how to do this? I don't want to have to set up separate accounts for them that are specific to the external website if at all possible.
I did consider writing a web service that is hosted internally but available to the servers in the DMZ, with some sort of AuthenticateUser method on it, but I have a bad feeling about that being a bad idea and I'm not sure why.
Nov 01, 2012 10:35 AM | bbcompent1
Much is going to depend on whether you have this other domain hosted in-house or at a service provider. This link might give you some clues on how to do this, but I can assure you it isn't without its own level of pain. What you essentially want to do is make the DMZ domain a part of your forest, then synchronize the accounts accordingly. You can use Organizational Level permissions to sort whether a user is internal or DMZ.
Nov 01, 2012 10:42 AM | BrockAllen
@bbcompent1 suggested one way. Let me propose another: federation using WS-Fed. From the website's perspective the AD is a 3rd-party identity provider. Using standards like WS-Federation you can establish trust with this 3rd-party identity provider. You'd use a framework like WIF in your web app, and then the 3rd party would put an ADFS server on top of AD to authenticate users against AD.
Food for thought.