A project I'm working on is supposed to authenticate users against AD. I've never worked with AD before, nor have I worked in organizations that use AD, so here's my stupid question: in case AD is involved, who manages roles, groups and users for the application? Is it my responsibility to provide a UI for the site admin to assign AD users to my app roles, or should AD admins take care of creating the appropriate groups expected by my app and assigning existing AD users there?

What are the best practices in this department?

A: 

This really depends on who owns the AD, and who is going to be responsible for managing user accounts. If this AD is isolated from your corporate domain, and you want your support or sales, or other business person to manage the accounts, then by all means create them an admin tool.

If you're trying to tie into your existing AD, then you should work closely with your IT department; they will probably want to create the accounts their own way (especially if you're using your existing credentials).

Essentially this boils down to how your IT operates, and what exactly the relationship is between the AD you're using and the AD which runs the corporate site.

Edited

Based on your additional info, I think you need to offer an admin console. Especially if you want to target the smaller shops out there. Your solution should make it optional, so if they want to use the admin UI they can, but if the IT department wants to use PowerShell, for example, they can do that as well.

JoshBerke
A: 

One thing to note -- this is not an in-house app, so it is supposed to work with an existing AD. The question is, if my app expects roles like "Teachers" and "Students" (just to illustrate the point), may I expect that IT people will create the appropriate groups in AD and assign users to them?

A: 

If you're writing this app for another company, I think you could assume they'll be in charge of managing the AD users and groups. You'll just need to coordinate with the clients on what roles/groups your app will use.

Kevin Tighe
+1  A: 

I don't think you should supply a GUI for Active Directory. Most organizations that use Active Directory manage it with the standard Active Directory tools.

If you want to handle the case of small shops, then make the groups internal to the application DB. You will still be able to use the Active Directory users, but the group management and membership will be internal to your application. This will avoid most problems of dealing with the complex rules of Active Directory, and still benefit from single sign-on.

One more thing to note: the group names should be customizable. Most places have a naming convention for group names.

Igal Serban
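Putting Kevin's and Igal's advice together (coordinate the group names with the customer, keep them configurable, and optionally hold membership in the app's own DB for small shops), here is an added example of how the role lookup can be written. It is not code from the question or any answer; it assumes the app has already authenticated the user against AD and obtained the DNs of the groups the user is a member of, and the group names and users below are constructed samples.

```python
"""Resolve application roles from AD group membership and internal grants."""
import re
from dataclasses import dataclass, field


@dataclass
class RoleConfig:
    # app role -> AD group name, set per customer so it matches their own
    # naming convention instead of hard-coding "Teachers"/"Students"
    ad_group_for_role: dict[str, str] = field(default_factory=dict)
    # app role -> users granted the role in the app's own DB, for shops
    # that would rather not manage groups in AD at all
    internal_members: dict[str, set[str]] = field(default_factory=dict)


def group_cn(dn: str) -> str:
    """Return the lower-cased CN of an AD group DN.

    Splits on the first comma that is not escaped with a backslash, so a
    group named 'Staff\\, Teaching' is handled correctly.
    """
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    key, _, value = first_rdn.partition("=")
    if key.strip().upper() != "CN" or not value:
        raise ValueError(f"not a CN-based DN: {dn!r}")
    return value.replace("\\,", ",").strip().lower()


def resolve_roles(username: str, ad_group_dns: list[str], cfg: RoleConfig) -> set[str]:
    """Union of roles granted via AD groups and via internal membership.

    Default-deny: a user matching no configured group and holding no
    internal grant gets no role, so a mistyped mapping fails closed.
    """
    member_of = {group_cn(dn) for dn in ad_group_dns}
    roles: set[str] = set()
    for role, ad_group in cfg.ad_group_for_role.items():
        if ad_group.lower() in member_of:
            roles.add(role)
    user = username.lower()
    for role, users in cfg.internal_members.items():
        if user in {u.lower() for u in users}:
            roles.add(role)
    return roles
```

Because the mapping is data rather than code, the customer's IT department can point each app role at whatever group their naming convention dictates, and the same code serves a shop that only uses the internal grants.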