Is it a bad practice to put external users in Active Directory?

Question

We have an existing Web application and we want to migrate from a custom authentication solution to Active Directory Federation Services so that our partner organizations can manage the authorization of their users on their side.

Right now the site is using custom database tables to manage users and custom logic to manage authentication and authorization.

In addition to the partner organizations that will authenticate their users and gain access through ADFS, we have internal users who are in our Active Directory domain. These users can also be authenticated through ADFS.

Our question revolves around our external users. This site also allows individuals to register. These individuals don't have any organization for whom they work, so we can't use ADFS to handle their authentication.

Since we need to support these individuals, we need to manage their user accounts.

ADFS can only connect to Active Directory or Active Directory Application Mode account stores.

Since ADFS only supports these account stores, it seems like the logical solution is to create accounts for external users in our Active Directory domain.

This would mean that we'd update our registration pages to create new user accounts in active Active Directory rather than creating new records in our custom database.

So, is this a bad practice? Should AD be used for users external to one's organization? How do others handle this type of situation when using ADFS?

Answer 1

Yes, it is bad practice to put external users in the same AD as your internal users. Keep external accounts separate and check out ADAM for external user authentication.

Answer 2

Create a new AD forest for your external users, you might need to set up some better security, but the two can be conencted for seamless authentication.

You'll need to tell them to use a different domain when logging on (eg your normal users use 'mycorp', externals use 'externalcorp') but otherwise it's totally transparent.

Answer 3

I think the question you need to ask is not if storing external accounts in active directory is bad, but if storing accounts in the same forest as your internal accounts is bad. It, can be done, but I would tend to agree with Fallen that I wouldn't put the external accounts in the same forest with the internal ones.

In the past when we used an AD store to place external account we created a new forest and placed the external users in there and then trusted the two domain. In my opinion this is the better option because the highest access users have to the internal network is limited by the trust and not a user's account. If the domain is comprised you can always shut it down and you'll know that nothing with external can access the internal networks. This also allows you to have different security policies between external and internal users.