I am working on a system architecture for a fund/pension manager. We are providing two ASP.NET MVC web applications: one to allow members of the pension fund to log in and check their balances, manage their investment, etc., and another to allow employers to make contributions to the fund on the employees' (members') behalf. There are also internal applications delivered via the intranet.

We have been considering using Active Directory for storing, authentication/authorisation of not just the internal users (who are already using AD for logging into the domain and resource authorisation) but for the member and employer user accounts. The member and employer user accounts would be located in a different hierarchy (maybe even a different AD instance?) to the internal users.

However I am wondering if this is the best use-case for AD... given AD is such an 'internal' resource, should it be used to hold auth details for 'external' users (the alternative being a USERS table in a database)?

The benefits are: AD is designed and optimised for holding this sort of data, ASP.NET apps integrate with AD authorisation easily, there possibly are existing tools for working with the data (password resets, etc).

What are the risks?

+5  A: 

I would recommend against a hybrid of internal and external users. Speaking from experience it opens a lot of security headaches. It might be better to create separate authentication systems, one that uses AD directly against the internal domain and another that uses an ADAM directory designed simply to hold external users. (i.e. - internal users should be authenticated using NTLM with the AD to ensure a kerberos encrypted login, while forms would be usable for the ADAM instance).

AD is very easy to integrate though, and if direct integration is undesirable due to the networking lumps, you can always attempt an LDAP:// to achieve the same authentication results.

Joel Etherton
A few links that filled in some more gaps for me from the above answer: http://en.wikipedia.org/wiki/Active_Directory#ADAM.2FAD_LDS and http://www.devsource.com/c/a/Using-VS/Making-Sense-of-ADAM/
James Webster
Oh, if you want links, I can dig up my documentation file at work and throw you a boatload. I actually have implemented a hybrid across 4 domains. I just wanted to put the idea out there. The actual implementation will be a little harder than the paragraph above was to type. As a footnote, the primary reason I recommend the NTLM authentication for internal domain users is that with a web authentication, passwords are stored in RAM in clear text, so a penetration of an external machine might lead to the discovery of internal user passwords. NTLM is kerberos so the hash is in RAM.
Joel Etherton
A: 

I think your biggest risk is that AD would not scale to the amount of users you might have from an Internet app. I would use the Membership provider, unless you are trying to achieve SSO with internal and external accounts.

LWoodyiii
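As an added illustration of the two designs above (Joel Etherton's separate AD LDS/ADAM directory behind forms authentication, and LWoodyiii's Membership-provider route), here is what the web.config of the external member/employer portal would look like using the built-in ActiveDirectoryMembershipProvider against an AD LDS instance. This is example configuration written for this thread, not code from either answerer; the hostname, port, partition DN, service-account name and all password-policy numbers are placeholders you would replace with your own. It assumes the AD LDS instance holds only external accounts and has LDAPS or LDAP signing/sealing enabled so that connectionProtection="Secure" can be honoured.

```xml
<?xml version="1.0"?>
<!-- web.config for the EXTERNAL (member/employer) ASP.NET MVC application.
     Added example, not from the original thread. Hostnames, DNs and the
     service account are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Points at the AD LDS (ADAM) instance that holds ONLY external users,
         never at the internal domain. The path after the port is the
         application partition / container for member and employer accounts
         (assumed: OU=Members,DC=ExtUsers,DC=local). -->
    <add name="AdLdsExternalUsers"
         connectionString="LDAP://adlds01.example.internal:636/OU=Members,DC=ExtUsers,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication for Internet users. The intranet apps described
         in the question would instead use <authentication mode="Windows" />
         against the real domain, as Joel Etherton recommends. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             timeout="20"
             requireSSL="true"
             slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>
    <authorization>
      <!-- Deny anonymous users everywhere; open specific paths with <location> -->
      <deny users="?" />
    </authorization>

    <membership defaultProvider="AdLdsMembership">
      <providers>
        <clear />
        <!-- Low-privilege service account used only to bind and look up
             external accounts; it has no rights in the internal domain. -->
        <add name="AdLdsMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdLdsExternalUsers"
             connectionUsername="svc-extweb@ExtUsers.local"
             connectionPassword="PLACEHOLDER-encrypt-this-section"
             connectionProtection="Secure"
             attributeMapUsername="userPrincipalName"
             enableSearchMethods="false"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             requiresQuestionAndAnswer="false"
             enablePasswordReset="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The login action then only needs `Membership.ValidateUser(userName, password)` followed by `FormsAuthentication.SetAuthCookie(userName, false)`; the MVC code never touches LDAP directly, which is what makes the two designs interchangeable. To take LWoodyiii's route instead, the `<add>` element becomes `type="System.Web.Security.SqlMembershipProvider"` with a SQL connection string, and nothing else in the file or the controllers changes. In either case, encrypt the `connectionStrings` and `system.web/membership` sections on the deployed server with `aspnet_regiis -pe` so the bind credentials are not stored in clear text on the Internet-facing host.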