Centralizing users’ authentication at Active Directory level
DESCRIPTION
Nowadays, the network structure of most companies is based on Active Directory. Developers can benefit from this by building applications that are compatible with the Active Directory user management system and its authentication protocols. Consequently, a user’s single domain logon is enough to access your application securely. The resulting system significantly reduces development and administrative effort.
TRANSCRIPT
Centralizing users’ authentication at Active Directory level
Hossein Sarshar, Senior Web Developer
A Typical Authentication Scenario
[Diagram: 1000 users, each created separately in the User DB of App 1, App 2, App 3, ... App n]
Creation of 1000 * N users
What is the problem
Huge amount of administrative effort.
Redundant data across the user management systems.
Redundant development effort: every application builds its own user management system.
Adding one user needs redundant updates in all user databases.
...
A Typical Authentication Solution
[Diagram: 1000 users authenticate against a centralized DB of users shared by Web App 1, Win App 1, Web App 2, Win App 2]
What is the problem of this solution?
Doubt about the authentication mechanism used there: can all applications trust it?
It is only possible when all of the applications are purchased from a single vendor or from vendors that trust each other.
Active Directory is a Microsoft implementation of a directory service, providing secure centralized
authentication and authorization over a non-secure network.
Important AD tasks
Contains secure methods of data storage and retrieval.
Provides a secure, centralized authentication mechanism.
Makes a Windows domain.
Controls users’ access to any network resource in the defined domain(s).
Secures users’ authentication.
…
DEMO: Active Directory Preview
Active Directory Solution
[Diagram: 1000 local users; App 1, App 2, App 3, ... authenticate against the AD server, which holds the database of users, groups, ...]
Active Directory Solution
Rely on AD for the basic authentication information (identity, password, group membership) and add a separate profile database for each application’s own data.
Benefits of this method
Centralizes authentication on a trusted platform.
Reduces the number of user management systems.
Reduces a huge amount of administrative effort.
Adds an effective option to your application.
Makes a single sign-on solution possible.
Removes redundant user information.
…
Some of AD protocols
Kerberos: a secure protocol used to authenticate users against the AD database, for both interactive logon and network authentication.
LDAP (Lightweight Directory Access Protocol): the protocol used to query AD for its objects; it is how applications communicate with AD.
We as developers should use LDAP to communicate with AD.
When an application checks a user’s password through an LDAP bind, use a Negotiate (Kerberos/NTLM) bind or LDAP over TLS; a simple bind over plain LDAP sends the password in clear text.
Exploration of System.DirectoryServices
In order to communicate with AD over the LDAP protocol in .NET:
Add a reference to the System.DirectoryServices assembly to your project (for a web site, add the following under <system.web><compilation> in web.config):
<assemblies>
  <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
</assemblies>
Include the System.DirectoryServices and System.DirectoryServices.ActiveDirectory namespaces.
Points of concern:
The ASP.NET application must have appropriate permissions to communicate with AD: the identity it runs as (for example the application pool account) needs read access to the objects it queries and write access to the ones it changes.
One way to run under a different identity is an impersonator class (Uwe Keim’s Impersonator, listed under Resources):
using (new Impersonator("myUsername", "myDomainname", "myPassword"))
{
    ... <code that executes under the new context> ...
}
Keep the credentials out of source code (protected configuration or a managed service account); an alternative to impersonating the whole thread is to pass the credentials to the DirectoryEntry constructor for just the calls that need them.
Exploration of System.DirectoryServices
It is strongly recommended that you do not use impersonation unless necessary: code running under the impersonated account has all of that account’s rights, not only the AD access it needs.
Exploration of System.DirectoryServices
Points of concern:
Run the query code on a different thread from your application (use non-blocking calls such as a web service or a new thread).
Because of the time-out issue, use ASP.NET pages only for the view.
Terms before starting
1. friendlyDomainName: the non-qualified (NetBIOS) domain name, not the FQDN (contoso, NOT contoso.com)
2. ldapDomain: the fully qualified domain, such as contoso.com or dc=contoso,dc=com
3. objectPath: the fully qualified path to the object: CN=user, CN=USERS, DC=contoso, DC=com (same as objectDn)
4. objectDn: the distinguishedName of the object: CN=group, CN=GROUPS, DC=contoso, DC=com
Terms before starting
5. userDn: the distinguishedName of the user: CN=user, OU=USERS, DC=contoso, DC=com
6. groupDn: the distinguishedName of the group: CN=group,OU=GROUPS,DC=contoso,DC=com
What is possible now!
Authenticate users against Active Directory:
DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password, AuthenticationTypes.Secure);
object nativeObject = entry.NativeObject; // the constructor does not bind; this forces the bind and throws on bad credentials
Wrap the bind in a try/catch for DirectoryServicesCOMException: a caught exception means the logon failed. AuthenticationTypes.Secure selects a Negotiate (Kerberos/NTLM) bind, so the password is not sent in clear text.
Add/remove a user to/from a group:
DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn);
dirEntry.Properties["member"].Add(userDn);    // use .Remove(userDn) to take the user out of the group
dirEntry.CommitChanges();
dirEntry.Close();
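The two snippets above, put together into a complete login check. This is an added example, not code from the slides: the user’s password is validated with a secure bind, the login name is escaped before it goes into an LDAP filter (so a value such as `*)(objectClass=*` cannot rewrite the query), and authorization is a server-side nested-group membership test run under the application’s own identity, which avoids thread impersonation. The domain `contoso.com` (NetBIOS `CONTOSO`), the user `jsmith` and the group `CN=App1Users,OU=GROUPS,DC=contoso,DC=com` are hypothetical. Requires Windows and a reference to System.DirectoryServices.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not code from the slides. Domain, user and group names are hypothetical.
public static class AdAuth
{
    // Negotiate (Kerberos, falling back to NTLM) bind: the password is never put on
    // the wire in clear text, and the rest of the session is signed and sealed.
    private const AuthenticationTypes SecureBind =
        AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing;

    // RFC 4515 escaping for values placed inside an LDAP search filter.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Validates the password by binding as the user; returns the user's
    // distinguishedName, or null when the credentials are rejected.
    public static string Authenticate(string friendlyDomainName, string ldapDomain,
                                      string samAccountName, string password)
    {
        // An empty password would turn this into an anonymous bind that "succeeds".
        if (string.IsNullOrEmpty(samAccountName) || string.IsNullOrEmpty(password))
            return null;
        try
        {
            using (var root = new DirectoryEntry("LDAP://" + ldapDomain,
                       friendlyDomainName + "\\" + samAccountName, password, SecureBind))
            {
                // The constructor does not talk to the server; touching NativeObject
                // forces the bind, which throws on a wrong password.
                object forceBind = root.NativeObject;
                using (var searcher = new DirectorySearcher(root))
                {
                    searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                      + EscapeFilter(samAccountName) + "))";
                    searcher.PropertiesToLoad.Add("distinguishedName");
                    SearchResult hit = searcher.FindOne();
                    return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
                }
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return null; // logon failure: log it server-side, tell the client nothing more than "login failed"
        }
    }

    // Authorization: is userDn a member of groupDn, including through nested groups?
    // LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks the chain on the
    // server. Binds with the process identity (app pool / service account).
    public static bool IsMemberOf(string ldapDomain, string userDn, string groupDn)
    {
        using (var root = new DirectoryEntry("LDAP://" + ldapDomain, null, null, SecureBind))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(distinguishedName=" + EscapeFilter(userDn)
                              + ")(memberOf:1.2.840.113556.1.4.1941:=" + EscapeFilter(groupDn) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne() != null;
        }
    }

    public static void Main()
    {
        // Hypothetical values; a real application takes them from the login form and
        // protected configuration, never from source code.
        string dn = Authenticate("CONTOSO", "contoso.com", "jsmith", "password-from-login-form");
        if (dn == null) { Console.WriteLine("Login failed"); return; }
        bool allowed = IsMemberOf("contoso.com", dn, "CN=App1Users,OU=GROUPS,DC=contoso,DC=com");
        Console.WriteLine(allowed ? "Authorized" : "Authenticated but not in App1Users");
    }
}
```

The membership test deliberately runs as the application rather than as the user: the user’s own bind is discarded once the password is confirmed, so a compromised page cannot reuse it for other directory operations.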
Some more feasibility
User creation:
string connectionPrefix = "LDAP://" + ldapPath;              // container (domain or OU) that will hold the new user
DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix);
DirectoryEntry newUser = dirEntry.Children.Add("CN=" + userName, "user");
newUser.Properties["samAccountName"].Value = userName;
newUser.CommitChanges();                                      // the object must exist before a password can be set
string oGUID = newUser.Guid.ToString();
newUser.Invoke("SetPassword", new object[] { userPassword }); // IADsUser.SetPassword: not sent over plain LDAP
newUser.CommitChanges();
dirEntry.Close();
newUser.Close();
Some more feasibility
Account flags (userAccountControl):
int val = (int)newUser.Properties["userAccountControl"].Value; // newUser is a DirectoryEntry object
newUser.Properties["userAccountControl"].Value = val | 0x80000; // ADS_UF_TRUSTED_FOR_DELEGATION
newUser.CommitChanges();
Caveat: 0x80000 is not a password option. ADS_UF_TRUSTED_FOR_DELEGATION enables unconstrained Kerberos delegation, which lets the account impersonate any user who authenticates to it; it should not be set on ordinary user accounts. The “password never expires” bit is ADS_UF_DONT_EXPIRE_PASSWD (0x10000).
Some more feasibility
Enabling a user:
DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
int val = (int)user.Properties["userAccountControl"].Value;
user.Properties["userAccountControl"].Value = val & ~0x2; // clear ADS_UF_ACCOUNTDISABLE (ADS_UF_NORMAL_ACCOUNT is 0x200)
user.CommitChanges();
user.Close();
Some more feasibility
Disabling a user:
DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
int val = (int)user.Properties["userAccountControl"].Value;
user.Properties["userAccountControl"].Value = val | 0x2; // set ADS_UF_ACCOUNTDISABLE
user.CommitChanges();
user.Close();
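The user-creation, flag and enable/disable snippets above as one routine. This is an added example, not code from the slides: the userAccountControl bits the slides set with raw hex get names, every flag change goes through a single read-modify-write, and the new account ends up with the domain password policy enforced (ADS_UF_PASSWD_NOTREQD cleared), a forced password change at next logon, and no delegation bit. The OU, account name and password in Main are hypothetical; the code runs under the process identity, which needs “Create user objects” on the OU.

```csharp
using System;
using System.DirectoryServices;
using System.Text.RegularExpressions;

// Added example, not code from the slides. OU and account names are hypothetical.
[Flags]
public enum AdsUserFlags
{
    AccountDisable       = 0x2,      // ADS_UF_ACCOUNTDISABLE
    PasswdNotReqd        = 0x20,     // ADS_UF_PASSWD_NOTREQD: a blank password is accepted
    NormalAccount        = 0x200,    // ADS_UF_NORMAL_ACCOUNT
    DontExpirePasswd     = 0x10000,  // ADS_UF_DONT_EXPIRE_PASSWD
    TrustedForDelegation = 0x80000,  // ADS_UF_TRUSTED_FOR_DELEGATION: unconstrained delegation
}

public static class AdAccounts
{
    // sAMAccountName is at most 20 characters and becomes the RDN as well, so
    // reject anything that would need DN escaping (',', '+', '"', '\', '<', '>', ';', '=').
    private static readonly Regex SafeName = new Regex("^[A-Za-z0-9._-]{1,20}$");

    private const AuthenticationTypes SecureBind =
        AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing;

    public static AdsUserFlags GetFlags(DirectoryEntry user)
    {
        return (AdsUserFlags)(int)user.Properties["userAccountControl"].Value;
    }

    // The only place the flag word is written: read, set, clear, commit.
    public static AdsUserFlags SetFlags(DirectoryEntry user, AdsUserFlags set, AdsUserFlags clear)
    {
        AdsUserFlags flags = (GetFlags(user) | set) & ~clear;
        user.Properties["userAccountControl"].Value = (int)flags;
        user.CommitChanges();
        return flags;
    }

    public static void Enable(DirectoryEntry user)  { SetFlags(user, 0, AdsUserFlags.AccountDisable); }
    public static void Disable(DirectoryEntry user) { SetFlags(user, AdsUserFlags.AccountDisable, 0); }

    public static void SetPasswordNeverExpires(DirectoryEntry user, bool neverExpires)
    {
        if (neverExpires) SetFlags(user, AdsUserFlags.DontExpirePasswd, 0);
        else              SetFlags(user, 0, AdsUserFlags.DontExpirePasswd);
    }

    // Creates the user, sets the password, forces a change at next logon, clears
    // PASSWD_NOTREQD so the password policy applies, then enables the account.
    public static Guid CreateUser(string ouDn, string samAccountName, string initialPassword, string ldapDomain)
    {
        if (!SafeName.IsMatch(samAccountName))
            throw new ArgumentException("unsafe or too long sAMAccountName", "samAccountName");

        using (var ou = new DirectoryEntry("LDAP://" + ouDn, null, null, SecureBind))
        using (var user = ou.Children.Add("CN=" + samAccountName, "user"))
        {
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.Properties["userPrincipalName"].Value = samAccountName + "@" + ldapDomain;
            user.CommitChanges();                    // the object must exist before SetPassword

            // ADSI SetPassword uses a protected channel (LDAPS, Kerberos or secure RPC);
            // the password is not sent over plain LDAP.
            user.Invoke("SetPassword", new object[] { initialPassword });
            user.Properties["pwdLastSet"].Value = 0; // user must change password at next logon

            // A user created without an explicit userAccountControl comes up disabled and
            // may carry PASSWD_NOTREQD; clear both now that it has a password. Never set
            // TrustedForDelegation here: that is a domain-wide privilege, not an account option.
            SetFlags(user, AdsUserFlags.NormalAccount,
                     AdsUserFlags.AccountDisable | AdsUserFlags.PasswdNotReqd);
            return user.Guid;
        }
    }

    public static void Main()
    {
        Guid id = CreateUser("OU=USERS,DC=contoso,DC=com", "jsmith", "Initial-Passw0rd!", "contoso.com");
        Console.WriteLine("created " + id);
    }
}
```

Because every write goes through SetFlags, an audit of who can set TrustedForDelegation reduces to searching for that one identifier in the code base.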
Some more …
Create/delete groups.
Check for the existence of an AD object.
Enumerate AD objects such as forests, domain controllers, global catalogs, etc. in a specific location such as a domain or OU.
Add/remove trust relationships.
Other applications of DirectoryService
Managing the local security database (“Users and Groups”): just change LDAP:// to WinNT:// in the path.
Managing an IIS server through its ADSI provider: add a virtual directory, change settings, etc.
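The WinNT provider mentioned above, used for a task a security team actually runs: listing the members of a local group and flagging anyone who is not on an allow-list. This is an added example, not code from the slides; the machine name comes from the environment and the allow-list entries (`CONTOSO\Domain Admins`, the built-in Administrator) are hypothetical. On the WinNT provider the group’s member list is only reachable through `Invoke("Members")`, which returns the IADsMembers collection.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not code from the slides. Allow-list entries are hypothetical.
public static class LocalGroups
{
    // Returns each member's ADsPath, e.g. "WinNT://CONTOSO/Domain Admins" or
    // "WinNT://PC01/Administrator". Note the ",group" class hint on the path.
    public static List<string> GetMembers(string machine, string groupName)
    {
        var members = new List<string>();
        using (var group = new DirectoryEntry("WinNT://" + machine + "/" + groupName + ",group"))
        {
            foreach (object com in (IEnumerable)group.Invoke("Members"))
            {
                // Wrap the raw ADSI object so we can read its path and dispose it.
                using (var member = new DirectoryEntry(com))
                    members.Add(member.Path);
            }
        }
        return members;
    }

    // Everything that is not on the allow-list is a finding.
    public static List<string> Unexpected(IEnumerable<string> members, IEnumerable<string> allowList)
    {
        var allowed = new HashSet<string>(allowList, StringComparer.OrdinalIgnoreCase);
        var findings = new List<string>();
        foreach (string m in members)
            if (!allowed.Contains(m)) findings.Add(m);
        return findings;
    }

    public static void Main()
    {
        string machine = Environment.MachineName;
        var allowList = new[]
        {
            "WinNT://" + machine + "/Administrator",
            "WinNT://CONTOSO/Domain Admins",
        };
        foreach (string m in Unexpected(GetMembers(machine, "Administrators"), allowList))
            Console.WriteLine("Unexpected local administrator: " + m);
    }
}
```

Run it under an account that can read the local SAM (a local administrator, or a domain account with that right); the same code with `LDAP://` would not work, because the WinNT provider is the only ADSI provider that sees local accounts.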
DEMO
Summary
Traditional authentication systems have some issues.
Use the AD DS user database as the centralized authentication system.
Use the DirectoryServices namespace to communicate with AD.
Q&A: Questions & Answers
Resources
Codeproject.com: articles by thund3rstruck (Active Directory via C#) and Uwe Keim (Impersonator class)
Msdn.microsoft.com
http://directoryprogramming.net
Win Cool Prizes!!!
Complete the Tech Insights contests and stand a chance to win many cool prizes…
Look in your conference bags NOW!!
We value your feedback!
Please remember to complete the overall conference evaluation form (in your bag) and return it to the Registration Counter on the last day in return for a Limited Edition Gift.