Centralizing users’ authentication at Active Directory level 

Nowadays, the network structure of most companies is based on Active Directory. Developers can benefit from this by developing applications compatible with the Active Directory user management system and its authentication protocols. Consequently, a user's single domain logon is enough to access your application securely. The resulting system significantly reduces development and administrative effort.

Presentation Transcript

  • Centralizing users’ authentication at Active Directory level. Hossein Sarshar, Senior Web Developer
  • A Typical Authentication Scenario: 1000 users; User DB of App 1, User DB of App 2, User DB of App 3, …, User DB of App n
  • A Typical Authentication Scenario: creation of 1000 * N users across User DB of App 1, User DB of App 2, User DB of App 3, …, User DB of App n
  • What is the problem? Huge amount of administrative effort. Redundant data in the user management systems. Redundant development effort for creating multiple user management systems. Adding one user needs redundant updates in all user databases. ...
  • A Typical Authentication Solution: 1000 users; Centralized DB of Users; Web App 1, Win App 1, Web App 2, Win App 2
  • What is the problem of this solution? Being doubtful about the authentication mechanism used there. Can all applications trust it? It is only possible when all of the apps are purchased from a single vendor or from trusted vendors.
  • Important AD tasks Contains secure methods of data storage and retrieval. Secured centralized authentication mechanism. Makes a Windows Domain. Controls access of users to any network resources in the defined domain(s). Secures users’ authentication. …
  • Active Directory Preview
  • Active Directory Solution: database of users, groups, …; 1000 local users; App 1, App 2, App 3, …
  • Active Directory Solution: rely on AD for the basic authentication information and add a separate profile database for each application.
  • Benefits of this method: Centralize authentication on a trusted platform. Reduction of user management systems. Reduction of a huge amount of administrative effort. Adds an effective option to your application. Possibility of applying a single sign-on solution. Removal of redundant user information. …
  • Some AD protocols: Kerberos, a secured protocol used to authenticate users against the AD database (Interactive Logon, Network Authentication). LDAP (Lightweight Directory Access Protocol), the protocol used to query AD for its objects and to communicate with AD. We as developers should use LDAP to communicate with AD.
  • Exploration of System.DirectoryServices. In order to communicate with AD by the LDAP protocol in .NET: Add the System.DirectoryServices assembly to your project. Add the following section to web.config:
        <assemblies>
          <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        </assemblies>
    Include the System.DirectoryServices.ActiveDirectory and System.DirectoryServices namespaces.
  • Exploration of System.DirectoryServices. Points of concern: the ASP.NET application must have appropriate permissions to communicate with AD. Make an impersonator class:
        // Impersonator is an application-supplied helper that switches the Windows identity
        // of the calling thread for the lifetime of the using block.
        using (new Impersonator("myUsername", "myDomainname", "myPassword"))
        {
            // ... code that executes under the new context ...
        }
    It is strongly recommended that you do not use it unless necessary.
  • Exploration of System.DirectoryServices. Points of concern: run the query code in a different thread from your application (use non-blocking calls such as a web service or a new thread). Because of time-out issues, use ASP pages only for the view.
  • Terms before starting:
    1. friendlyDomainName: the non-qualified domain name (contoso - NOT contoso.com)
    2. ldapDomain: the fully qualified domain, such as contoso.com or dc=contoso,dc=com
    3. objectPath: the fully qualified path to the object: CN=user,CN=USERS,DC=contoso,DC=com (same as objectDn)
    4. objectDn: the distinguishedName of the object: CN=group,CN=GROUPS,DC=contoso,DC=com
    5. userDn: the distinguishedName of the user: CN=user,OU=USERS,DC=contoso,DC=com
    6. groupDn: the distinguishedName of the group: CN=group,OU=GROUPS,DC=contoso,DC=com
  • What is possible now! Authenticate users against Active Directory:
        // Constructing the entry does not bind yet; the bind (and the credential check)
        // happens when a property such as NativeObject is first accessed.
        DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
    Add/remove a user to/from a group:
        DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn);
        dirEntry.Properties["member"].Add(userDn);   // .Remove(userDn) takes the user out again
        dirEntry.CommitChanges();
        dirEntry.Close();
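Added example (not from the slides) that puts the authentication call above into working form: it forces the bind so that bad credentials are actually rejected, refuses empty passwords, and checks direct group membership through a DirectorySearcher with the login name escaped before it enters the LDAP filter. It assumes a reachable domain controller; domain, ldapDomain, userName and groupDn are the slide's terms, and the class and method names are my own.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdAuth
{
    // Constructing DirectoryEntry does not contact the server; reading NativeObject forces the bind.
    public static bool Authenticate(string domain, string userName, string password)
    {
        // An empty password can be treated by LDAP as an anonymous (unauthenticated) bind
        // rather than a failure, so reject it before touching AD.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        try
        {
            using (var entry = new DirectoryEntry("LDAP://" + domain, userName, password, AuthenticationTypes.Secure))
                return entry.NativeObject != null;
        }
        catch (COMException) { return false; } // bad credentials or server unreachable
    }

    // Escape user-supplied text before embedding it in an LDAP filter (RFC 4515),
    // so filter metacharacters in a login name cannot change the query.
    public static string EscapeFilter(string value)
    {
        const string special = "\\*()\0";
        var sb = new System.Text.StringBuilder();
        foreach (char c in value)
            sb.Append(special.IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    // True if the user's memberOf attribute lists groupDn (direct membership only).
    public static bool IsMemberOf(string ldapDomain, string userName, string groupDn)
    {
        using (var root = new DirectoryEntry("LDAP://" + ldapDomain))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(userName) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult result = searcher.FindOne();
            if (result == null) return false;
            foreach (object dn in result.Properties["memberOf"])
                if (string.Equals((string)dn, groupDn, StringComparison.OrdinalIgnoreCase)) return true;
            return false;
        }
    }
}
```

Nested group membership is not covered by memberOf; resolve it with a recursive walk or the tokenGroups attribute if your authorization model needs it.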
  • Some more feasibility. User creation:
        string oGUID = string.Empty;
        string connectionPrefix = "LDAP://" + ldapPath;   // ldapPath: the container the user is created in
        DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix);
        DirectoryEntry newUser = dirEntry.Children.Add("CN=" + userName, "user");
        newUser.Properties["samAccountName"].Value = userName;
        newUser.CommitChanges();   // the object must exist on the server before a password can be set
        oGUID = newUser.Guid.ToString();
        newUser.Invoke("SetPassword", new object[] { userPassword });
        newUser.CommitChanges();
        dirEntry.Close();
        newUser.Close();
  • Some more feasibility. Password issues:
        int val = (int)newUser.Properties["userAccountControl"].Value;   // newUser is a DirectoryEntry object
        // 0x80000 = ADS_UF_TRUSTED_FOR_DELEGATION: marks the account as trusted for Kerberos delegation
        // (the password-related flag is ADS_UF_DONT_EXPIRE_PASSWD = 0x10000)
        newUser.Properties["userAccountControl"].Value = val | 0x80000;
        newUser.CommitChanges();   // the flag change is not written until committed
  • Some more feasibility. Enabling a user:
        DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
        int val = (int)user.Properties["userAccountControl"].Value;
        user.Properties["userAccountControl"].Value = val & ~0x2;   // clear ADS_UF_ACCOUNTDISABLE (0x2)
        user.CommitChanges();
        user.Close();
  • Some more feasibility. Disabling a user:
        DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
        int val = (int)user.Properties["userAccountControl"].Value;
        user.Properties["userAccountControl"].Value = val | 0x2;   // set ADS_UF_ACCOUNTDISABLE (0x2)
        user.CommitChanges();
        user.Close();
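Added example (not from the slides) generalizing the enable/disable snippets above: the userAccountControl bits are given their documented names, every update goes through one read-modify-write helper, and provisioning clears ADS_UF_PASSWD_NOTREQD, which a newly created user object carries by default. It assumes a reachable domain and write access to the user object; userDn follows the slide's terms, and the enum, class and method names are my own.

```csharp
using System;
using System.DirectoryServices;

[Flags]
public enum UserAccountControl
{
    AccountDisable       = 0x0002,  // ADS_UF_ACCOUNTDISABLE
    PasswdNotReqd        = 0x0020,  // ADS_UF_PASSWD_NOTREQD
    NormalAccount        = 0x0200,  // ADS_UF_NORMAL_ACCOUNT
    DontExpirePasswd     = 0x10000, // ADS_UF_DONT_EXPIRE_PASSWD
    TrustedForDelegation = 0x80000  // ADS_UF_TRUSTED_FOR_DELEGATION
}

public static class AdAccounts
{
    public static UserAccountControl GetFlags(DirectoryEntry user)
    {
        user.RefreshCache(new[] { "userAccountControl" }); // read the server's current value
        return (UserAccountControl)(int)user.Properties["userAccountControl"].Value;
    }

    // Clears then sets the given flags and writes the result back (read-modify-write).
    public static UserAccountControl UpdateFlags(string userDn, UserAccountControl clear, UserAccountControl set)
    {
        using (var user = new DirectoryEntry("LDAP://" + userDn))
        {
            UserAccountControl flags = (GetFlags(user) & ~clear) | set;
            user.Properties["userAccountControl"].Value = (int)flags;
            user.CommitChanges();
            return flags;
        }
    }

    // The slide's enable/disable, written with the flag's name instead of the bare 0x2.
    public static void SetEnabled(string userDn, bool enabled) =>
        UpdateFlags(userDn, enabled ? UserAccountControl.AccountDisable : 0,
                            enabled ? 0 : UserAccountControl.AccountDisable);

    // A user created with Children.Add starts as 0x222 (disabled, password not required,
    // normal account). After SetPassword, clear PASSWD_NOTREQD as well as ACCOUNTDISABLE;
    // otherwise the account stays exempt from the domain password policy.
    public static void FinishProvisioning(string userDn) =>
        UpdateFlags(userDn, UserAccountControl.AccountDisable | UserAccountControl.PasswdNotReqd,
                            UserAccountControl.NormalAccount);

    // Flags worth a review in any provisioning code path (no-password and delegation-trusted accounts).
    public static bool HasRiskyFlags(UserAccountControl flags) =>
        (flags & (UserAccountControl.PasswdNotReqd | UserAccountControl.TrustedForDelegation)) != 0;
}
```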
  • Some more …: Create/delete groups. Check for the existence of an AD object. Enumerate all AD objects, such as Forests, Domain Controllers, Global Catalogs, etc., in a specific location such as a domain or OU. Add/remove trust relationships.
  • Other applications of DirectoryServices: managing the local security database “Users and Groups” (just change LDAP to WinNT in the query line). Managing the IIS server: add a virtual directory to IIS, change settings, and …
  • Summary: The traditional authentication system has some issues. Use the AD DS user database as the centralized authentication system. Use the DirectoryServices namespace to communicate with AD.
  • Questions & Answers
  • Resources: Codeproject.com (thund3rstruck and Uwe Keim), Msdn.microsoft.com, http://directoryprogramming.net
  • Win Cool Prizes!!! Complete the Tech Insights contests and stand a chance to win many cool prizes… Look in your conference bags NOW!!
  • We value your feedback! Please remember to complete the overall conference evaluation form (in your bag) and return it to the Registration Counter on the last day in return for a Limited Edition Gift