Centralizing users’ authentication at Active Directory level 

Nowadays, the network structure of most companies is based on Active Directory. Developers can take advantage of this by building applications that are compatible with the Active Directory user management system and its authentication protocols. Consequently, a user's single domain logon is enough to access your application securely. The resulting system significantly reduces development and administrative effort.


    1. Centralizing users’ authentication at Active Directory level. Hossein Sarshar, Senior Web Developer
    2. A Typical Authentication Scenario: 1000 users; User DB of App 1, User DB of App 2, User DB of App 3, User DB of App n
    3. A Typical Authentication Scenario: creation of 1000 * N users. 1000 users; User DB of App 1, User DB of App 2, User DB of App 3, User DB of App n
    4. What is the problem? Huge amount of administrative effort. Redundant data in the user management systems. Redundant development effort for creating multiple user management systems. Adding one user needs redundant updates in all user databases. ...
    5. A Typical Authentication Solution: 1000 users; Centralized DB of Users; Web App 1, Win App 1, Web App 2, Win App 2
    6. What is the problem of this solution? Doubt about the authentication mechanism used there. Can all applications trust it? It is only possible when all of the apps are purchased from a single vendor or from trusted vendors.
    7. Important AD tasks: Contains secure methods of data storage and retrieval. Secured centralized authentication mechanism. Makes a Windows Domain. Controls access of users to any network resource in the defined domain(s). Secures users’ authentication. …
    8. Active Directory Preview
    9. Active Directory Solution: 1000 local users; database of users, groups, …; App 1, App 2, App 3
    10. Active Directory Solution: rely on AD for the basic authentication information and add a separate profile database for each application.
    11. Benefits of this method: Centralizes authentication on a trusted platform. Reduces the number of user management systems. Reduces a huge amount of administrative effort. Adds an effective option to your application. Makes a single sign-on solution possible. Removes redundant user information. …
    12. Some of the AD protocols: Kerberos, a secured protocol used to authenticate users against the AD database (Interactive Logon, Network Authentication). LDAP (Lightweight Directory Access Protocol), used to query AD for its objects; it is the way to communicate with AD. We as developers should use LDAP to communicate with AD.
    13. Exploration of System.DirectoryServices. In order to communicate with AD through the LDAP protocol in .Net: add the System.DirectoryServices assembly to your project, and add the following section to web.config:
            <assemblies>
              <add assembly="System.DirectoryServices, Version=, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
            </assemblies>
        Then include the System.DirectoryServices.ActiveDirectory and System.DirectoryServices namespaces.
    14. Exploration of System.DirectoryServices. Points of concern: the ASP.Net application must have appropriate permissions to communicate with AD. Make an impersonator class (Impersonator is a helper class, not part of the .Net framework):
            using (new Impersonator("myUsername", "myDomainname", "myPassword"))
            {
                // ... code that executes under the new context ...
            }
        It is strongly recommended that you do not use it unless necessary.
    15. Exploration of System.DirectoryServices. Points of concern: run the query code in a different thread from your application (use non-blocking calls such as a web service or a new thread). Because of the time-out issue, use ASP pages only for the view.
    16. Terms before starting:
            1. friendlyDomainName: the non-qualified domain name (contoso, NOT contoso.com)
            2. ldapDomain: the fully qualified domain, such as contoso.com or dc=contoso,dc=com
            3. objectPath: the fully qualified path to the object: CN=user,CN=USERS,DC=contoso,DC=com (same as objectDn)
            4. objectDn: the distinguishedName of the object: CN=group,CN=GROUPS,DC=contoso,DC=com
    17. Terms before starting (continued):
            5. userDn: the distinguishedName of the user: CN=user,OU=USERS,DC=contoso,DC=com
            6. groupDn: the distinguishedName of the group: CN=group,OU=GROUPS,DC=contoso,DC=com
    18. What is possible now! Authenticate users against Active Directory:
            DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
            object bound = entry.NativeObject;  // the constructor does not contact AD; reading NativeObject forces the bind and throws if the credentials are rejected
        Add/remove a user to/from a group:
            DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn);
            dirEntry.Properties["member"].Add(userDn);  // or .Remove(userDn) to take the user out of the group
            dirEntry.CommitChanges();
            dirEntry.Close();
    19. Some more feasibility. User creation:
            string oGUID = string.Empty;
            string connectionPrefix = "LDAP://" + ldapPath;
            DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix);
            DirectoryEntry newUser = dirEntry.Children.Add("CN=" + userName, "user");
            newUser.Properties["samAccountName"].Value = userName;
            newUser.CommitChanges();                 // the object must exist before a password can be set
            oGUID = newUser.Guid.ToString();
            newUser.Invoke("SetPassword", new object[] { userPassword });
            newUser.CommitChanges();
            dirEntry.Close();
            newUser.Close();
    20. Some more feasibility. Password issues:
            int val = (int)newUser.Properties["userAccountControl"].Value;  // newUser is a DirectoryEntry object
            newUser.Properties["userAccountControl"].Value = val | 0x80000;  // ADS_UF_TRUSTED_FOR_DELEGATION: lets the account delegate; set it only when a service really requires it
            newUser.CommitChanges();
    21. Some more feasibility. Enabling a user:
            DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
            int val = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = val & ~0x2;  // clear ADS_UF_ACCOUNTDISABLE (0x2); ADS_UF_NORMAL_ACCOUNT is 0x200, not 0x2
            user.CommitChanges();
            user.Close();
    22. Some more feasibility. Disabling a user:
            DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
            int val = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = val | 0x2;  // set ADS_UF_ACCOUNTDISABLE
            user.CommitChanges();
            user.Close();
    23. Some more …: Create/delete groups. Check for the existence of an AD object. Enumerate all AD objects such as forests, domain controllers, global catalogs etc. in a specific location such as a domain or OU. Add/remove trust relationships.
    24. Other applications of DirectoryServices: Managing the local security database “Users and Groups”: just change LDAP to WinNT in the query line. Managing an IIS server: add a virtual directory to IIS, change settings and …
    25. Summary: The traditional authentication system has some issues. Use the AD DS user database as the centralized authentication system. Use the DirectoryServices namespace to communicate with AD.
    26. Questions & Answers
    27. Resources: Codeproject.com (thund3rstruck and Uwe Keim); Msdn.microsoft.com; http://directoryprogramming.net
    28. Win Cool Prizes!!! Complete the Tech Insights contests and stand a chance to win many cool prizes… Look in your conference bags NOW!!
    29. We value your feedback! Please remember to complete the overall conference evaluation form (in your bag) and return it to the Registration Counter on the last day in return for a Limited Edition Gift.
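Slide 18 shows the credential check as a one-line DirectoryEntry constructor. The following is an added example, not code from the slides, of the same check done carefully: the bind is actually forced, an empty password is refused, the sAMAccountName is escaped before it goes into the LDAP filter, and the user must also be a member of an application group. It assumes ldapDomain and requiredGroupDn are supplied by the caller (as defined on slides 16 and 17) and that userName is the bare sAMAccountName.

```csharp
using System;
using System.DirectoryServices;
// Added example, not from the slides: validate a user's credentials with a real LDAP bind,
// then check group membership. ldapDomain and requiredGroupDn are caller-supplied placeholders.
public static class AdLogon
{
    // Escapes the characters that have meaning in an LDAP filter (RFC 4515), so that a
    // user-supplied name cannot change the query the application runs. Backslash goes first.
    public static string EscapeLdapFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }
    // True only when the bind with the supplied credentials succeeds AND the user is a direct
    // member of requiredGroupDn. Errors other than a rejected logon (e.g. DC unreachable)
    // propagate to the caller, so they are never reported as "wrong password".
    public static bool Authenticate(string ldapDomain, string userName, string password, string requiredGroupDn)
    {
        // An empty password makes ADSI perform an anonymous/unauthenticated bind, which can
        // succeed; never treat that as a valid logon.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        using (var root = new DirectoryEntry("LDAP://" + ldapDomain, userName, password,
                                             AuthenticationTypes.Secure))
        {
            try
            {
                object bound = root.NativeObject; // forces the bind; the constructor alone does not contact AD
            }
            catch (DirectoryServicesCOMException)
            {
                return false; // logon rejected by the domain controller
            }
            using (var searcher = new DirectorySearcher(root))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeLdapFilter(userName) + "))";
                searcher.PropertiesToLoad.Add("memberOf");
                SearchResult user = searcher.FindOne();
                if (user == null) return false;
                foreach (object groupDn in user.Properties["memberOf"])
                    if (string.Equals((string)groupDn, requiredGroupDn, StringComparison.OrdinalIgnoreCase))
                        return true;
                return false; // authenticated, but not authorized for this application
            }
        }
    }
}
```

Because memberOf lists only direct memberships, nested groups are not honoured here; expand them separately if your authorization model needs them.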
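Slides 20 to 22 toggle userAccountControl with raw hex constants. As an added example (not code from the slides), the same bits as a named [Flags] enum, a helper that sets or clears exactly one flag and commits, and a pure function that reports the flags an administrator would want to review on an account. The enum values are the documented ADS_USER_FLAG constants; userDn is the distinguishedName defined on slide 17.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
// Added example, not from the slides. Values are the documented ADS_USER_FLAG constants.
[Flags]
public enum UserAccountControl
{
    AccountDisable             = 0x00000002, // ADS_UF_ACCOUNTDISABLE (slides 21/22 use 0x2)
    PasswdNotRequired          = 0x00000020, // ADS_UF_PASSWD_NOTREQD
    NormalAccount              = 0x00000200, // ADS_UF_NORMAL_ACCOUNT
    DontExpirePassword         = 0x00010000, // ADS_UF_DONT_EXPIRE_PASSWD
    TrustedForDelegation       = 0x00080000, // ADS_UF_TRUSTED_FOR_DELEGATION (slide 20 uses 0x80000)
    DontRequirePreauth         = 0x00400000, // ADS_UF_DONT_REQ_PREAUTH
    TrustedToAuthForDelegation = 0x01000000  // ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION
}
public static class AccountControl
{
    public static UserAccountControl Read(DirectoryEntry user)
    {
        return (UserAccountControl)(int)user.Properties["userAccountControl"].Value;
    }
    // Sets or clears exactly the bits in 'flag', leaves the others untouched, then commits.
    public static void SetFlag(string userDn, UserAccountControl flag, bool on)
    {
        using (var user = new DirectoryEntry("LDAP://" + userDn))
        {
            UserAccountControl current = Read(user);
            UserAccountControl updated = on ? current | flag : current & ~flag;
            user.Properties["userAccountControl"].Value = (int)updated;
            user.CommitChanges();
        }
    }
    public static void Enable(string userDn)  { SetFlag(userDn, UserAccountControl.AccountDisable, false); }
    public static void Disable(string userDn) { SetFlag(userDn, UserAccountControl.AccountDisable, true); }
    // Pure function (no directory access), so it can be run over any userAccountControl value
    // pulled from AD: returns the flags that weaken the account and should be reviewed.
    public static List<UserAccountControl> RiskyFlags(int userAccountControl)
    {
        var uac = (UserAccountControl)userAccountControl;
        var risky = new List<UserAccountControl>();
        foreach (var flag in new[] { UserAccountControl.PasswdNotRequired, UserAccountControl.DontExpirePassword,
                                     UserAccountControl.TrustedForDelegation, UserAccountControl.DontRequirePreauth,
                                     UserAccountControl.TrustedToAuthForDelegation })
            if ((uac & flag) == flag) risky.Add(flag);
        return risky;
    }
}
```

For a normal enabled user, RiskyFlags(0x200) returns an empty list; for the account slide 20 produces (0x200 | 0x80000) it returns TrustedForDelegation, which is exactly the kind of change that should be logged and approved.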