Nowadays, the network structure of most companies is based on Active Directory. Developers can take advantage of this by building applications that work with the Active Directory user management system and its authentication protocols. A user's single domain logon is then enough to access your application securely, and the resulting system significantly reduces development and administrative effort.
3. A Typical Authentication Scenario
[Diagram: 1000 users; App 1, App 2, App 3 ... App n each keep their own user DB]
4. A Typical Authentication Scenario
[Diagram: the same 1000 users have to be created in every application's user DB, i.e. 1000 * N user records]
5. What is the problem?
A huge amount of administrative effort.
Redundant data across the user management systems.
Redundant development effort to build multiple user management systems.
Adding one user requires redundant updates in all user databases.
...
6. A Typical Authentication Solution
[Diagram: 1000 users authenticate against one centralized DB of users, shared by Web App 1, Win App 1, Web App 2, Win App 2]
7. What is the problem of this solution?
Doubts about the authentication mechanism used there.
Can all applications trust it?
That is only possible when all of the apps are purchased from a single vendor or from trusted vendors.
9. Important AD tasks
Provides secure methods of data storage and retrieval.
Provides a secure, centralized authentication mechanism.
Forms a Windows domain.
Controls users' access to network resources in the defined domain(s).
Secures users' authentication.
…
13. Active Directory Solution
Rely on AD for the basic authentication information and add a separate profile database for each application.
14. Benefits of this method
Centralizes authentication on a trusted platform.
Reduces the number of user management systems.
Reduces a huge amount of administrative effort.
Adds an effective option to your application.
Makes a single sign-on solution possible.
Removes redundant user information.
…
15. Some of AD protocols
Kerberos
A secure protocol used to authenticate users against the AD database.
Interactive Logon
Network Authentication
LDAP (Lightweight Directory Access Protocol)
This protocol is used to query AD for its objects and to communicate with AD in general.
We as developers should use LDAP to communicate with AD. Use it over a signed and sealed (Negotiate/Kerberos) or TLS-protected connection: a plain LDAP simple bind sends the password in clear text.
16. Exploration of System.DirectoryServices
In order to communicate with AD by the LDAP protocol in .NET:
Add a reference to the System.DirectoryServices assembly in your project. For an ASP.NET site, add the following section under <system.web><compilation> in web.config:
<assemblies>
<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
</assemblies>
Include the System.DirectoryServices.ActiveDirectory and System.DirectoryServices namespaces.
17. Exploration of System.DirectoryServices
Points of concern:
The ASP.NET application (the identity its worker process runs as) must have appropriate permissions to communicate with AD.
If it does not, make an impersonator class that runs a block of code under another account:
using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
{
    ... <code that executes under the new context> ...
}
It is strongly recommended that you do not use this unless necessary: the impersonated account's credentials have to be stored somewhere the application can read them, so keep them out of source code and give that account only the directory permissions it actually needs.
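The deck does not show what the Impersonator class looks like. The following is an added example (not the deck's own code) of a minimal disposable implementation for .NET Framework: it obtains a token with LogonUser and impersonates it for the lifetime of the using block. The class name, parameter order and the LOGON32_LOGON_NEW_CREDENTIALS choice are assumptions; that logon type is used because the code needs to reach a domain controller over the network with the supplied credentials rather than log on interactively.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: a disposable Impersonator for .NET Framework (WindowsIdentity.Impersonate).
// On .NET Core / .NET 5+ use WindowsIdentity.RunImpersonated with the same token instead.
public sealed class Impersonator : IDisposable
{
    // Constants from winbase.h. NEW_CREDENTIALS keeps the caller's local identity but uses the
    // supplied credentials for outbound network connections (e.g. LDAP to a domain controller);
    // it requires the WINNT50 provider.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                         int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private readonly IntPtr _token;
    private readonly WindowsImpersonationContext _context;

    // Credentials are assumed to come from a protected config section or a secret store,
    // never from string literals in source.
    public Impersonator(string userName, string domainName, string password)
    {
        if (!LogonUser(userName, domainName, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out _token))
        {
            // Surfaces the Win32 reason (bad password, locked-out or disabled account, ...).
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            _context = WindowsIdentity.Impersonate(_token);
        }
        catch
        {
            CloseHandle(_token);   // do not leak the token if impersonation itself fails
            throw;
        }
    }

    public void Dispose()
    {
        _context.Undo();           // always revert, even when the using block threw
        CloseHandle(_token);
    }
}
```

If the only thing that needs the other identity is the directory call itself, the simpler option is to pass the credentials to the DirectoryEntry constructor (as on the authentication slide) and avoid thread-level impersonation altogether.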
18. Exploration of System.DirectoryServices
Points of concern:
Run the query code on a different thread from your application's request thread (use non-blocking calls such as a web service call or a new thread).
Because of time-out issues, use ASP pages only for the view.
19. Terms before starting
1. friendlyDomainName: the non-qualified (NetBIOS) domain name, not the FQDN (contoso - NOT contoso.com)
2. ldapDomain: the fully qualified domain, such as contoso.com or dc=contoso,dc=com
3. objectPath: the fully qualified path to the object: CN=user,CN=USERS,DC=contoso,DC=com (same as objectDn)
4. objectDn: the distinguishedName of the object: CN=group,CN=GROUPS,DC=contoso,DC=com
20. Terms before starting
5. userDn: the distinguishedName of the user: CN=user,OU=USERS,DC=contoso,DC=com
6. groupDn: the distinguishedName of the group: CN=group,OU=GROUPS,DC=contoso,DC=com
21. What is possible now!
Authenticate users against Active Directory (constructing the DirectoryEntry does not contact the server by itself; reading NativeObject forces the bind, which throws on bad credentials):
DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
object native = entry.NativeObject; // throws DirectoryServicesCOMException if the bind fails
Add/remove a user to/from a group:
DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn);
dirEntry.Properties["member"].Add(userDn); // or .Remove(userDn) to take the user out of the group
dirEntry.CommitChanges();
dirEntry.Close();
22. Some more feasibility
User creation (ldapPath is the DN of the container or OU that will hold the new user, e.g. OU=USERS,DC=contoso,DC=com):
string oGUID = string.Empty;
string connectionPrefix = "LDAP://" + ldapPath;
DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix);
DirectoryEntry newUser = dirEntry.Children.Add("CN=" + userName, "user");
newUser.Properties["samAccountName"].Value = userName;
newUser.CommitChanges(); // the object must exist in the directory before a password can be set
oGUID = newUser.Guid.ToString();
newUser.Invoke("SetPassword", new object[] { userPassword });
newUser.CommitChanges();
dirEntry.Close();
newUser.Close();
// A user created this way starts out disabled; see "Enabling a user" below.
23. Some more feasibility
Password issues:
int val = (int) newUser.Properties["userAccountControl"].Value;
//newUser is a DirectoryEntry object
newUser.Properties["userAccountControl"].Value = val | 0x80000; //ADS_UF_TRUSTED_FOR_DELEGATION
newUser.CommitChanges();
Note that 0x80000 (ADS_UF_TRUSTED_FOR_DELEGATION) is not a password option: it marks the account as trusted for unconstrained Kerberos delegation and should not be set on an ordinary user account. The password-related userAccountControl bits are 0x20 (ADS_UF_PASSWD_NOTREQD) and 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD).
24. Some more feasibility
Enabling a user (0x2 is ADS_UF_ACCOUNTDISABLE; clearing it enables the account):
DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
int val = (int)user.Properties["userAccountControl"].Value;
user.Properties["userAccountControl"].Value = val & ~0x2; //clear ADS_UF_ACCOUNTDISABLE
user.CommitChanges();
user.Close();
25. Some more feasibility
Disabling a user (set ADS_UF_ACCOUNTDISABLE):
DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
int val = (int)user.Properties["userAccountControl"].Value;
user.Properties["userAccountControl"].Value = val | 0x2; //set ADS_UF_ACCOUNTDISABLE
user.CommitChanges();
user.Close();
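Slides 22 to 25 are the steps of one provisioning procedure: create the object, set the password, then fix up userAccountControl. The following added example (not the deck's code) carries the whole procedure through in one class, with the userAccountControl bits named so that the meaning of each mask is visible and the delegation flag from slide 23 is kept out of the default path. The class and method names and the containerDn value are assumptions; the password is assumed to satisfy the domain policy.

```csharp
using System;
using System.DirectoryServices;

// Added example: create a user, set its password and enable it in one flow. Assumes the caller's
// identity may create objects in containerDn, e.g. "OU=USERS,DC=contoso,DC=com".
public static class AdProvisioning
{
    // userAccountControl bits referenced on the slides (ADS_USER_FLAG_ENUM).
    [Flags]
    public enum UserFlags
    {
        AccountDisable       = 0x2,
        PasswdNotRequired    = 0x20,
        NormalAccount        = 0x200,
        DontExpirePassword   = 0x10000,
        TrustedForDelegation = 0x80000,   // unconstrained delegation: not set by this class
    }

    // The slides' "val | 0x2" and "val & ~0x2" as one helper, with no directory round-trip.
    public static int SetFlags(int current, UserFlags flags, bool on)
    {
        return on ? current | (int)flags : current & ~(int)flags;
    }

    // Returns the new user's distinguishedName (the userDn used elsewhere).
    public static string CreateEnabledUser(string containerDn, string samAccountName, string password)
    {
        using (var container = new DirectoryEntry("LDAP://" + containerDn))
        using (DirectoryEntry user = container.Children.Add("CN=" + samAccountName, "user"))
        {
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.CommitChanges();                       // object must exist before SetPassword

            user.Invoke("SetPassword", new object[] { password });
            user.CommitChanges();

            // A freshly created account is disabled and flagged "password not required".
            // Clear both so the domain password policy applies and the account can log on.
            int uac = (int)user.Properties["userAccountControl"].Value;
            uac = SetFlags(uac, UserFlags.AccountDisable | UserFlags.PasswdNotRequired, false);
            uac = SetFlags(uac, UserFlags.NormalAccount, true);
            user.Properties["userAccountControl"].Value = uac;
            user.CommitChanges();

            return (string)user.Properties["distinguishedName"].Value;
        }
    }

    // Enable or disable an existing user by toggling ADS_UF_ACCOUNTDISABLE only.
    public static void SetEnabled(string userDn, bool enabled)
    {
        using (var user = new DirectoryEntry("LDAP://" + userDn))
        {
            int uac = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = SetFlags(uac, UserFlags.AccountDisable, !enabled);
            user.CommitChanges();
        }
    }
}
```

The sAMAccountName is used unchanged as the CN here; if it can contain characters that are special in a DN (comma, plus, quote, backslash, angle brackets, semicolon, equals), escape them before building "CN=" + name.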
26. Some more …
Create/delete groups.
Check for the existence of an AD object.
Enumerate AD objects such as forests, domain controllers, global catalogs etc. in a specific location such as a domain or OU.
Add/remove trust relationships.
27. Other applications of DirectoryServices
Managing the local security database ("Users and Groups"): just change LDAP to WinNT in the path of the query.
Managing an IIS server (IIS provider): add a virtual directory to IIS, change settings and
…
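As an added example of the WinNT provider mentioned above (not code from the deck), the class below lists the members of a local group and adds a domain account to it with the same DirectoryEntry API, only the path prefix and object naming change. The class and method names are assumptions; it is assumed to run as a local administrator on the machine, and the member path must name the domain, not the local machine, for a domain account.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example: the local SAM through the WinNT provider. Object paths have the form
// WinNT://<machine>/<name>,<class>; the trailing class avoids ambiguity between users and groups.
public static class LocalGroups
{
    private static string GroupPath(string groupName)
    {
        return "WinNT://" + Environment.MachineName + "/" + groupName + ",group";
    }

    // Members of a local group, e.g. "Administrators", as ADsPath strings such as WinNT://CONTOSO/alice.
    public static List<string> GetMembers(string groupName)
    {
        var members = new List<string>();
        using (var group = new DirectoryEntry(GroupPath(groupName)))
        {
            // The WinNT provider exposes membership through IADsGroup.Members, reached via Invoke.
            foreach (object member in (IEnumerable)group.Invoke("Members"))
            {
                using (var entry = new DirectoryEntry(member))
                    members.Add(entry.Path);
            }
        }
        return members;
    }

    // Add a domain user to a local group. IADsGroup.Add takes effect immediately; no CommitChanges needed.
    public static void AddDomainUser(string groupName, string domainName, string userName)
    {
        using (var group = new DirectoryEntry(GroupPath(groupName)))
        {
            group.Invoke("Add", new object[] { "WinNT://" + domainName + "/" + userName + ",user" });
        }
    }
}
```

Because Invoke("Add") changes group membership on the spot, call it only after the input has been validated; there is no pending-change step to cancel.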
29. Summary
Traditional authentication systems have some issues.
Use the AD DS user database as the centralized authentication system.
Use the DirectoryServices namespace to communicate with AD.
32. Win Cool Prizes!!!
Complete the Tech Insights contests
and stand a chance to win many cool
prizes…
Look in your conference bags NOW!!
33. We value your feedback!
Please remember to complete the
overall conference evaluation form (in
your bag) and return it to the
Registration Counter on the last day in
return for a Limited Edition Gift