Centralizing users’ authentication
at Active Directory level

    Hossein Sarshar
    Senior Web Developer
A Typical Authentication Scenario

[Diagram: 1000 users -> User DB of App 1, User DB of App 2, User DB of App 3, User DB of App n]
A Typical Authentication Scenario

[Diagram: Creation of 1000 * N Users; 1000 users -> User DB of App 1, User DB of App 2, User DB of App 3, User DB of App n]
What is the problem
 Huge amount of administrative effort.
 Redundant data across user management systems.
 Redundant development effort to build multiple user management systems.
 Adding one user requires redundant updates in all user databases.
 ...
A Typical Authentication Solution

[Diagram: 1000 users -> Centralized DB of Users -> Web App 1, Win App 1, Web App 2, Win App 2]
What is the problem of this solution?
  Doubt about the authentication mechanism used there.
  Can all applications trust it?

  This is only possible when all apps are purchased from a single vendor or from trusted vendors.
Important AD tasks
 Provides secure methods of data storage and retrieval.
 Secured centralized authentication mechanism.
 Forms a Windows domain.
 Controls users' access to any network resource in the defined domain(s).
 Secures users' authentication.
 …
Active Directory Preview
Active Directory Solution

[Diagram: 1000 local users -> Database of users, groups, … -> App 1, App 2, App 3, App 3]
Active Directory Solution
 Rely on AD for the basic authentication information and add a separate profile database for each application.
Benefits of this method
 Centralizes authentication on a trusted platform.
 Fewer user management systems.
 Reduces a huge amount of administrative effort.
 Adds an effective option to your application.
 Makes a single sign-on solution possible.
 Removes redundant user information.
 …
Some of AD protocols
 Kerberos
 A secured protocol used to authenticate users against the AD database.
   Interactive Logon
   Network Authentication
 LDAP (Lightweight Directory Access Protocol)
 This protocol is used to query AD for its objects.
 It is the way to communicate with AD.
     We as developers should use LDAP to communicate with AD
Exploration of System.DirectoryServices

In order to communicate with AD by LDAP protocol in .Net:
   Add the System.DirectoryServices assembly to your project ("Add the following section to web.config"):
   <assemblies>
       <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
   </assemblies>
   Include the System.DirectoryServices.ActiveDirectory and System.DirectoryServices namespaces.
Exploration of System.DirectoryServices

  Points of concern:
    The ASP.Net application must have appropriate permissions to communicate with AD.
    Make an impersonator class:
    using (new Impersonator("myUsername", "myDomainname", "myPassword"))
    {
       ... <code that executes under the new context> ...
    }

        It is strongly recommended that you do not use it unless necessary
Exploration of System.DirectoryServices

  Points of concern:
    Run query code on a different thread from your application (use non-blocking calls such as a web service or a new thread).
    Because of time-out issues, use ASP pages only for the view.
Terms before starting
1. friendlyDomainName: the non-qualified domain name (contoso, NOT contoso.com), as opposed to the FQDN
2. ldapDomain: the fully qualified domain such as contoso.com or dc=contoso,dc=com
3. objectPath: the fully qualified path to the object: CN=user,CN=USERS,DC=contoso,DC=com (same as objectDn)
4. objectDn: the distinguishedName of the object: CN=group,CN=GROUPS,DC=contoso,DC=com
Terms before starting
5. userDn: the distinguishedName of the user: CN=user,OU=USERS,DC=contoso,DC=com
6. groupDn: the distinguishedName of the group: CN=group,OU=GROUPS,DC=contoso,DC=com
What is possible now!
 Authenticate users against active directory:
 DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
 object native = entry.NativeObject; // the constructor does not bind; this forces the bind and throws on bad credentials

 Add/remove a user to/from a group:
 DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + groupDn);
 dirEntry.Properties["member"].Add(userDn);   // use .Remove(userDn) to take the user out of the group
 dirEntry.CommitChanges();
 dirEntry.Close();
Some more feasibility
   User creation:
string oGUID = string.Empty;
string connectionPrefix = "LDAP://" + ldapPath;
DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix);
DirectoryEntry newUser = dirEntry.Children.Add("CN=" + userName, "user");
newUser.Properties["samAccountName"].Value = userName;
newUser.CommitChanges();                       // the object must exist before a password can be set
oGUID = newUser.Guid.ToString();
newUser.Invoke("SetPassword", new object[] { userPassword });
newUser.CommitChanges();
dirEntry.Close();
newUser.Close();
Some more feasibility
   Password issues:
int val = (int)newUser.Properties["userAccountControl"].Value; // newUser is a DirectoryEntry object
newUser.Properties["userAccountControl"].Value = val | 0x80000; // ADS_UF_TRUSTED_FOR_DELEGATION
// 0x80000 enables unconstrained Kerberos delegation for the account and is not a password
// setting; review whether it is really required before committing.
newUser.CommitChanges();
Some more feasibility
   Enabling a user:
DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
int val = (int)user.Properties["userAccountControl"].Value;
user.Properties["userAccountControl"].Value = val & ~0x2; // clear ADS_UF_ACCOUNTDISABLE

user.CommitChanges();
user.Close();
Some more feasibility
   Disabling a user:
DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn);
int val = (int)user.Properties["userAccountControl"].Value;
user.Properties["userAccountControl"].Value = val | 0x2; // set ADS_UF_ACCOUNTDISABLE

user.CommitChanges();
user.Close();
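Added example, not from the deck: the enable/disable snippets above are read-modify-write operations on userAccountControl, and the "Password issues" slide sets bit 0x80000 (ADS_UF_TRUSTED_FOR_DELEGATION). That bit grants unconstrained Kerberos delegation, which lets the account act on behalf of any user who authenticates to it, so a defender wants to know which accounts carry it. The class below folds the bit manipulation into one helper that commits only when a bit actually changed, and adds an audit search for enabled accounts with the delegation bit using the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803. The domain name is a placeholder; the flag values are the documented ADS_USER_FLAG constants.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not part of the original deck. Assumes a reference to
// System.DirectoryServices; "contoso.com" is a placeholder domain.
public static class AccountControl
{
    // Documented ADS_USER_FLAG values used here.
    public const int AccountDisable       = 0x2;      // ADS_UF_ACCOUNTDISABLE
    public const int NormalAccount        = 0x200;    // ADS_UF_NORMAL_ACCOUNT
    public const int DontExpirePassword   = 0x10000;  // ADS_UF_DONT_EXPIRE_PASSWD
    public const int TrustedForDelegation = 0x80000;  // ADS_UF_TRUSTED_FOR_DELEGATION

    // Pure bit test so the flag logic can be checked without a directory.
    public static bool HasFlag(int userAccountControl, int flag)
    {
        return (userAccountControl & flag) == flag;
    }

    // Compute the new flag word: only the requested bit changes, every other bit is kept.
    public static int WithFlag(int userAccountControl, int flag, bool set)
    {
        return set ? (userAccountControl | flag) : (userAccountControl & ~flag);
    }

    // Enable or disable an account. userDn is a distinguished name; the LDAP:// prefix is
    // required or the bind fails. Returns the flag word that is now stored.
    public static int SetEnabled(string userDn, bool enabled)
    {
        using (var user = new DirectoryEntry("LDAP://" + userDn))
        {
            int current = (int)user.Properties["userAccountControl"].Value;
            int updated = WithFlag(current, AccountDisable, set: !enabled);
            if (updated != current)
            {
                user.Properties["userAccountControl"].Value = updated;
                user.CommitChanges(); // nothing reaches the directory until this call
            }
            return updated;
        }
    }

    // List enabled user accounts that carry the unconstrained-delegation bit. The matching
    // rule LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) makes the DC test the bit,
    // and the negated clause drops disabled accounts from the result.
    public static List<string> FindUnconstrainedDelegationAccounts(string ldapDomain)
    {
        var found = new List<string>();
        using (var root = new DirectoryEntry("LDAP://" + ldapDomain))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                              "(userAccountControl:1.2.840.113556.1.4.803:=" + TrustedForDelegation + ")" +
                              "(!(userAccountControl:1.2.840.113556.1.4.803:=" + AccountDisable + ")))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PageSize = 500; // paged results, so large domains are not cut off at the server limit

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    found.Add((string)r.Properties["distinguishedName"][0]);
            }
        }
        return found;
    }
}
```

The audit query is the check to run after any code path that ORs 0x80000 into userAccountControl: on a healthy domain the list is short and contains only servers that genuinely need delegation, so a user account showing up in it is a finding.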
Some more …
 Create/delete groups.
 Check for the existence of an AD object.
 Enumerate all AD objects such as forests, domain controllers, global catalogs etc. in a specific location such as a domain or OU.
 Add/remove trust relationships.
Other applications of DirectoryServices
  Managing the local security database "Users and Groups": just change LDAP to WinNT in the query line.
  Managing the IIS server.
  Adding a virtual directory to IIS, changing settings and …
Summary
 Traditional authentication systems have some issues.
 Use the AD DS user database as the centralized authentication system.
 Use the DirectoryServices namespace to communicate with AD.
Questions & Answers
Resources
Codeproject.com - thund3rstruck and Uwe Keim
Msdn.microsoft.com
http://directoryprogramming.net
Win Cool Prizes!!!
   Complete the Tech Insights contests
   and stand a chance to win many cool
   prizes…




   Look in your conference bags NOW!!
We value your feedback!

Please remember to complete the
overall conference evaluation form (in
your bag) and return it to the
Registration Counter on the last day in
return for a Limited Edition Gift
