Using AD for web authentication

From: Nils Magnus Englund (nils.magnus.englund_at_orkfin.no)
Date: 12/28/04


Date: Tue, 28 Dec 2004 10:18:35 +0100

Hi,

I use a dedicated AD server for servicing web accounts only. I want to use
only the users' accounts for communicating with the AD server. Even if the web
server is compromised, I don't want it to be easy for the malicious hacker
to see what users are in the AD (the AD accounts don't have the permission
to list users in the AD).

1. One problem is that I want to use AD's built-in functionality for
authentication and its password policy, so I won't have to deal with that
sort of thing outside the AD. But when I try to log in as a user, I simply
get to know whether the login was successful or not - in case the login was
not successful, I need to know why (so I can display a suitable error
message to the user, e.g. "Wrong password", "Account locked"). How can I do
this? Will I have to use a service account of some sort, or should I manage
with the actual users themselves?

2. After a password expires, I still want the user to be able to log in, but
force him/her to change his/her password before continuing. Is this possible?
How? If not, how can I get the same functionality?

3. And finally, are there any best practices when it comes to using AD for
storing, managing and authenticating web users?

I'm in a bit of a pinch, so I would appreciate any and all feedback heading
my way! :)

Thanks!

Regards,
Nils Magnus Englund
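On question 1, an added example (not part of the original post): Active Directory answers every failed simple bind with LDAP result 49 (invalidCredentials) and puts the real cause into the diagnostic message as a hex "data" sub-code (525 user not found, 52e bad password, 532 password expired, 533 disabled, 701 account expired, 773 must reset password, 775 locked out, and so on). No service account is needed to read it; it comes back on the user's own failed bind. The code below parses that message and maps it to a log-only reason, a browser-safe message, and a flag for the "must change password" case from question 2. It assumes a client such as the ldap3 library, where the result code and diagnostic text would be taken from `conn.result['result']` and `conn.result['message']` after `conn.bind()`; the sample messages are constructed, and only the parsing and mapping is shown, so it runs offline.

```python
"""Classify an Active Directory LDAP bind failure from its diagnostic message.

Added example, not from the original post.  Assumptions: the web app binds
over LDAPS as the user being authenticated (e.g. with ldap3, reading
conn.result['result'] and conn.result['message'] after a failed conn.bind()).
"""
import re
from dataclasses import dataclass
from typing import Optional

# AD's AcceptSecurityContext sub-codes carried in the "data" field of the
# diagnostic message for LDAP result 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# Browser-facing text.  Anything not listed collapses to the generic message so
# the response does not reveal whether a user name exists or is disabled,
# which would otherwise let an attacker enumerate accounts through the web app.
GENERIC_USER_MESSAGE = "Login failed. Check your user name and password."
USER_MESSAGES = {
    "532": "Your password has expired and must be changed before you can continue.",
    "773": "You must change your password before you can continue.",
    "775": "Your account is locked. Please contact support.",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass
class BindOutcome:
    ok: bool
    reason: str                 # precise cause, for server-side logs only
    user_message: str           # text it is safe to return to the browser
    must_change_password: bool  # route the user into a change-password flow


def parse_data_code(diagnostic_message: str) -> Optional[str]:
    """Return the lower-cased hex 'data' code from an AD diagnostic message, or None."""
    m = _DATA_RE.search(diagnostic_message or "")
    return m.group(1).lower() if m else None


def classify_bind(result_code: int, diagnostic_message: str = "") -> BindOutcome:
    """Turn an LDAP bind result (code plus diagnostic text) into a BindOutcome."""
    if result_code == 0:
        return BindOutcome(True, "bind succeeded", "", False)

    # Only result 49 carries an AD sub-code; other codes (e.g. 32 noSuchObject
    # on a bad bind DN) are reported as-is and shown generically.
    code = parse_data_code(diagnostic_message) if result_code == 49 else None
    reason = AD_BIND_DATA_CODES.get(
        code, f"bind failed (LDAP result {result_code}, data {code})")
    user_message = USER_MESSAGES.get(code, GENERIC_USER_MESSAGE)
    must_change = code in ("532", "773")
    return BindOutcome(False, reason, user_message, must_change)


if __name__ == "__main__":
    # Constructed sample diagnostic messages in the shape AD returns them.
    samples = [
        (0, ""),
        (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"),
        (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"),
        (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"),
    ]
    for rc, msg in samples:
        o = classify_bind(rc, msg)
        print(f"{rc:>2} {o.reason!r:45} -> {o.user_message!r}")
```

Two design points worth keeping even if the mapping table is edited: log the precise `reason` on the server, but return only `user_message` to the browser, and keep "user not found" and "wrong password" on the same generic text. For the 532/773 cases the bind itself still fails, so `must_change_password` is only a signal to send the user into a separate change-password flow rather than a way to log them in with the expired credential.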


