Re: Using AD for web authentication

From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 12/28/04


Date: Tue, 28 Dec 2004 08:49:51 -0500

Interesting.

> 1. One problem is that I want to use AD's builtin functionality for
> authentication and its password policy, so I won't have to deal with that
> sort of thing outside the AD. But when I try to log in as a user, I simply
> get to know whether the login was successful or not - in case the login was
> not successful, I need to know why (so I can display a suitable error
> message to the user, i.e. "Wrong password, account locked"). How can I do
> this? Will I have to use a service account of some sort, or should I manage
> with the actual users themselves?

When you wrote the page, what language and what methods did you follow? If
you used a try/catch routine, you may be able to catch the error and parse
the meaning. If you used ADSI, I believe it returns the reason during the
transaction cycle. I'm thinking of the IADsOpenDSObject method, but the idea
should make it across other methods.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadscontainer_getobject.asp

> 2. After a password expires, I still want the user to be able to log in, but
> force him/her to change password before continuing. Is this possible? How?
> If not, how can I get the same functionality?

When you say login, what exactly do you mean by that? In this case, the
user has not authenticated except as the 'old user' when the password
expiration was checked. Some already written applications, such as Exchange
5.5's OWA, have done this by checking for the expiration of the account and
presenting it to the user. Changing the password comes in the example of
IISWEB.

Using IADsUser might be of value for you.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/security_properties.asp

I think it might also be worth mentioning that you may get some great ideas
on scripting newsgroups vs. this one. What you're looking for we can
provide, but the scripting expertise of how to get it is on other newsgroups
(usually).

> 3. And finally, are there any best practices when it comes to using AD for
> storing, managing and authenticating web users?

Yes, there are.

For example, use a separate forest if using AD. You probably already are,
but...

What you may want to consider, if you need some sort of read access to the
directory as a whole, is to allow the machine account to have that access
vs. a user account. In your environment that doesn't sound like your
security policy will support that so you should check to make sure that the
system account can't enumerate the DIT same as any logged on user (or any
object for that matter other than the DC). Otherwise, what's the point,
right?
You probably want to restrict access to the AD environment to only being
accessed by the web server with the application. You may also want to
consider ISA as a way to publish the application. I'm sure there are more
ideas, but I think that gives some high-level ideas to get you down the
path....

Using ADAM would have saved you some of the overhead of DNS, etc that Active
Directory has. You still likely would have wanted AD in place behind ADAM
for the authentication mechanisms. I don't see a better way to do it off
the top of my head.

One last idea that may be useful. It *sounds* like an auditor or other got
hold of the application. Whoever is sending the requirements your way may
have something in mind and it may be useful to know what that is.
Otherwise, you may solve the problem but not to the satisfaction of the
driver. I could be off-base on that :)

> I'm in a bit of a pinch, so I would appreciate any and all feedback heading
> my way! :)
"Nils Magnus Englund" <nils.magnus.englund@orkfin.no> wrote in message
news:OzIn24L7EHA.824@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> I use a dedicated AD server for servicing web accounts only. I want to use
> only the users account for communicating with the AD server. Even if the
> web server is compromised, I don't want it to be easy for the malicious
> hacker to see what users are in the AD (the AD accounts don't have the
> permission to list users in the AD).
>
> 1. One problem is that I want to use AD's builtin functionality for
> authentication and its password policy, so I won't have to deal with that
> sort of thing outside the AD. But when I try to log in as a user, I simply
> get to know whether the login was successful or not - in case the login
> was not successful, I need to know why (so I can display a suitable error
> message to the user, i.e. "Wrong password, account locked"). How can I do
> this? Will I have to use a service account of some sort, or should I
> manage with the actual users themselves?
>
> 2. After a password expires, I still want the user to be able to log in,
> but force him/her to change password before continuing. Is this possible?
> How? If not, how can I get the same functionality?
>
> 3. And finally, are there any best practices when it comes to using AD for
> storing, managing and authenticating web users?
>
> I'm in a bit of a pinch, so I would appreciate any and all feedback
> heading my way! :)
>
> Thanks!
>
>
> Regards,
> Nils Magnus Englund
>
>
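As an added example (not code from this thread or from the Microsoft pages it links), here is how a web login handler can get the "why" that question 1 asks for while still binding as the user rather than through a service account: Active Directory reports the failure reason as a sub-code in the diagnostic message of a failed bind, and two of those sub-codes (password expired, must change password at next logon) are exactly the cases question 2 wants to route to a change-password page instead of a plain denial. The sub-code table is the standard AD set; the `bind_and_classify` helper assumes the third-party ldap3 library and an LDAPS-enabled domain controller, and the user-facing messages are my own wording. The constructed diagnostic string in the demo mimics what a DC returns.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes Active Directory places in the diagnostic message of a failed
# LDAP bind ("... AcceptSecurityContext error, data 52e, v3839"). These are
# the standard AD bind sub-codes; the thread itself does not list them.
AD_BIND_SUBCODES = {
    "525": "user_not_found",
    "52e": "invalid_credentials",
    "530": "logon_time_restriction",
    "531": "workstation_restriction",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "must_change_password",
    "775": "account_locked",
}

# What the login page shows. user_not_found and invalid_credentials share one
# message on purpose, so the page cannot be used to tell valid names from
# invalid ones (the original poster already hides the user list from the
# accounts themselves; the error text should not undo that).
GENERIC_FAILURE = "The user name or password is incorrect."
USER_MESSAGES = {
    "user_not_found": GENERIC_FAILURE,
    "invalid_credentials": GENERIC_FAILURE,
    "logon_time_restriction": "Your account may not sign in at this time.",
    "workstation_restriction": "Your account may not sign in from here.",
    "password_expired": "Your password has expired. Please choose a new one.",
    "account_disabled": "This account is disabled. Contact support.",
    "account_expired": "This account has expired. Contact support.",
    "must_change_password": "You must change your password before continuing.",
    "account_locked": "This account is locked. Try again later or contact support.",
    "unknown": GENERIC_FAILURE,
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


@dataclass
class LoginOutcome:
    authenticated: bool          # bind succeeded with the supplied password
    reason: str                  # key from AD_BIND_SUBCODES, "ok" or "unknown"
    user_message: str            # text safe to show on the login page
    allow_password_change: bool  # route to a change-password page only


def classify_bind_result(bind_succeeded: bool, diagnostic: Optional[str]) -> LoginOutcome:
    """Turn a bind result plus AD's diagnostic message into a login decision.

    Only password_expired and must_change_password open the change-password
    path: the user proved knowledge of the old password, but is not let into
    the application proper until a new one has been set.
    """
    if bind_succeeded:
        return LoginOutcome(True, "ok", "", False)
    match = _DATA_RE.search(diagnostic or "")
    reason = AD_BIND_SUBCODES.get(match.group(1).lower(), "unknown") if match else "unknown"
    allow_change = reason in ("password_expired", "must_change_password")
    return LoginOutcome(False, reason, USER_MESSAGES[reason], allow_change)


def bind_and_classify(host: str, upn: str, password: str) -> LoginOutcome:
    """Simple bind over LDAPS as the user (no service account), then classify.

    Assumption: the third-party ldap3 package is installed; it is imported
    here so the parsing above works without it. A simple bind sends the
    password to the DC, hence use_ssl=True is not optional.
    """
    from ldap3 import Connection, Server, SIMPLE  # assumption: ldap3 available

    conn = Connection(Server(host, use_ssl=True), user=upn, password=password,
                      authentication=SIMPLE, raise_exceptions=False)
    ok = conn.bind()
    outcome = classify_bind_result(ok, conn.result.get("message", ""))
    conn.unbind()
    return outcome


if __name__ == "__main__":
    # Constructed diagnostic message in the shape a DC returns for a locked account.
    sample = ("80090308: LdapErr: DSID-0C09042A, comment: "
              "AcceptSecurityContext error, data 775, v3839")
    print(classify_bind_result(False, sample))
```

The actual password change after a 532 or 773 outcome is a separate operation (the ADSI route is IADsUser.ChangePassword, which takes the old and new password, so it still works without a service account); the handler above only decides which page the user lands on.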