Re: Use of Active Directory vs Database (e.g. SQL server)

In my book, the main reason to use ADAM for authentication is that it
already provides a lot of useful semantics for user accounts that you have
to build yourself. For example, ADAM already supports secure storage of
hashed passwords, password policies, permissions around password changes and
password resets and a built in notion of groups. It also provides good
integration with AzMan to provide application-level authorization services.
Finally, ADAM (now) supports Digest authentication which is a secure
authentication protocol, as well as simple bind via SSL/LDAP which is also
secure. These both provide an easy mechanism to secure your authentication
traffic.

If you go with SQL for the user store, you have to build all that. Even
though there have been many articles written on how to properly store salted,
hashed passwords in a database, developers routinely get this wrong anyway
and as a result routinely compromise the security of their data and their
users.

However, if you have already bought SQL and know how to build all of this
stuff, ADAM seems less compelling.

From a scale perspective, either should work fine into the millions of
users.

Joe K.
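The salted, hashed password storage that Joe says you have to build yourself with a SQL user store, shown as an added example that is not part of this thread (Python with PBKDF2-HMAC-SHA256 and an in-memory SQLite table standing in for the SQL Server store; the iteration count, user names and passwords are constructed values):

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed parameters for this example; a real deployment tunes the
# iteration count to its hardware and raises it over time.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS):
    """PBKDF2-HMAC-SHA256; a fresh random salt per user gives distinct digests."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations

def create_user_table(conn: sqlite3.Connection) -> None:
    # Only salt, digest and iteration count are stored, never the plaintext.
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, "
                 "digest BLOB, iterations INTEGER)")

def add_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest, iters = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, digest, iters))

def verify_user(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest, iterations FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        # Spend the same work for unknown names so response time does not
        # reveal which accounts exist.
        hash_password(password, salt=b"\0" * SALT_BYTES)
        return False
    salt, stored, iters = row
    _, candidate, _ = hash_password(password, salt=salt, iterations=iters)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def demo() -> dict:
    """Constructed walkthrough: two users, same password, distinct digests."""
    conn = sqlite3.connect(":memory:")
    create_user_table(conn)
    add_user(conn, "alice", "correct horse battery staple")
    add_user(conn, "bob", "correct horse battery staple")
    digests = [r[0] for r in conn.execute("SELECT digest FROM users ORDER BY name")]
    return {"alice_ok": verify_user(conn, "alice", "correct horse battery staple"),
            "alice_wrong": verify_user(conn, "alice", "wrong password"),
            "unknown_user": verify_user(conn, "mallory", "anything"),
            "distinct_digests": digests[0] != digests[1]}
```

Storing the iteration count beside each digest is what lets you raise the work factor for existing users at their next successful login instead of all at once.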

"santosh" <santosh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8BF27D71-C0CA-4131-8E7D-0E225FBEF023@xxxxxxxxxxxxxxxx
> Thanks to both Simon and Robert for your responses.
>
> I have one question on each of your feedback.
>
> Simon:
> You have stated that SQL server is not a good choice for authentication.
> Could you elaborate why? or point me to any article/white paper on the
> comparison?
>
> Robert:
> To your point, the app is going to have its own SQL server database for OLTP
> and other business functionality. The app also has 3 physical tiers (and
> possibly more logical) and it has a web tier in the DMZ, an app tier inside
> the firewall and a database tier. So the choice we have is either to keep the
> authentication information in the already existing database or keep that in
> something like ADAM in the middle/web tier. Are you suggesting that ADAM is
> recommended only if we do not have SQL database at all? So, in our case, ADAM
> is not recommended?
>
> Thanks again and regards
>
>
> "Robert Moir" wrote:
>
>> santosh wrote:
>> > I am designing 2 enterprise applications for my client.
>> > One of them will be accessed only by internal users, meaning only the
>> > employees having a valid windows account on the client's domain.
>> > The other one is however for all the external users. The number for
>> > users will grow over time and could be over 100,000.
>> >
>> > For authentication and authorization purpose, I have recommended use
>> > of Active Directory. This will obviously work very well for the
>> > internal application. However, for the external application, I was
>> > little bit concerned on the scaling of this and was wondering if the
>> > use of a database will be more appropriate for this. (i.e. whether to
>> > use active directory or directly use database for authentication).
>> >
>> > What are the pros and cons in both of these approaches and which is
>> > the appropriate one for my scenario?
>>
>> I'd go with Simon's suggestion of ADAM, if the app is a large distributed
>> one that doesn't natively use its own database server already.
>>
>> It's worth remembering that Active Directory *is* based on database
>> technology already, and hence is pretty darn scalable in the right
>> circumstances.
>>
>> --
>> Rob Moir
>> Website - http://www.robertmoir.co.uk
>> Virtual PC 2004 FAQ -
>> http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
>> Kazaa - Software update services for your Viruses and Spyware.