Re: customer authentication center

On Feb 13, 2:05 am, "Sergei Karimov" <OverDrone_Tr...@xxxxxxx> wrote:
Hi, Guru!
There are several company web sites (ASP.NET) that use forms authentication.
For now each web site has it's own customer (web site end user)
login/password database.
The idea is to merge all login info into one secure repository. There are
several benefits: customers will be able to use single login for all web
sites, simplified administration and others...
In future some web sites and customers will use sertificates to login and/or
perform critical operations, so this center must support PKI.

I googled and found MS Product - ADAM (Active Directory Application Mode),
standalone LDAP repository. And there are several questions that I couldn't
find info in documentation:
1. Is MS ADAM appropriate for this task?
2.Is it possible to set up several instances of ADAM that share same
repository using synchronization (similar to AD)?
3. How password in LDAP repository stored - in clear text or encrypted
(let's say by some one way hash)? If it's encrypted, what algorithm is used
and is it possible to change it?
4. Has certificate based authentication (in PKI) anything to do with LDAP
and ADAM?  If there is no any integration then some additional
module/delegate must be implemented to route authorization request based on
type (certificate based authorization is routed to PKI CA and login/password
based authorization is routed to ADAM via LDAP)...
5. Is it possible to store in ADAM repository such information as (per
application or web site): user roles, grants? What are the common practices
to store and manage this kind of data in LDAP repository such as ADAM?
6. Are there any problems setting up LDAP over SSL?

I would appreciate to receive an answer to any question...

I agree with all of the answers above, except that if you are
seriously going down the path of a certificate-based authentication
system you may want to consider setting up regular AD instead of ADAM.
AD provides deep integration with server-side Schannel (the SSL
authentication package) to properly validate a client certificate and
map it to a user account. The mechanism is very flexible, but well
tested and secure. If you went the ADAM route, you'd have to write (or
have someone write) the mapping function for you. There seems little
good reason to do this since it is built in to AD/Windows/IIS.

Maybe someone has a good reason not to use a separate AD for
customers, but I'm not aware of any real blocking issues.

HTH,
Dave
.

Relevant Pages

  • customer authentication center
    ... For now each web site has it's own customer ... In future some web sites and customers will use sertificates to login and/or ... I googled and found MS Product - ADAM, ... How password in LDAP repository stored - in clear text or encrypted ...
    (microsoft.public.windows.server.active_directory)
  • RE: SBS 2003 Activesync Problem-getting 0x85010004 error on the PD
    ... Please open IIS manager console, navigate to Web Sites->Default Web Site ... Click Directory Security tap, Under Authentication and access control, ... When opening a new thread via the web interface, we recommend you check the ...
    (microsoft.public.windows.server.sbs)
  • RE: SBS 2003 Activesync Problem-getting 0x85010004 error on the PDA
    ... when access Activesync on PDA. ... Please open IIS manager console, navigate to Web Sites->Default Web Site ... Click Directory Security tap, Under Authentication and access control, ...
    (microsoft.public.windows.server.sbs)
  • RE: CEICW-OMA errors
    ... Please double confirm the settings of the default Web Site settings as ... Open IIS Manager, navigate Web site -> Default Web Site, right click it ... Authentication Methods: ...
    (microsoft.public.windows.server.sbs)
  • Re: OWA and RWW not accessible.
    ... In Authentication and Access Control... ... Is all of this correct on your SBS server? ... Open the Web site home page, and then look for links to the information ...
    (microsoft.public.windows.server.sbs)