Re: customer authentication center
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Feb 2008 10:39:19 -0600
Agree. There is no good story for ADAM with client cert auth yet. It
really isn't designed for that use case.
There are many deep mysteries surrounding doing client cert auth with LDAP
bind in general and none of it is documented anywhere, at least on the MS
platform. The schannel integration you get with Windows directly and IIS is
much more elegant but assumes Windows accounts (AD).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"DaveMo" <david.mowers@xxxxxxxxx> wrote in message
news:b3d2334e-7b34-4fc4-b115-1325649e3901@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 13, 2:05 am, "Sergei Karimov" <OverDrone_Tr...@xxxxxxx> wrote:
Hi, Guru!
There are several company web sites (ASP.NET) that use forms
authentication.
For now each web site has its own customer (web site end user)
login/password database.
The idea is to merge all login info into one secure repository. There are
several benefits: customers will be able to use a single login for all web
sites, simplified administration and others...
In future some web sites and customers will use certificates to login and/or
perform critical operations, so this center must support PKI.
I googled and found an MS product - ADAM (Active Directory Application Mode),
a standalone LDAP repository. And there are several questions that I
couldn't find info on in the documentation:
1. Is MS ADAM appropriate for this task?
2. Is it possible to set up several instances of ADAM that share the same
repository using synchronization (similar to AD)?
3. How are passwords in the LDAP repository stored - in clear text or encrypted
(let's say by some one-way hash)? If encrypted, what algorithm is used
and is it possible to change it?
4. Has certificate-based authentication (in PKI) anything to do with LDAP
and ADAM? If there is no integration then some additional
module/delegate must be implemented to route authorization requests based on
type (certificate-based authorization is routed to the PKI CA and login/password
based authorization is routed to ADAM via LDAP)...
5. Is it possible to store in the ADAM repository such information as (per
application or web site): user roles, grants? What are the common practices
to store and manage this kind of data in an LDAP repository such as ADAM?
6. Are there any problems setting up LDAP over SSL?
I would appreciate receiving an answer to any question...
I agree with all of the answers above, except that if you are
seriously going down the path of a certificate-based authentication
system you may want to consider setting up regular AD instead of ADAM.
AD provides deep integration with server-side Schannel (the SSL
authentication package) to properly validate a client certificate and
map it to a user account. The mechanism is very flexible, but well
tested and secure. If you went the ADAM route, you'd have to write (or
have someone write) the mapping function for you. There seems little
good reason to do this since it is built into AD/Windows/IIS.
Maybe someone has a good reason not to use a separate AD for
customers, but I'm not aware of any real blocking issues.
HTH,
Dave
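One way the "mapping function" Dave refers to could be written against ADAM, as an added example that is not from this thread or from any Microsoft sample. The host name, the customers OU, the service account DN and the use of the standard userCertificate attribute are assumptions; the point it shows is that the certificate is chain-validated first and then matched byte-for-byte, not by subject name.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Assumed: ADAM instance reachable over LDAPS on adam.example.local:636,
// customer objects under OU=Customers, each holding its public certificate
// in the userCertificate attribute (all names are hypothetical).
static class CertificateMapper
{
    const string AdamHost = "adam.example.local";
    const string UsersDn  = "OU=Customers,DC=example,DC=local";
    const string ServiceDn = "CN=svc-map,OU=Service,DC=example,DC=local";

    // Returns the DN of the customer whose stored certificate is identical
    // to the presented one, or null if the cert is untrusted or unmapped.
    public static string MapClientCertificate(X509Certificate2 clientCert, string servicePassword)
    {
        // 1. Validate the chain (including revocation) before any lookup;
        //    an unmapped-but-valid cert and an invalid cert both yield null.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(clientCert))
            return null;

        // 2. Exact binary match on userCertificate. Subject names are not
        //    unique and another CA could issue the same name, so do not map on them.
        string filter = "(&(objectClass=user)(userCertificate=" + EscapeBinary(clientCert.RawData) + "))";

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(AdamHost, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true;   // LDAPS, never a plaintext simple bind
            conn.AuthType = AuthType.Basic;
            conn.Credential = new NetworkCredential(ServiceDn, servicePassword);
            conn.Bind();

            var req = new SearchRequest(UsersDn, filter, SearchScope.Subtree, "distinguishedName");
            var res = (SearchResponse)conn.SendRequest(req);
            // Exactly one hit is required; zero or several means no mapping.
            return res.Entries.Count == 1 ? res.Entries[0].DistinguishedName : null;
        }
    }

    // RFC 4515 escaping of a binary value for use inside an LDAP filter.
    static string EscapeBinary(byte[] data)
    {
        var sb = new System.Text.StringBuilder(data.Length * 3);
        foreach (byte b in data) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }
}
```

The DN returned is what the web tier would then use as the authenticated identity, after which roles or grants could be read from that object.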