How to authenticate with Active Directory using ASP.NET web service code?

I have several working websites that live outside the corporate network - and are therefore outside the range of direct connection to Active Directory (A/D) - but for which I would like to be able to authenticate users against the corporate A/D servers as well as a secondary user/role repository ***. The pseudocode for this is the following:

  • The user enters the username/password in the login form on the external website.
  • The external website calls a web service within the local network that can talk to A/D.
  • The web service checks whether the username/password authenticates to a user in A/D. If so, it returns the list of A/D roles of which the user is a member.
  • If the username/password cannot be found/authenticated against A/D, check the database/service that is the secondary repository of user/role information. If they authenticate against the secondary auth store, return all the roles they are in.
  • Return the list of roles the user is in to the calling website.

*** The idea is that we do not want to put dozens - potentially hundreds - of contractors and branches in Active Directory when all of them will only ever be registered on our external web servers. Hence the secondary authentication scheme.

+6
web-services active-directory
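As an added example (not code from the question or any of the answers), this is a sketch of the in-network web service method the question describes, written against the real System.DirectoryServices.AccountManagement API. The domain name, the SecondaryUser type and the ISecondaryUserStore interface are assumptions; the secondary store is assumed to hold PBKDF2 hashes rather than passwords, and the service's own account is assumed to have read access to AD.

```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Cryptography;

// Hypothetical secondary-store record: salted PBKDF2 hash, never a plaintext password.
public class SecondaryUser
{
    public byte[] Salt; public byte[] Hash; public int Iterations; public string[] Roles;
}
public interface ISecondaryUserStore { SecondaryUser Find(string username); } // hypothetical

public class AuthService
{
    private const string Domain = "corp.example.local";   // placeholder AD domain name
    private readonly ISecondaryUserStore _secondary;
    public AuthService(ISecondaryUserStore secondary) { _secondary = secondary; }

    // Returns the role list, or an empty list when neither store accepts the credentials.
    // Both failures look identical to the caller, so the DMZ site cannot tell AD users apart.
    public IList<string> Authenticate(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // ValidateCredentials binds to the domain as the user; nothing is stored here.
            if (ctx.ValidateCredentials(username, password, ContextOptions.Negotiate))
            {
                var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username);
                if (user != null)
                    return user.GetAuthorizationGroups()          // includes nested groups
                               .Select(g => g.SamAccountName)
                               .Where(n => n != null).ToList();
            }
        }
        // Fallback: secondary repository, compared in constant time.
        var rec = _secondary.Find(username);
        if (rec == null) return new List<string>();
        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, rec.Salt, rec.Iterations))
            computed = kdf.GetBytes(rec.Hash.Length);
        return FixedTimeEquals(computed, rec.Hash) ? rec.Roles.ToList() : new List<string>();
    }

    // Constant-time comparison so the mismatch position does not leak through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The method should only be reachable over HTTPS from the DMZ host, and the response carries role names only, never the password or any directory handle.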
3 answers

I think there are several layers here, each of which has its own question:

How can I get to the web service inside my LAN from the DMZ?
This is a difficult task because it really violates the DMZ/LAN separation concept. Usually, connections between the LAN and the DMZ are only allowed (and on a limited basis) from the local network; in this way, a compromised DMZ cannot initiate contact with the local network and is extremely limited in what it can do (it cannot issue arbitrary requests, only respond to requests from the local network).

How can I use the service on another computer to authenticate username / password?
Again, this is a sticky problem - you are transmitting passwords over the network, and it is possible for them to be intercepted. With AD, this is solved using Kerberos, a challenge/response system that ensures that the password is never transmitted. Of course, Kerberos and similar protocols are quite complicated - you should never try to roll your own, as it is likely to be less secure than using something existing - for example, your web service can run on HTTPS, so that at least passwords are only in plaintext on the two servers, not on the connection between them. Certificates can also be used to prevent traffic destined for the web service on your local network from being redirected to a compromised DMZ machine (the compromised DMZ device will not be able to fake the certificate, so your system can determine that it is connected to a fake server before sending authentication information).

In my own experience, these problems lead to AD simply not being used outside the local network. Companies prefer either to bring outside people onto the local network using VPNs authenticated with RSA tokens (those small fobs that show a constantly changing set of numbers), or to use a completely separate set of logins for services in the DMZ.

+1

You can take a look at these two resources. The first will give you everything you want to know about Active Directory, and the second will show you how to connect.

You may have problems connecting to the remote AD server. So, for this to work at all, I would think the web application has to call an authentication web service that resides on the corporate network.

+1

You may be able to simplify this by providing a separate login portal for contractors/branches.

0
