asp.net web site with AD authentication

CoderNotIT asked:

I wrote and maintain an internal company asp.net web app that uses the SQL Server membership provider. My users and my bosses want me to convert this to use our company's Active Directory for authentication so they don't have to log in.  I'm really having a hard time trying to figure out where to start.

First of all, I have complete control over the app and the SQL database.  I do not have any control over our Active Directory server.  As a start, what will I need from our IT department so that I can proceed?  ...at the moment I don't even know the proper questions to ask: the hostname of the AD server? The users will all already have accounts in the Active Directory, but what about assigning them to roles for my app?  Is this something that IT administrators will have to do?

I don't know if this complicates matters, but the server my app runs on is not on the domain and there's no way my boss is going to join it to the domain.  Does it need to be on the domain to be able to query AD?

What do I need to ask IT for?  Can any computer query AD?  Does it need an account (machine or user)?

As you can probably see from my questions, I can't figure out where to start.  Any help will be much appreciated.
raterus:

If it's internal, and you can force users to use IE (or manually configure Firefox browsers), enable integrated windows authentication in IIS, and be done with it!
CoderNotIT (ASKER):

It is internal.  And I can force them to use IE.

But if the server is not on the domain, isn't it only going to try to authenticate them against the server's own user list?
raterus:

Probably, which isn't going to work very well.  Any reason you can't add it to the domain?
CoderNotIT (ASKER):

My boss has a bunch of his own apps on that server and he has had all kinds of problems with things like group policy and AV software settings every time he has tried to join it to the domain.  He's pretty much sworn off joining his servers to our IT's domains.
raterus:

There is an Active Directory Provider in asp.net, but you'd still have to log in every time, kind of defeating the purpose of what you are trying to do here.

There really is no other "secure" solution available, if you want to be authenticated to an internal site, and not have to log in, you must use Integrated Windows Authentication, and that will require the server to be on the domain.  Once you have that, security is as easy as NTFS permissions on the webserver, and you can check membership by the User.IsInRole("MYDOMAIN\some group") function.
CoderNotIT (ASKER):

OK, I clarified this.  I guess not having to log in again is not a big issue.  Just so users' credentials are the same as in the AD.  Sorry for the detour.

So, if I use the ActiveDirectoryMembershipProvider in asp.net, I'm still not clear on what I need to ask our IT department for.  I'm guessing here (correct me if I'm wrong) that I will need AD Groups defined for "RicksWebUsers" and "RicksWebAdmins".  In addition to this, it looks like I need to configure the provider with a connectionUsername and password, which I presume may need to be a new account they set up because they're not going to give me any kind of admin account on the AD.  Also, I am trying to figure out what kind of UI to give administrators to add users since they really wouldn't be adding users at all -- just adding or deleting them to/from the above mentioned groups.

So is this what I go to IT with:
  1) I need the address of the DC or AD server.
  2) I need the 2 groups created.
  3) I need an admin account in AD capable of adding/removing existing users to/from the 2 groups.

Is that all I need?  (That, and to figure out a UI for admins to add/delete people while not having their credentials to validate and possibly not being able to list usernames.)
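The class below is an added example, written for this thread and not code from raterus or the asker, that covers both the plan in this post and the `User.IsInRole(...)` check raterus mentioned above. It is a read-only ASP.NET `RoleProvider`: given the same LDAP path and service account the `ActiveDirectoryMembershipProvider` already needs, it looks up a user's direct `memberOf` values and maps the two groups to roles, so `User.IsInRole("Admins")` and `<authorization>` rules work while the server stays off the domain. The group names "RicksWebUsers" and "RicksWebAdmins" come from the question; the role names `Users`/`Admins`, the class name, the LDAP path `LDAP://dc01.example.corp/DC=example,DC=corp` and the account name `svc-rickweb` are assumed placeholders, as is the .NET Framework `System.Web` stack.

```csharp
// AdGroupRoleProvider.cs -- added example, not from the thread. A read-only
// RoleProvider that maps direct membership in two AD groups to ASP.NET roles.
// Assumed names: roles "Users"/"Admins", host dc01.example.corp, account svc-rickweb.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.DirectoryServices;
using System.Text;
using System.Web.Security;

public class AdGroupRoleProvider : RoleProvider
{
    // Group-to-role map; AD group names compare case-insensitively.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "RicksWebUsers",  "Users"  },   // group name from the question
            { "RicksWebAdmins", "Admins" },   // group name from the question
        };

    private string _ldapPath, _bindUser, _bindPassword;

    public override string ApplicationName { get; set; }

    // Reads the same three attributes the membership provider uses:
    // connectionStringName, connectionUsername, connectionPassword.
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        var cs = ConfigurationManager.ConnectionStrings[config["connectionStringName"]];
        if (cs == null)
            throw new ProviderException("connectionStringName does not name a connection string");
        _ldapPath = cs.ConnectionString;            // e.g. LDAP://dc01.example.corp/DC=example,DC=corp (placeholder)
        _bindUser = config["connectionUsername"];   // read-only service account, not an AD admin
        _bindPassword = config["connectionPassword"];
    }

    // Find the user by sAMAccountName (what attributeMapUsername="sAMAccountName"
    // hands us) and translate the groups it is a direct member of.
    public override string[] GetRolesForUser(string username)
    {
        var roles = new List<string>();
        using (var root = new DirectoryEntry(_ldapPath, _bindUser, _bindPassword, AuthenticationTypes.Secure))
        {
            string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeLdapFilter(username) + "))";
            using (var searcher = new DirectorySearcher(root, filter, new[] { "memberOf" }))
            {
                SearchResult result = searcher.FindOne();
                if (result == null) return roles.ToArray();   // unknown user: no roles at all
                foreach (object dn in result.Properties["memberOf"])
                {
                    string role;
                    if (GroupToRole.TryGetValue(GroupNameFromDn((string)dn), out role) && !roles.Contains(role))
                        roles.Add(role);
                }
            }
        }
        return roles.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.IndexOf(GetRolesForUser(username), roleName) >= 0;
    }

    public override string[] GetAllRoles() { return new List<string>(GroupToRole.Values).ToArray(); }

    public override bool RoleExists(string roleName) { return GroupToRole.ContainsValue(roleName); }

    // "CN=RicksWebUsers,OU=Groups,DC=example,DC=corp" -> "RicksWebUsers".
    // A plain split is enough for group names that contain no escaped commas.
    internal static string GroupNameFromDn(string dn)
    {
        string first = dn.Split(',')[0];
        return first.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) ? first.Substring(3) : first;
    }

    // RFC 4515 escaping, so a login name containing ( ) * \ cannot alter the filter.
    internal static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The app never writes to AD: group membership stays with IT's own tooling,
    // so the bind account only needs read access and these members are unsupported.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

Register it in web.config under `<roleManager enabled="true" defaultProvider="AdGroupRoleProvider">` with the same `connectionStringName`, `connectionUsername` and `connectionPassword` attributes as the `ActiveDirectoryMembershipProvider` entry, then encrypt both sections on the server (`aspnet_regiis -pe "system.web/membership"` and `aspnet_regiis -pe "system.web/roleManager"`) so the service account password is not stored in clear text. Two things worth knowing before relying on it: `memberOf` lists only direct memberships, so nested groups and the user's primary group are not seen, and because every write method throws, an "admin UI" that adds or removes people would need a second, write-capable account with rights over those two groups. Those are exactly the rights IT is least likely to delegate, which is why having IT manage the membership of the two groups directly is the lower-privilege answer to item 3 on the list.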
ASKER CERTIFIED SOLUTION
raterus

CoderNotIT (ASKER):

Thanks for your help raterus.  That got me started.