Active Directory integration - implications

There is the possibility of having a Dynamics application  put on a network. One choice of installation is to have it integrated into Active Directory so that anyone who is an authenticated user of will not have to login to the Dynamics app - their AD credentials will be good enough. In the past we have had a situation with an app of this nature and there was a big hassle when we moved the network  to a newer AD e.g. Windows 2000 to Windows 2008 - Dynamics would not recognize the users on the new AD even though the names/passwords would be the same.

I am concerned about any other such issues with AD integration  of this Dynamics app. In particular, I am concerned about reverse effects - i.e. a problem at the Dynamics end that will somehow spill back and cause problems in AD.  Also any other gotchas - performance issues, security issues, etc.

Any real world input is appreciated on what can go wrong in this type of scenario is appreciated.
lineonecorpAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mcsweenSr. Network AdministratorCommented:
We run Microsoft Dynamics here integrated into our Windows 2003 Active Directory.

I suspect the issue you were referring to about changing domains.  If you create a new domain and re-create the users, groups, etc... your integrated apps will not recognize the new users because they have a new SID (security identifier).  The accounts must be migrated with ADMT or AD must be upgraded in place to allow the users SID to stay the same and work with AD integrated apps.

To address your second issue of spill back; this shouldn't be an issue.  All Dynamics is going to do is an LDAP query into active directory to check the username and password of the user.  Dynamics will not write to AD, only query.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cris HannaCommented:
Personally I wouldn't do it.  1) for the reason you mentioned above and you will migrate again at some point
Secondly because we know people have this tendandcy to share passwords or not use strong passwords
If someone is able to hack the network using an AD Password, they have access to all your financial data in Dynamics
If you use separate logons...not as likely...assuming that folks use a different and strong password for Dynamics
0
mcsweenSr. Network AdministratorCommented:
I don't entirely disagree with CrisHanna but the more logons and passwords you require people to "remember" the more likely they are to write them down and leave them under their keyboard, mousepad, top drawer of their desk, etc...

From the security point of MS SQL it is better to run only integrated logins than to run under mixed mode.  If you do not use AD integration you will have to run SQL in Mixed Mode which is less secure.

http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc
0
FemSteenkampCommented:
pro:
you get single signon for users
so long as domain name stays the same, upgrades should not affect the login.
single source of user admin (AD)

cons
all passwords in single directory means that exposure is a lot more if password does get out.
depending on "how" the dynamics application makes the association between AD and app users, ( some old apps store the FULL LDAP path to user)  it can be a problem if users are moved to a different OU.

normally such aplications do not cause performance problems to AD, although badly written LDAP queries can ause problems, but if you dont have tens of thousnads of users in AD this should not be a maoyr concern.

i would suggest (if you have the luxury) of doing a quick QA with the app to a single NEW DC, and see if your normal AD maintenace ( moving users around, resetting passwords, modifying groups etc) cause a problem for the app, if not then go for it

my 2c worth
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Tax / Financial Software

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.