Using Active Directory for public services

    Question

  • I know it isn't traditional to use on-premise Active Directory (local AD) for public services, but I don't have an alternative that has AD's features; for example, a lot of software integrates with AD.

    I want to know: is Active Directory a good choice as the authentication/authorization/account solution for a website (for public services)?

    Note: I don't give public users permission to access AD directly. It is possible to use ADFS between AD and the public users.

    Sunday, January 22, 2017 8:34 AM

All replies

  • This one might help.

    https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication?showTreeNavigation=true

    or also ask over here in the Microsoft official web development forums

    https://forums.iis.net/

    https://forums.asp.net/



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, January 22, 2017 4:30 PM
  • Hi

    You should check AD LDS:

    Active Directory Lightweight Directory Services Overview

    https://technet.microsoft.com/en-us/library/cc754361(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Sunday, January 22, 2017 5:32 PM
  • Hello Burak

    Thank you for your reply. 

    I think AD LDS is for applications that need authentication. Do you mean that I should build an application for registration/login/profile pages and connect it to AD LDS for the relation with the PDC?

    But I need to know: is using Active Directory a good solution for public services (in a website) or not? And what is the security status of this solution?

    And how can I register my public users from a web page?

    Note: I don't want to build any applications; I want to use an existing product on the market.


    Sunday, January 22, 2017 6:08 PM
  • Yes, you can use AD DS (or AD LDS) for this purpose. Your website can query your AD services to authenticate users and query the attributes. ADFS is also an option if you need to integrate external applications and make them authenticate against your local AD services without the need to expose your DCs.

    To register your users, you can create a registration portal on your web application and, after registration, your portal will create the user accounts. As you do not want to build your own application, you need to find the available applications on the market that allow this.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Sunday, January 22, 2017 10:03 PM
  • Hi Ahmed and thank you so much for your reply.

    Do you know any portal that is integrated with Active Directory?
    Monday, January 23, 2017 5:58 PM
  • Hi Guys,

    I need a "web based portal" that is integrated with Active Directory for use in a website. (Public users should be able to use this portal from the internet, for self-registration and other self-services.)

    I asked this question in other threads, but didn't get a good solution: link1 , link2

    Some people answered this question with mistaken solutions like:

    1- Using FIM/MIM (this solution doesn't have any self-service like self-registration for anonymous/public users from the internet)
    2- Offering me web-based third-party software like "Adaxes" etc. This software only has solutions for managers of Active Directory, so that if you use it, management will be easier. But I need a web-based portal for the anonymous/public users of my website, so that they can do self-registration on my website.

    If you think you can help me, please do. I really need your help.

    Wednesday, January 25, 2017 7:55 PM
  • See below the answers:

    1- Using FIM/MIM (this solution doesn't have any self-service like self-registration for anonymous/public users from the internet)

    If you need more information about FIM, consider asking them in FIM forum: https://social.technet.microsoft.com/forums/en-us/home?forum=ilm2

    2- Offering me web-based third-party software like "Adaxes" etc. This software only has solutions for managers of Active Directory, so that if you use it, management will be easier. But I need a web-based portal for the anonymous/public users of my website, so that they can do self-registration on my website.

    Either you need to develop it or search for a third-party solution that fits your requirements. I am not aware of built-in Microsoft solutions that would fit your needs without extra development.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Thursday, January 26, 2017 1:04 AM
  • Hi Ahmed,

    Thank you for your reply,

    1- I asked about this problem in the FIM forum: Link, but I couldn't get a good solution.

    2- I know I should use third-party software, but I don't know which software. I want to use other experts' experience. Does there really not exist any software that meets these requirements? Or do you and the other experts not have experience with it?!

    Do I really have to develop it?!

    Thursday, January 26, 2017 4:40 AM

  • If you think you can help me, please do. I really need your help.

    What you need is a customized portal, so expect people not to be aware, because there may be no need in their organization to implement this portal. :)

    If you need a portal, FIM is not going to help you. I have never seen a FIM portal exposed to the Internet. Considering I am not really OK with using third-party software, I can tell you that there are a couple of things which need to be taken into account.

    First of all you need to define what you mean by the self-register concept. Do you want public users to have permission to create a user object via a portal, or do you want them to have the ability to edit their user account in AD via a portal? I still fail to understand what exactly you are trying to do.

    Talking about the possibility, yes, it is possible. But you need to consider a couple of things. Firstly, AD is not built in a way to be exposed to the Internet. Secondly, you say you want anonymous users to do self-registration on the website. Well, why should you do that? I mean, when you can store them in another DB, why do you want to store them in AD?

    If you clarify a little bit, others and I can contribute in a better way.


    Mahdi Tehrani   |     |   www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Thursday, January 26, 2017 5:23 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 26, 2017 6:22 AM
    Moderator
  • Hi mahdi,

    Thank you so much for your reply,

    My target is to find a good solution for a "User Store":

    I want to deploy a public website (on the internet) that provides public services to public/anonymous users.

    I would like to provide the public services below on my website, for example:
    1- CMS service (I would like to use DNN, Joomla, Wordpress, etc.)
    2- LMS service (I would like to use open eLMS, DotNetScorm, etc.)
    3- Email service (I would like to use MS Exchange, etc.)
    4- Web storage service like "one drive" (I would like to use a software product that exists on the market, like the previous services)
    5- And other services to be provided to the public ....

    To implement the above services on my website, I need a central "user store" solution that is able to integrate with these services. I think Active Directory is a good solution, because it can integrate with a great many software products and services on the market. (I asked about this above.)

    If using Active Directory is a good solution for this scenario, I need a "web based portal" that is integrated with AD and can provide self-services like self-registration to anonymous/public users on the internet.

    I don't want public users, after registering on my website, to be able to add/edit any object,

    but I do want public users, after registering on my website, to be able to use the above services and edit their profile.


    Thursday, January 26, 2017 6:47 AM
  • Hi Alvin,

    I haven't gotten a specific answer to this problem.

    Many people say Active Directory is a good solution and many others tell me that Active Directory is a bad solution for use on the internet.

    I posted a new question at this URL.

    I am waiting for more comments.

    Thursday, January 26, 2017 6:52 AM
  • > I think active directory is a good solution
    ...and it requires a Client Access License for every computer that is accessing it. Quite expensive for your scenario...
    Thursday, January 26, 2017 9:48 AM
  • Hi martin,

    Thank you for your reply,

    Can you offer me an alternative solution? What do other experts do for this problem? (Integrating a "user store" with a lot of software and services)

    Thursday, January 26, 2017 10:36 AM
  • OK. Now it seems a little clearer to me. If you insist on using Active Directory within your application, you may need to create a portal with a login page and utilize forms authentication in it, then pass the users to Active Directory and get them authenticated. This place is a start to look:

    For each task you are interested in (like password reset or ...) you have to write a different workflow, and honestly speaking you really have to spend time on configuring that portal in terms of security and workflows.

    This is a concept though and you have to do a lot of things to achieve it.


    Mahdi Tehrani   |     |   www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Thursday, January 26, 2017 3:49 PM
    Moderator
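The two pieces the thread keeps circling (Ahmed's "registration portal creates the user accounts" and Mahdi's "forms authentication, then pass them to Active Directory") are shown below as an added PowerShell example. It is not code from any poster in this thread. Every name in it is an assumption: the domain corp.example, an OU named WebUsers reserved for self-registered accounts, a service account CORP\svc-webreg that the portal runs as, and a group WebPublicUsers to which a GPO (not shown) denies interactive and network logon on domain members. The point it adds to the discussion is the least-privilege shape: public accounts live in their own OU, the portal's account can only create users there, and the login check refuses any account that is not in that OU, so a staff or admin credential can never be used on the public site.

```powershell
# Added example for this thread, not code from any poster. All names are assumptions.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$DomainDn   = 'DC=corp,DC=example'           # assumed domain
$DomainFqdn = 'corp.example'
$WebOu      = "OU=WebUsers,$DomainDn"        # assumed OU for self-registered accounts
$WebGroup   = 'WebPublicUsers'               # assumed group; GPO denies it logon on domain hosts
$PortalSvc  = 'CORP\svc-webreg'              # assumed portal service account (not an admin)

# 1. Container and delegation: run once as a domain admin.
#    A dedicated OU keeps public accounts apart from staff accounts, so delegation,
#    a fine-grained password policy on $WebGroup, and logon-restriction GPOs hit only them.
function Initialize-WebUserContainer {
    try { Get-ADOrganizationalUnit -Identity $WebOu | Out-Null }
    catch { New-ADOrganizationalUnit -Name 'WebUsers' -Path $DomainDn -ProtectedFromAccidentalDeletion $true }

    if (-not (Get-ADGroup -Filter "Name -eq '$WebGroup'")) {
        New-ADGroup -Name $WebGroup -GroupScope Global -GroupCategory Security -Path $WebOu
    }
    # The portal's account may create user objects in this OU (CC;user) and reset
    # passwords on user objects beneath it (/I:S = sub-objects only), and nothing else.
    dsacls $WebOu /G "${PortalSvc}:CC;user"
    dsacls $WebOu /I:S /G "${PortalSvc}:CA;Reset Password;user"
}

# 2. Self-registration: the portal calls this as $PortalSvc after its own input checks.
#    The account can only land in $WebOu because that is the only place $PortalSvc may create.
function New-WebUser {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[a-z0-9._-]{3,20}$')][string]$UserName,
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][securestring]$Password
    )
    $user = New-ADUser -Name $UserName -SamAccountName $UserName `
        -UserPrincipalName "$UserName@$DomainFqdn" -EmailAddress $Email `
        -Path $WebOu -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -PassThru
    Add-ADGroupMember -Identity $WebGroup -Members $user
    return $user.DistinguishedName
}

# 3. Login check behind the forms page: bind as the user, then refuse anyone whose
#    object is outside $WebOu. ValidateCredentials answers for the whole domain, so
#    without the container check a Domain Admin's password would log in to the public site.
function Test-WebCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password   # plain string: the API takes one; keep it out of logs
    )
    $ns  = 'System.DirectoryServices.AccountManagement'
    $ctx = New-Object "$ns.PrincipalContext" -ArgumentList ([type]"$ns.ContextType")::Domain, $DomainFqdn, $WebOu
    try {
        if (-not $ctx.ValidateCredentials($UserName, $Password)) { return $false }
        # FindByIdentity searches only under the context's container ($WebOu):
        # a valid password for an account elsewhere in the domain yields $null here.
        $p = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $UserName)
        if ($null -eq $p) { return $false }
        if ($p.Enabled -ne $true -or $p.IsAccountLockedOut()) { return $false }
        return $p.DistinguishedName.EndsWith($WebOu, [System.StringComparison]::OrdinalIgnoreCase)
    }
    finally { $ctx.Dispose() }
}

# Usage (assumed names):
#   Initialize-WebUserContainer                                   # once, as a domain admin
#   New-WebUser -UserName 'alice' -Email 'alice@example.net' -Password (Read-Host -AsSecureString)
#   Test-WebCredential -UserName 'alice' -Password $submitted     # $true only for WebUsers accounts
```

Two checks worth running after this: `dsacls $WebOu` should list the portal account with only the two delegated rights, and `Test-WebCredential` with a known staff account must return `$false` even though the password is correct. The host running this still needs LDAP/Kerberos reachability to a domain controller, which is exactly the exposure Mahdi warns about above; it does not remove that concern, it only limits what a compromised portal can do with it.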
  • Hi again, Mahdi

    Thank you for your reply,

    I am very confused and desperate. Can't ADFS or AD LDS help me implement a reasonable scenario? If not:

    In this discussion, I realized that AD (alone) is a bad solution for a public project like a website (unlike the discussion in this thread).

    By the way, I don't want to go into development, because I don't have much time.

    Could you help me with a new suggestion for this problem? What do other experts do for this problem? (Integrating a "user store" with a lot of software and services)



    Thursday, January 26, 2017 4:54 PM
  • Hi guys,

    Please help me, I really need to resolve this problem. I've sent many questions about my problem to this forum, but I don't get a clear answer.

    My scenario:
    I want to implement a website that provides many services to end users like:
    1- CMS as a service (I would like to use DNN, Joomla, Wordpress, etc.)
    2- LMS as a service (I would like to use open eLMS, DotNetScorm, etc.)
    3- Email as a service (I would like to use mailenable, MS Exchange, etc.)
    4- Web storage as a service like "one drive" (I would like to use a software product that exists on the market, like the previous services)
    5- And other services to be provided to the public ....

    My strategy in this project is to use existing software on the market. I don't want to develop any software/application; I only want to configure existing software into one project.

    To implement the above services on my website, I need a central "user store" solution that is able to integrate with these services. In other words, I want a central "user store" to register my guests/public users, and then I need a solution to authenticate and authorize users for providing the above services to them.

    I have three problems in this scenario:

    1- Choosing the best solution for the "user store" and authentication/authorization: I think AD is a good solution only for the "user store", using products that support OAuth/OpenID for authentication/authorization. This conclusion is from discussion with Mr. Barry and other people, but in another discussion, Mr. Mahdi and Mr. Martin tell me "using AD in a public project like a website is a bad solution, because it is very expensive and not reasonable".

    2- If AD is a good solution for the "user store", how can I register public users from the internet into the AD database? I think I need a web portal that can do it. Which software can do this? Do you know? (I don't want to develop any application for this step.)

    3- In this scenario, I don't know how I can provide the above software (e.g. Joomla or DNN) as a service (SaaS) to my end users. Could you guide me and give me some clues?

    Note: I know AAD is a good solution for my scenario, but I can't use it, because I want to follow a fixed cost for now. I don't want to pay for "service-based cost" products.


    Saturday, January 28, 2017 11:39 AM
  • For web development using Microsoft technologies I'd ask in the Microsoft official web dev forums here.

    https://forums.iis.net/

    https://forums.asp.net/



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, January 28, 2017 2:39 PM
  • Nobody to help me?
    Saturday, January 28, 2017 9:16 PM
  • Nobody to help me?

    The AD part of your scenario has already been answered. You need to follow a flow-chart model if you would like to find an applicable solution. The first step of your flow chart is like:

    1. "I need a User Store for my APP. Is AD a good choice or not? If yes, then proceed to the next step; if no, then change to another method to store your users."

    For this part you have received the answers on whether AD is good or not, in terms of security, in terms of complexity and in terms of cost. So what you have to do is move to the next step in your flowchart rather than struggling and asking repetitive questions. Besides, you are mixing all the ingredients at once and you expect people to say what the best name for the food is. Nobody can offer you a complete solution because firstly it is your scenario and you have to deal with it, secondly not everyone knows about everything.  :)

    If you are really OK with security and cost, yes, I believe you can use forms-based authentication and send them to AD to authenticate. But creating a portal to handle the task is all on you.


    Mahdi Tehrani   |     |   www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Sunday, January 29, 2017 4:02 AM
    Moderator
  • Hi Mahdi,

    Thank you so much for reply.

    If you follow the history of my questions, you can see that I asked my problems separately and not as a whole, but as the discussions moved on, many experts asked again and again about my scenario to bring out hidden angles. So I think I should define my scenario completely to get the correct solution.

    I have three questions in my scenario, the first of which is the choice of "user store" solution. You looked at this step in three terms:

    1- Your comment about security: if I use forms-based authentication with the Active Directory solution, security will be weakened. New question: if I use AD only as a "user store"/"identity server" and handle authentication with other solutions, like a product that supports OAuth 2.0 / OpenID, will this disaster be solved? (Plz see) And I want to know, can't ADFS solve this disaster?

    2- Your comment about cost: if I use AD, I need a licence for every client computer. New question: if I use AD only as a "user store"/"identity server" and handle authentication with other solutions, like a product that supports OAuth 2.0 / OpenID, do I need only a licence for each AD server? Is that true? (Plz see)

    3- Your comment about complexity: you say implementing this scenario with AD is complex. I think this comment is true.

    These features are important to me in this scenario: security, cost, easier management, easier troubleshooting and using the market potential (I don't want to develop any application for now).

    Sunday, January 29, 2017 10:16 AM
  • Hi,

    Thanks for sharing your current progress.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 30, 2017 1:07 AM
    Moderator
  • Hi Alvin,

    I can't decide which solution for "User Store" and "Authentication" is appropriate for me. I started new discussions like this one to find a correct solution, but no result up to now.

    Monday, January 30, 2017 3:39 AM
  • Hi,

    The link for the new discussion is not available.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 1, 2017 5:51 AM
    Moderator
  • Hi Alvin,

    Yes, I don't know who has to clean it up. This is so ugly and I am very upset about it.

    Wednesday, February 1, 2017 8:01 AM
  • Hi,

    Sorry for the inconvenience caused to you.

    Please post a new thread for the discussion.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 1, 2017 8:10 AM
    Moderator