Active Directory for web authentication: scale to 1M users

Tags: active-directory, scaling

I'm interested in how well Active Directory would fare as the authentication backend for a website, scaled for ~1 million users. Do you have experience with AD in web environments of this scale, and if so what level of hardware would we need?

[Update] Regarding frequency of login: I agree that this is a key factor, but we don't have that information yet. Assume a regular commerce/banking site setup: login via a form once, carry your identity in a session (i.e. no authentication calls to AD on pages other than the login page).

The AD will not store a significant amount of user information beyond what's needed for authentication.

  • How busy are you expecting the website to be:
    Assume a normal commerce/banking site. No further information on this.

  • Will this AD be partitioned:
    It can be, although simplest architecture is preferred.

  • Will this AD be serving anything else:
    No.

  • How complicated will your OU structure be:
    The OU structure will be fairly simple.

  • Will you be extending the schema:
    The standard schema will be used.

  • Will you be performing many searches on it: only to look up username / email for a subsequent bind.

  • Will you be storing a lot of information against the User Objects: No

  • Will Exchange be involved with this AD: No
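The "look up username / email, then bind" flow the question describes is the standard LDAP search-then-bind pattern. The following is an added example (not code from the question or any answer) showing that flow with the two checks a web login against AD needs: RFC 4515 escaping of the form input before it is spliced into the search filter, and a refusal to forward an empty password, because AD treats an empty-password bind as an anonymous bind and reports it as successful. It assumes a minimal client interface with `search()` and `bind()` methods and uses a constructed in-memory directory with placeholder DNs so it runs offline; a real deployment would swap `FakeDirectory` for an LDAP client exposing the same two calls.

```python
import re
from typing import Dict, List, Optional

# RFC 4515: these characters have meaning inside a filter and must be hex-escaped.
_FILTER_ESCAPES = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


def escape_ldap_filter(value: str) -> str:
    """Escape user-supplied text before splicing it into an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (used only by the constructed fake server)."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Constructed in-memory stand-in for a domain controller (assumption: a real
    client exposes the same two calls). It evaluates only the one filter shape
    that authenticate() produces: objectClass AND (sAMAccountName OR mail)."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries  # dn -> {"sAMAccountName", "mail", "password"}

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        wanted: Dict[str, List[str]] = {}
        for attr, raw in re.findall(r'\((\w+)=([^()]*)\)', ldap_filter):
            wanted.setdefault(attr, []).append(_unescape(raw))
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.endswith(base_dn):
                continue
            if any(attrs.get(a) in vals for a, vals in wanted.items() if a != 'objectClass'):
                hits.append(dn)
        return hits

    def bind(self, dn: str, password: str) -> bool:
        # Mirrors AD behaviour: an empty password is an anonymous bind that
        # "succeeds". authenticate() must reject that case before calling here.
        if password == '':
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry['password'] == password


USER_FILTER = '(&(objectClass=user)(|(sAMAccountName={0})(mail={0})))'


def authenticate(directory, base_dn: str, login: str, password: str) -> Optional[str]:
    """Search-then-bind: find the single DN for the login (via a service
    connection), then bind as that DN with the user's own password.
    Returns the user's DN on success, None on any failure."""
    if not login or not password:
        # Never forward an empty password: it becomes an anonymous bind.
        return None
    ldap_filter = USER_FILTER.format(escape_ldap_filter(login))
    matches = directory.search(base_dn, ldap_filter)
    if len(matches) != 1:
        # 0 hits: unknown user. >1 hits: ambiguous (one person's mail equal to
        # another's sAMAccountName, say); refuse rather than guess.
        return None
    dn = matches[0]
    return dn if directory.bind(dn, password) else None


# Constructed sample data; the domain name is a placeholder, not a real one.
BASE_DN = 'OU=WebUsers,DC=example,DC=test'
DIRECTORY = FakeDirectory({
    'CN=alice,' + BASE_DN: {'sAMAccountName': 'alice', 'mail': 'alice@example.test', 'password': 'S3cret!'},
    'CN=bob,' + BASE_DN: {'sAMAccountName': 'bob', 'mail': 'bob@example.test', 'password': 'hunter2'},
})

if __name__ == '__main__':
    for login, pw in [('alice', 'S3cret!'), ('alice@example.test', 'S3cret!'),
                      ('alice', ''), ('alice', 'wrong'), ('alice)(|(sAMAccountName=*', 'S3cret!')]:
        print(repr(login), '->', authenticate(DIRECTORY, BASE_DN, login, pw))
```

Once `authenticate()` returns a DN, the web tier issues its own session and does not touch AD again until the next login, which is the "carry your identity in a session" setup the question assumes; the bind for the search itself should use a dedicated low-privilege service account, never the user's credentials.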

Best Answer

Could you? Yes. Should you? No.

First, scaling load - 1M users with an average of 1 login per second is a LOT different than 1M users with an average of 100-1000 logins per second.

Just some general thoughts on this though - While technically it could, I don't know that Active Directory would be the ideal vehicle to store 1M users all within one domain. If you were to use this for your web application and started having performance issues, it would be pretty difficult to troubleshoot. Personally, for something supporting 1M users, it really needs to be something more dedicated to that particular task.

If this is the benchmark you need to hit and you really want to use AD, you probably need to get Microsoft involved to make sure your architecture is absolutely correct and get your load/performance testing in place at minimum.

The amount of "other things" that Active Directory does and introduces (layers, replication, extensions, security concerns of the accounts being on your "production" network domain) when you just need it for an authentication database is, IMHO, not appropriate for the amount of users and the relative simplicity required. Way too overkill and complex.