Sql – Forms authentication against multiple providers (SQl and AD)

active-directoryasp.netasp.net-membershipforms-authenticationsql

We have an application that is for both internal users and external customers. We would like to authenticate against AD for the internal users and against sql membership for the external customers. Has anyone taken a similar approach? Also what is the best way to authenicate against AD when in a DMZ? I would rather have a proxy of some sort that is in the dmz and handles authentication against the AD DCs on our internal network. Any suggestions?

TIA,
Kevin

Best Answer

We have a similar situation. Our Internal users go against AD the external guys against an ADAM store. Different than your database approach, but similar in that they have two user stores. Our authentication against AD occurs in the secure zone, the web servers in the DMZ make a webservice call into the secure zone for authentication. Don't know what you are rally looking for, but your approach sounds ok.

EDIT to answer comments:

The ADAM store is not synced with the database.
Basically there were two providers that the webservice was configured to use, one for each store. I fact, there were three for a period of time when users were migrated from the legacy system. To determine which store a user was in, the application simply asked the most common provider first (ADAM in our case) and if the user did not exist, it would move to the next provider.
The endpoint was the webservice, inside the firewall, running on a the middle tier server. That server did run IIS, so technically it was a webserver, but actually our middle tier server as it did not serve up any pages or host anything other than a few webservices.
So it sounds like you have 2 types of external users. Ones that are really internal users (in AD) and ones that are truely external (in DB). This is not very elegant, but you could ave 2 login screens, one for each. Don't publish the internal users external login screen to anyone but them, and publish the real external login screen to teh world. A little hacky but it would work. Otherwise, you login would process will need to identify the type of user.

Related Solutions

Sql – How to concatenate text from multiple rows into a single text string in SQL Server

If you are on SQL Server 2017 or Azure, see Mathieu Renda answer.

I had a similar issue when I was trying to join two tables with one-to-many relationships. In SQL 2005 I found that XML PATH method can handle the concatenation of the rows very easily.

If there is a table called STUDENTS

SubjectID       StudentName
----------      -------------
1               Mary
1               John
1               Sam
2               Alaina
2               Edward

Result I expected was:

SubjectID       StudentName
----------      -------------
1               Mary, John, Sam
2               Alaina, Edward

I used the following T-SQL:

SELECT Main.SubjectID,
       LEFT(Main.Students,Len(Main.Students)-1) As "Students"
FROM
    (
        SELECT DISTINCT ST2.SubjectID, 
            (
                SELECT ST1.StudentName + ',' AS [text()]
                FROM dbo.Students ST1
                WHERE ST1.SubjectID = ST2.SubjectID
                ORDER BY ST1.SubjectID
                FOR XML PATH ('')
            ) [Students]
        FROM dbo.Students ST2
    ) [Main]

You can do the same thing in a more compact way if you can concat the commas at the beginning and use substring to skip the first one so you don't need to do a sub-query:

SELECT DISTINCT ST2.SubjectID, 
    SUBSTRING(
        (
            SELECT ','+ST1.StudentName  AS [text()]
            FROM dbo.Students ST1
            WHERE ST1.SubjectID = ST2.SubjectID
            ORDER BY ST1.SubjectID
            FOR XML PATH ('')
        ), 2, 1000) [Students]
FROM dbo.Students ST2

C# – Validate a username and password against Active Directory

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

// create a "principal context" - e.g. your domain (could be machine, too)
using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)

Best Answer

Related Solutions

Sql – How to concatenate text from multiple rows into a single text string in SQL Server

C# – Validate a username and password against Active Directory

Related Topic