Web Application User Credentials -- asp.net security

Dave Slinn
11/30/2004 9:28:33 AM

We are in the early planning stage of a new web (ASP.NET) application, are
currently determining the best strategy for managing users in this
application.

Our application will be a mix of internal (ie. company employees) users,
external users (third party associates, etc.), and the general public (ie.
anonymous users).

We would like the application to be able to user Integrated Windows
Authentication when a company employee uses the site from the internal
network, but use an HTML form for our external users when they are logging
in. Obviously, the public pages don't need any authentication.

Currently, we are planning on using Active Directory for our internal users,
including their group memberships. My question is - for external users,
would you add them to the Active Directory or is that a security no-no
(having external, non-network users in your domain directory)? The
alternative is to setup a SQL database to manage external users, their group
privileges and their passwords.

Thanks for any suggestions...

Matjaz Ladava [MVP]
11/30/2004 8:19:04 PM

Depends on the type of your web application. What you could do is, to use a
Formsbased authentication page for users coming from external addresses and
separate page for users coming from internal addresses. You can keep
external users in SQL server and internal in AD. You don't need to use
Integrated authentication, but you can also use form based authentication
and authenticate your users to your AD trough a LDAP query and your external
users trough SQL query. It involves a little overhead, but it can be done.
ASP.NET has a great way of dealing with this things.

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
matjaz@ladava.com, matjazl@mvps.org

[quoted text, click to view]

asp.net security : Web Application User Credentials