Developing Active Directory Based Application
Abdellatif Tarhine
Microsoft Regional Director for North Africa
[email protected]
Session Objectives
Introduction
Identity Flow & Authentication
Authorization
Auditing
Summary & Call to Action
Index: Fundamental Concepts & Backup Slides
Introduction
Business Challenges & Benefits
Introduction
The Business Challenges
Rapidly develop line-of-business (LOB) applications
Leverage Active Directory infrastructure
Achieve greater security
Capitalize on consistent authorization policy models & data
Effectively use existing provisioning mechanisms
Provide secure access for different types of users
Meet the authentication, authorization, and audit requirements of new industry & government regulations
Introduction
The Business Benefits
Impersonation/Delegation
Trusted Subsystem
Credential Mapping
Combining Models
Identity Flow Models
Impersonation/Delegation
Network Resource or Service can “flow” Identity from one point to another
Delegation of the user context or credentials
Advantages
Unconstrained Delegation
Constrained Delegation (New in WS2K3) – A2D2
Protocol Transition (Internet)
Resource is always accessed by user
System Level Access Auditing
Disadvantages
No connection pooling
Not all tiers support the Impersonation/Delegation model (e.g. Mainframe, other non-Microsoft servers)
Identity Flow Models
Kerberos Protocol Delegation
Operating System | Delegation
Windows NT with IIS 4.0 | No
Note: The credential mapping would have failed if the architect had chosen the Trusted Subsystem Model instead of the Delegation Model between the Web server(s) and the application server(s).
Authorization
ASP.NET Roles & Authorization Manager
Authorization
Mechanisms
Access Control List Model
NT Private Object Security (POS) APIs – old school
Authz APIs – new school (Windows XP/WS2K3)
Resource Managers: Well-Defined, Persistent Objects
Role-Based Access Control Model
Maps user job roles to app permissions
Little need to change roles once established
Manage Membership not Permissions on Objects
RBAC Implementation:
COM+ Roles
ASP.NET Roles (URL Authorization, Role-Based Security)
Windows Authorization Manager
ASP.NET Roles
URL Authorization
<authorization>
<allow users="DomainName\Bob" />
<allow users="DomainName\Mary" />
<deny users="*" />
</authorization>
ASP.NET URL authorization also allows for access based on role, for example:
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
Note: Although ASP.NET URL authorization provides basic role-based access at the URL level, the manual configuration it requires through Web.config files makes it unsuitable for an enterprise environment.
ASP.NET Roles
Role-Based Security
ASP.NET applications can use the IsInRole method (System.Security.Principal.IPrincipal), for example:
// Check the current principal's role before running a privileged operation.
if (User.IsInRole("BUILTIN\\Administrators"))
{
    ExecutePrivilegedOperation();
}
// Assumed context (not shown on the slide): the Global.asax
// Application_AuthenticateRequest handler; "id" is the authenticated identity.
void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.User != null && HttpContext.Current.User.Identity.IsAuthenticated)
    {
        System.Security.Principal.IIdentity id = HttpContext.Current.User.Identity;
        String[] myRoles = new String[3];
        myRoles[0] = "managers";
        myRoles[1] = "testers";
        myRoles[2] = "developers";
        HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, myRoles);
    }
}
Policy Store: storage in AD, ADAM, or XML
Authorization Manager concepts (figure: Design vs. Deployment)
Role: permissions needed to do a job (e.g. Buyer, Acct Rep, Auditor)
Operation: application action that the developer writes dedicated code for (e.g. Web Operation, Database Operation, Directory Operation, Payment System Operation)
Web Ordering Application
Role Definitions: Buyer, Acct Rep, Auditor
Role Assignments:
Buyer: email = *@ADatum.com
Acct Rep: Group = Dept01Manager
Auditor: (Group = TreyAuditor) && (Status = Active)
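The Web Ordering Application policy above, as an added Python model (not from the slides and not the Authorization Manager API): role definitions map roles to operations, role assignments are rules evaluated against user attributes, and an access check denies by default. The operation set of each role and the User attribute shape are assumptions for this example.

```python
import fnmatch
from dataclasses import dataclass, field

# Operations the Web Ordering Application exposes (from the slide's diagram).
OPERATIONS = {"Web", "Database", "Directory", "PaymentSystem"}

# Role definitions: which operations each role may perform.
# The mapping of roles to operations is constructed for this example.
ROLE_DEFINITIONS = {
    "Buyer": {"Web", "PaymentSystem"},
    "Acct Rep": {"Web", "Database"},
    "Auditor": {"Web", "Database", "Directory"},
}


@dataclass
class User:
    """Attributes an assignment rule can inspect (constructed shape)."""
    name: str
    email: str
    groups: set = field(default_factory=set)
    status: str = "Active"


# Role assignments as rules, mirroring the slide: membership is decided by
# the rule at check time, so permissions on objects never need editing.
ROLE_ASSIGNMENTS = {
    "Buyer": lambda u: fnmatch.fnmatchcase(u.email.lower(), "*@adatum.com"),
    "Acct Rep": lambda u: "Dept01Manager" in u.groups,
    "Auditor": lambda u: "TreyAuditor" in u.groups and u.status == "Active",
}


def roles_for(user: User) -> set:
    """Evaluate every assignment rule; a user may hold several roles."""
    return {role for role, rule in ROLE_ASSIGNMENTS.items() if rule(user)}


def access_check(user: User, operation: str) -> bool:
    """Deny by default: allow only if some assigned role includes the operation."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    return any(operation in ROLE_DEFINITIONS[r] for r in roles_for(user))


if __name__ == "__main__":
    # Constructed sample principals.
    bob = User("bob", "bob@ADatum.com")
    audit = User("aud", "aud@contoso.com", {"TreyAuditor"}, status="Disabled")
    print(roles_for(bob), access_check(bob, "PaymentSystem"))   # {'Buyer'} True
    print(roles_for(audit), access_check(audit, "Directory"))   # set() False
```

A disabled auditor loses the role at the next check without any change to the role definition, which is the point of managing membership rather than object permissions.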
Authorization Manager
Advantages
*For detailed information, see the "Logging Application Block" on MSDN at:
http://msdn.microsoft.com/library/en-us/dnpag/html/Logging.asp
Summary & Call to Action