
Using Active Directory to authenticate internet users


    I have an intranet application that is using Windows authentication. What I want to do is port it to internet usage for homeworkers. Web server will be in the DMZ.

    What I would like to know is this. If a home worker logs in over the internet using forms authentication (this is an ASP.NET app) and enters their user name in the form of their normal Windows login (domain\userid), can this be passed to Active Directory and validated? I don't want maintenance of login details in a database or anything; I would like to be using Active Directory. I think I would have to set up trust between the DMZ webserver and AD. Is this possible? Thank you if you help me.

    #2
    Yes, this should be possible. I believe there is an Active Directory membership provider for ASP.NET (or you could create your own if it doesn't meet your requirements). Have a look for that on Google.

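    A web.config sketch of the membership-provider approach named in reply #2, as an added example that is not part of the original thread. The host name, OU, service account and password are placeholders, and the layout assumes the DMZ web server is not domain-joined and reaches one domain controller over LDAPS only.

```xml
<!-- Added example, not from the thread. All names and credentials are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Port 636 = LDAP over SSL; the firewall between the DMZ and the LAN
         only needs to allow this one port from the web server to the DC. -->
    <add name="ADConnection"
         connectionString="LDAP://dc01.corp.example.com:636/OU=Staff,DC=corp,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the authentication cookie off plain HTTP. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
             timeout="20" slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- Anonymous users are sent to the login page. -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="ADMembership">
      <providers>
        <clear />
        <!-- connectionProtection="Secure": the provider tries SSL first.
             connectionUsername/connectionPassword: explicit bind account,
             needed because a non-domain machine has no identity in AD.
             attributeMapUsername="sAMAccountName": users type the userid part
             of domain\userid (the default mapping is userPrincipalName). -->
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionProtection="Secure"
             connectionUsername="svc-weblookup@corp.example.com"
             connectionPassword="PLACEHOLDER"
             attributeMapUsername="sAMAccountName"
             enablePasswordReset="false"
             enableSearchMethods="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

    The bind account should be a low-privilege account with read access to the user container only, and the membership section can be encrypted on the server with aspnet_regiis -pe so the password is not stored in clear text.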


      #3
      1. Yes, this is possible.
      2. I can't remember all the details, as I haven't done anything like this with .NET in several years.


      If you don't get enough help here (and I'm not exactly helping with the above) then you may want to try searching or posting a question on serverfault.com - there's a good chance somebody over there has either answered your question, or can answer it.



        #4
        Originally posted by bekarovka
        I have an intranet application that is using Windows authentication. What I want to do is port it to internet usage for homeworkers. Web server will be in the DMZ.

        What I would like to know is this. If a home worker logs in over the internet using forms authentication (this is an ASP.NET app) and enters their user name in the form of their normal Windows login (domain\userid), can this be passed to Active Directory and validated? I don't want maintenance of login details in a database or anything; I would like to be using Active Directory. I think I would have to set up trust between the DMZ webserver and AD. Is this possible? Thank you if you help me.

        Why not get an SSL VPN solution, which will then make what you are doing more secure?
        If your company is the best place to work in, for a mere £500 p/d, you can advertise here.



          #5
          This should help.

          http://msdn.microsoft.com/en-us/library/ms998360.aspx


          Simples.



            #6
            Honestly, don't do it. Not to be mean, but the fact that you even need to ask if it is possible tells me you are not experienced enough to make this properly secure for internet publication.

            Do as pmeswani suggested and use a VPN. If they are home workers they should already have this, and it would require no extra config from yourself.



              #7
              Originally posted by Not So Wise
              Honestly, don't do it. Not to be mean, but the fact that you even need to ask if it is possible tells me you are not experienced enough to make this properly secure for internet publication.

              Do as pmeswani suggested and use a VPN. If they are home workers they should already have this, and it would require no extra config from yourself.

              Have to agree. A VPN with perhaps a smartcard for authentication in combination with the user's usual Windows account and SSL is the way to go. In this way all your intranet apps are available to remote workers, it is secure, and the code doesn't have to change.

              I've used RSA stuff before.

              http://www.ansecurity.co.uk/products/rsa.htm


              And Juniper too.

              http://www.ansecurity.co.uk/products/juniper/sslvpn.htm
              Last edited by DimPrawn; 24 August 2009, 09:11.



                #8
                Thank you for your answers. Unfortunately I can't use a VPN, as the requirement is very ad hoc access among a large user base.

                My main concern really is the implication of the ASP.NET application being in the DMZ and communicating with AD from there. I would think that there would need to be some extra configuration to get this to work. The DMZ machine isn't in a domain. I will try the URL that was recommended for asking this question.



                  #9
                  VPN is definitely the way to go. Trying to roll your own solution is going to cause you all sorts of security headaches. From the sound of it though, the app has been knocked up on the cheap and an equally cheap access solution is being sought.
                  "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



                    #10
                    Consider using ISA Server to allow authentication to your webserver in the DMZ. This will integrate with AD to authorise specific AD groups to allow access to that web server via forms-based auth or basic/integrated auth.
