Mylo,

 

Thanks for the information!

 

I have set up ADAM utilizing a custom web UI utilizing AZMan for a small project before, but I have concerns about scalability.  The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM.  ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc.  This was for a simple application of about 500 users, and it met their needs, but I don't see this as a scalable solution from a global perspective.

 

This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors, from DMZ hosted web apps to externally hosted apps.  The flavors of web apps will range from WebSphere, ColdFusion, .NET and I suspect some PHP apps.

 

With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there).  So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM, with ADAM being the most cost effective.  It looks like SiteMinder might be a good solution to manage all of these environments, but I will need to look into that.

 

 

I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here.  I guess it's a new environment and I wanted to get some info before it was needed. :)

 

Thanks again!

 

Jef


> Date: Fri, 28 Apr 2006 01:40:09 +0200
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>
> Jef,
>
> As Al pointed out, there are numerous products from vendors such as 
> IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing 
> web-based authentication/authorisation in front of AD. Since from a 
> design point-of-view it's generally not a good idea to stick AD too 
> close to the Internet, often these solutions comprise a presentation 
> tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks 
> into your business logic (e.g. middleware) or your data tier (e.g. 
> LDAP/AD/SQL) ... if you want to look at this from an MS purist 
> perspective then I'd suggest having a look at n-Tier solutions within 
> the MSDN area. Although, this has a more developer emphasis than you'll 
> probably want, it gives a good insight into how Internet authentication 
> works, particularly .NET as well as older products such as Site 
> Server/Commerce..
>
> Try googling on Authorization Manager (AZMan) to give a good example of 
> how a role-based management approach (assuming a web tier) with an AD 
> backend would work..... Also look at ADAM as an initial 'point' solution 
> for Internet usage rather than AD alone.
>
> You also mentioned self-registration and this kicks off an entirely 
> different thread (in my mind anyway)... 
>
> 1. What are you providing access to?
> 2. Whom are you registering and for what ?
> 3. What authentication mechanism do you wish to use (username/password, 
> certs, OTP).
> 4. Do you need to provide some form of authorisation once authenticated 
> as well? What form does this need to take?
>
> Hope this helps.
>
> Regards,
> Mylo
>
> if you need an initial
>
> Jef Kazimer wrote:
>
> >Al,
> > 
> >I apologize, as I am going only on what little information I have.  I guess I was trying to do some pre-meeting recon work since I had seen it mentioned here about 25mil internet users for some people.  I had assumed there might be some scenario documentation for such a thing.
> > 
> >I will know more after the meeting of course, so I'll see if I can explain myself better.
> > 
> >I understand directory design for an enterprise, but have never done so for an internet instance that would have self registration.  I suspect there are some different lessons learned from that scenario so was curious.
> > 
> >Thanks,
> > 
> >Jef
> >
> >
> >
> >  
> >
> >> Date: Thu, 27 Apr 2006 15:31:33 -0400
> >> From: [EMAIL PROTECTED]
> >> To: ActiveDir@mail.activedir.org
> >> Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
> >>
> >> That's not a lot to go on, Jef.  Can you give some more information?
> >>
> >> For example, these public internet sites? Are they web only? What type
> >> of authentication is needed? What were your plans for authorization?
> >> Are you planning to use something like SiteMinder or Tivoli or ?? to
> >> help you deal with authorization if using web sites?
> >>
> >> Al
> >>
> >> On 4/26/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:
> >> >
> >> > Ok, here is something I'm just starting to research, and I thought maybe
> >> > someone here has some pointers or a direction they can steer me in.
> >> >
> >> > We are looking at a potential consolidated directory/database to contain
> >> > user registrations (Self registration and possible bulk load) for multiple
> >> > public internet sites for products of our company.
> >> >
> >> > I was wondering if there are any published scenarios that address this
> >> > solution as a starting point for consideration.  We are thinking of using a
> >> > public AD forest as the potential repository, but I am curious if there are
> >> > any lessons learned when designed such a scenario.
> >> >
> >> > Thanks,
> >> >
> >> > Jef
> >
> >List info   : http://www.activedir.org/List.aspx
> >List FAQ    : http://www.activedir.org/ListFAQ.aspx
> >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


