-1

I am not sure if this is the right place to post this question, but I figured that since some users here are familiar with Windows Servers and Active Directory, I might get some information about my issue.

I am developing a server cloud backup application. The software will be deployed to all users on an Active Directory, and the files should be backed up to the cloud under the same account using a single email and password. This is all very trivial and straightforward.

My problem is when a specific (non-administrator) user tries to manage his backed-up files. I need to differentiate this user on the web console; he needs to enter some credentials that are unique to this user. This is because only the administrator should know the main credentials of the account.

I am leaning toward implementing a method that incorporates the account name [username@domain] as the sub-account name; the application will ask the user for a password, while the administrator can still access all users' data using the main account's credentials.

I am creating this question mainly to ask what the best practices for such a system are, as I am not a server expert and haven't spent much time with Active Directory and Windows servers. My main concern is the security of the main account and the sub-users' accounts.

Zaid Amir
  • If possible don't use passwords at all. Use some kind of integrated authentication system that links into the AD for authentication. – Zoredache Mar 13 '14 at 16:22
  • @Zoredache do you have an example of such a system? – Zaid Amir Mar 13 '14 at 17:53
  • @RedSerpent Lookup "GSSAPI kerberos" and "windows integrated authentication" – Chris S Mar 14 '14 at 13:50
  • Sorry, but application architecture questions are off-topic for [SF]. There are existing solutions to your authentication needs, but none of them are simple and the hybrid nature of your application stack is going to complicate deployment (assuming you want to leverage AD for deployment, more than simply installing the software). – Chris S Mar 14 '14 at 13:56
  • This question appears to be off-topic because it is about Application Architecture. You might receive better feedback from [SO], but I would generally advise picking up a book or two on the topic. – Chris S Mar 14 '14 at 13:58
  • @ChrisS man stackexchange sites are being run by a bunch of A-Holes who compliment each other on being rude to users. I am getting out of this garbage. – Zaid Amir Mar 14 '14 at 15:03
  • @RedSerpent I'm sorry you've had a negative experience, but please do remember that it's only a couple of people. Zoredache and Katherine have done nothing but try to help. [SF] is for System Administrators only, that is part of the warning when you ask a Question. When you ignore those warnings you will attract people like TomTom (an extremely knowledgeable admin, with a habit of "finding" people who erroneously posted on [SF]). – Chris S Mar 14 '14 at 15:08
  • @ChrisS well thanks to your "knowledgeable admin" I have wasted enough time going in circles. You guys need to put in a system to pick admins based on attitude. If your so-called "knowledgeable" admin had spent five seconds of his time reading the question, I was clear from the beginning that I am unsure whether this post should go here. But instead your "knowledgeable" admin decided it would be fun to condescend to me with his out-of-place remarks and sarcasm, giving little to no information whatsoever on my issue. – Zaid Amir Mar 14 '14 at 15:42
  • @ChrisS and again just to be clear, my question was never about programming; I was simply asking for best practices used by backup software. I am asking for an opinion based on server users' experiences. I am not asking anyone to give me an API or a library. I do not need any help with programming. All I need is some help deciding which way to go, what the common practice on AD servers is for similar client software. – Zaid Amir Mar 14 '14 at 15:45
  • @ChrisS and yes I know not everyone is the same, and I am thankful to both Zoredache and Katherine for their help. – Zaid Amir Mar 14 '14 at 15:47
  • @ChrisS Software architecture questions are generally welcome on [programmers.se]. – Michael Hampton Mar 14 '14 at 16:22

1 Answer

2

I'm pretty sure that what you want is not some random username and password. I'm pretty sure that what you want is instead for the software itself to be AD-aware, and to ask the domain controller if the user is valid.

Which isn't the same thing as "web console credentials," alas. But the client software itself should know whether or not the logged in user is valid by standard AD means (valid Kerberos ticket, etc.).

Perhaps you could pull the user's email address from AD and generate a password/OTP for the user that way.

(I would also be nervous about less-savvy users putting their valid AD credentials into your web portal if prompted with DOMAIN/USERNAME, and/or "training them to do so" with third parties. But that's perhaps beyond the scope of what you're asking.)

Katherine Villyard
  • Let me add as a developer that this is totally trivial - once you read the documentation. Connect to AD AS THE USER - i.e. with his entered username and password - and either you get a connection, or a reminder to go away. Or write a portal that integrates into AD (standard setting in IIS, baseline for a web developer). – TomTom Mar 13 '14 at 16:45
  • @TomTom what documentation?? – Zaid Amir Mar 13 '14 at 17:55
  • @RedSerpent .NET has classes for dealing with Active Directory. In case you do not know, .NET classes have documentation. System.DirectoryServices namespace – TomTom Mar 13 '14 at 17:57
  • @TomTom yes I know the classes, I have read the documentation for those. It is finding a good way to implement an authentication system that I am struggling with. I am hoping that someone might direct me to an example/document that sheds light on how to create a system that meets my requirements. – Zaid Amir Mar 13 '14 at 18:02
  • well, here is what I use... get a new PrincipalContext and call the ValidateCredentials method on it ;) – TomTom Mar 13 '14 at 18:06
  • @TomTom But wouldn't that require all traffic to go through a single on-site STS service before the data gets sent to the online server? We are talking about backup software here, and I am not sure if this is a good approach, since each file (chunk of data) needs to be authenticated on the server before it gets uploaded to the web service. I mean, having an STS service could solve the authentication issue, but it will raise a traffic issue. – Zaid Amir Mar 14 '14 at 10:53
  • @RedSerpent Where does STS enter into that? I use a direct access to an undetermined AD server here. I use that basically to validate passwords against AD in an intranet app (integrated security not possible due to the fact that access happens from machine not on the domain). – TomTom Mar 14 '14 at 11:00
  • @TomTom I am a bit confused now. My application needs to be deployed on each AD user's machine to monitor file changes, yet each request to upload a file to the cloud needs to be authenticated. I am looking for a way to differentiate between users so that when a user tries to log in to view/download a file, he will only have access to his files and cannot view the other users' files or download them. The user can access his files through a web browser or through the application itself, as it communicates with the server to list only the files of that user. – Zaid Amir Mar 14 '14 at 11:50
  • I'm sorry but if you do not know enough to make a simple validation infrastructure then maybe ask your lead dev or tell your boss to hire someone. This is turning from "I have no idea which API to use" to "I have no clue how to make a backup system architecture with integrated security", and the latter is way too big to answer here. Besides programming questions not being right here anyway, this is [SF], not [SO]. – TomTom Mar 14 '14 at 11:54
  • @TomTom well it is not my problem that you did not understand my question, and it is not a programming question. ServerFault is part of stackexchange, so your argument is invalid. I did not ask about which API to use. – Zaid Amir Mar 14 '14 at 12:28
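The AD-aware check the answer describes (let the domain controller say whether the user is valid, and prefer the existing Kerberos logon over a second password prompt) together with the PrincipalContext/ValidateCredentials approach named in TomTom's comment, as an added C# example that is not code from the question, the answer or any commenter. It assumes a placeholder domain name and that the backup service scopes file listings by the returned identity; the class and method names are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example; not from the question or any answer. Assumes a reachable
// domain (placeholder "corp.example") and that the backup service uses the
// identity returned here as the per-user sub-account key.
static class AdBackupIdentity
{
    // Preferred path: the client is already running as a domain user, so the
    // logon token is the proof. No password is collected or stored by us.
    // Returns DOMAIN\user, or null when the token is not a domain logon.
    public static string CurrentDomainUserOrNull()
    {
        using (var id = WindowsIdentity.GetCurrent())
        {
            // Local accounts and anonymous tokens are rejected; a Kerberos or
            // NTLM token means a domain controller already vouched for this user.
            if (id == null || !id.IsAuthenticated || id.IsSystem || id.IsAnonymous)
                return null;
            if (id.AuthenticationType != "Kerberos" && id.AuthenticationType != "NTLM")
                return null;
            return id.Name;
        }
    }

    // Fallback for the web console (machine not on the domain): the DC does the
    // password check; the application never compares or persists passwords.
    // Returns the UPN (user@domain) to use as the sub-account name, or null.
    public static string ValidateAndGetSubAccount(string domain, string samAccountName, string password)
    {
        if (string.IsNullOrEmpty(samAccountName) || string.IsNullOrEmpty(password))
            return null;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            if (!ctx.ValidateCredentials(samAccountName, password))
                return null;
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                // A valid password on a disabled account must still be refused.
                if (user == null || user.Enabled == false)
                    return null;
                // The UPN is stable across display-name changes, so it is a
                // safer key for "which files belong to this user" than the name.
                return user.UserPrincipalName;
            }
        }
    }
}
```

Only the identity returned by these methods should be trusted when the server lists or serves files; the administrator's main-account credentials never need to reach a user's machine.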