
I have been tasked with coming up with the authentication/authorization for an enterprise intranet web application. The requirements I was given were:

  1. Must authenticate against Active Directory
  2. All password requirements must be the same as those in AD
  3. The authorization within the application must take place OUTSIDE of AD. Locking/unlocking users should still take place in AD via a Support team.

Originally what I did was authenticate against LDAP with the user's provided credentials, in which case the user would get locked out of the APPLICATION only after x attempts (NOT AD). I am now being told that if the user fails to log in x times, they should be locked out of ALL APPS and ALL ENTERPRISE connections (essentially logged out/force signed off of Windows). My feelings are the following:

  1. It sounds like we are trying to have our cake and eat it too. We want to use AD but at the same time we don't, as the actual authorization takes place outside of it. I don't see what the purpose of this is. They seem to be trying to use SSO but at the same time aren't.
  2. I don't see why this should lock the user out of the entire network. To access the site, the user must first be signed in over VPN (already logged in on Windows and through the VPN with 2FA). They are then required to log in to the site again with their Windows password only. I don't understand the security benefits of doing this.
  3. ANY user could type in whatever username they wanted and lock everyone out of their accounts from this website. So in theory I could type in the CEO's AD name and just type a password into the application to lock them out of the entire corporate network.

Is there any rationale for the requirements I was given that makes sense from a security standpoint? Should invalid logins to an application be something that locks someone out of a Windows account, especially when any user on the network can access the application? Please help me understand the pros/cons of both approaches. I understand neither is "ideal", but I don't think the one I am instructed to build is appropriate.

1 Answer


If you want the authentication to be based on AD, you should try to use the GSSAPI (in fact good old Kerberos). AD uses LDAP as its storage backend, but relies on Kerberos for the authentication part. That means that each user who is logged into AD has a Kerberos ticket. Most browsers (we tested Firefox, Chrome and Edge) can be instructed to request an application ticket when they connect to a web application and pass that ticket to the server, which uses it to transparently authenticate the user.

Not only is the authentication system based on AD, but it is fully transparent from the user's point of view: no need to type the user name and password again and again; their identity is automatically known to the server. And it has the very same security level as the original AD authentication. The initial configuration is not especially a piece of cake, but you can find information if you Google how to couple a Unix web server to Active Directory authentication.

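To make the answer above concrete, here is an added example (not part of the original answer) of the server side of that setup: an Apache vhost using mod_auth_gssapi to accept a SPNEGO/Kerberos ticket from the browser, with the keytab created on a domain controller and the browser preference that allows the ticket to be sent. The hostname `intranet.corp.example`, the realm `CORP.EXAMPLE`, the service account `svc-http` and the keytab path are assumptions for illustration; substitute your own.

```apache
# --- 1. On a domain controller (Windows, run as a domain admin), create the
#        keytab for the web server's service principal. Assumed names below.
#        (ktpass is a Windows command; shown here as a comment for context.)
#
#   ktpass /princ HTTP/intranet.corp.example@CORP.EXAMPLE ^
#          /mapuser svc-http@CORP.EXAMPLE ^
#          /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL ^
#          /pass * /out http.keytab
#
#   Copy http.keytab to /etc/httpd/http.keytab on the web server,
#   owned by the httpd user, mode 0600.

# --- 2. Apache vhost on the Unix web server (mod_auth_gssapi loaded).
<VirtualHost *:443>
    ServerName intranet.corp.example

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.crt     # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.key   # assumed path

    <Location "/">
        AuthType GSSAPI
        AuthName "Corporate intranet"
        # Where the HTTP/ service key lives; the browser's ticket is
        # encrypted to this key, so nothing else can forge a login.
        GssapiCredStore keytab:/etc/httpd/http.keytab
        # Only negotiate real Kerberos; no NTLM fallback.
        GssapiAllowedMech krb5
        # Refuse to accept the ticket over plain HTTP.
        GssapiSSLonly On
        # Weak setting would be "GssapiBasicAuth On": that lets a browser
        # fall back to sending the AD password in a Basic header, which is
        # exactly the "type your Windows password again" flow the question
        # wants to avoid. Keep it Off so only a ticket is accepted.
        GssapiBasicAuth Off
        # Strip "@CORP.EXAMPLE" so REMOTE_USER is the bare sAMAccountName;
        # the application does its own authorization on that name.
        GssapiLocalName On
        Require valid-user
    </Location>
</VirtualHost>

# --- 3. Firefox preference (about:config or enterprise policy) so the
#        browser is willing to send a ticket to this host:
#
#   network.negotiate-auth.trusted-uris = intranet.corp.example
#
#   Chrome/Edge on a domain-joined Windows machine send the ticket to sites
#   in the Local intranet zone, or to hosts listed in the
#   AuthServerAllowlist policy.
```

The application then reads the authenticated user from `REMOTE_USER` and never sees or verifies a password, so there is nothing for a failed-attempt counter in the application to lock out, and the amplification worry in the question's third point (anyone typing the CEO's name into a login form) does not arise: a user can only present a ticket for the account they are actually logged into Windows as. Lockout policy stays entirely where the requirements say it belongs, in AD.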