I have been tasked with coming up with the authentication/authorization for an enterprise intranet web application. The requirements I was given were:
- Must authenticate against Active Directory
- All Active Directory password requirements must be the same as those in AD
- The authorization within the application must take place OUTSIDE of AD. Locking/unlocking users should still take place with AD via a Support team.
Originally what I did was authenticate against LDAP with the user's provided credentials, in which the user would get locked out of the APPLICATION only after x amount of attempts (NOT AD). I am now being told that if the user fails to login after x amount of times, they should be locked out of ALL APPS and ALL ENTERPRISE connections (essentially logged out/force signed off of Windows). My feelings are the following:
- It sounds like we are trying to have our cake and eat it too. We want to use AD but at the same time we don't, as in the actual authorization takes place outside of it. I don't see what the purpose of this is. They seem to be trying to use SSO but at the same time aren't.
- I don't see why this should lock the user out of the entire network. To access the site, the user must first be signed in over VPN (already logged in on Windows and through the VPN with 2FA). They then are required to login to the site again with their Windows password only. I don't understand the security benefits of doing this.
- ANY user could type in whichever user they wanted to and lock everyone out of their accounts from this website. So in theory I could type in the CEO's AD name and just type in the password into the application to lock them out of the entire corporate network.
Is there any rationale for the requirements I am given that makes sense from a security standpoint? Should invalid logins to an application be something that locks something out of a Windows account especially when any user on the network can access the application? Please help me understand the pros/cons of both approaches. I understand neither are "ideal", but I don't think the one I am instructed to make is appropriate.
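As an added illustration of the first approach described in the question (this is example code, not the asker's), here is an application-side lockout gate that sits in front of the LDAP bind: once a username reaches the application's failure threshold within the window, further attempts are rejected without contacting AD at all, so repeated failures through the web form stop being forwarded to the directory. The `bind` callable standing in for the LDAP bind is an assumption of this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AppLockoutGate:
    """Application-side failed-login gate placed in front of the LDAP bind.

    Once `user` has `max_failures` failures within `window_seconds`, login()
    returns 'app_locked' without calling bind(), so an application lockout
    does not keep feeding failed binds (and therefore lockouts) into AD.
    """
    # Hypothetical hook: returns True when the LDAP simple bind succeeds.
    bind: Callable[[str, str], bool]
    max_failures: int = 5
    window_seconds: int = 900
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    _failures: Dict[str, List[float]] = field(default_factory=dict)

    def _recent_failures(self, user: str) -> List[float]:
        # Drop failures older than the window and keep the live list stored.
        now = self.clock()
        kept = [t for t in self._failures.get(user, [])
                if now - t < self.window_seconds]
        self._failures[user] = kept
        return kept

    def is_locked(self, user: str) -> bool:
        return len(self._recent_failures(user)) >= self.max_failures

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'app_locked'."""
        if self.is_locked(user):
            return "app_locked"          # AD is never contacted for a locked user
        if self.bind(user, password):
            self._failures.pop(user, None)   # success clears the counter
            return "ok"
        self._recent_failures(user).append(self.clock())
        return "bad_credentials"
```

The attempts forwarded before the application threshold is reached still count against AD's own lockout threshold, so if application failures are not meant to lock the AD account, the application threshold has to be set below the AD one.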