Discussion:
web authentication methods... ADFS vs Radius
d***@nwlink.com
2006-09-06 22:47:11 UTC
Please excuse this if this is just a totally off base question.

We are kicking around a way of authenticating a web-application user
with the user's domain credentials. The user resides in one forest, and
the application in another, unrelated forest.

I've set up the ADFS step-by-step example, and it seems to fit the
bill. However, when I started talking about it with a colleague, he
suggested that using RADIUS might be adequate, and easier (they don't
have Windows 2003 boxes).

It seems to me that one thing is that most people do RADIUS (or so I've
heard).

But it also occurs to me that in order to do the RADIUS authentication,
the application has to be coded to talk to the RADIUS server of the
user's domain, right? It also seems to me that if you wanted to allow
users from a number of different forests, the application needs to know
about each of the trust relationships that are established, right?

Of course ADFS has to know about all the different domains as well, but
it's much easier to configure something that's already written, than to
have to write it into the application and *then* configure it.

Comments?

thanks in advance
Joe Kaplan
2006-09-07 00:47:10 UTC
This is probably a better question for the aspnet.security newsgroup, but it
is also appropriate here.

Basically, the easiest way to integrate IIS with AD for authentication and
authorization is to make the web servers domain member servers and use built-in
IIS/Windows auth (basic, digest or IWA). However, since you have two
separate forests with no trust, that won't work. That's a shame.

ADFS is definitely a way to create a trust between unrelated forests and get
web SSO to boot. However, it is a lot of stuff to do if you aren't trying
to build a federation solution or do SSO. To just enable it for one app
seems like overkill to me. Also, you really do need 2K3 R2 web servers, so
if there are no upgrade plans, you can't use that.

If you just want to get authentication working, RADIUS also seems like
overkill. LDAP authentication is probably easier to do and you'll find a
lot more ASP.NET software that already handles that. The
ActiveDirectoryMembershipProvider in .NET 2.0 is one such thing that will
work for this application. I'm not aware of any easy-to-use code that will
integrate RADIUS with forms authentication (although I'm sure it exists), so
you'd probably have to dig a bit more to get that working. It is certainly
an option, but I wouldn't do it unless all the RADIUS stuff is already in
place.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
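The LDAP route Joe Kaplan recommends, as an added illustration that is not part of this thread: a web.config fragment wiring ASP.NET 2.0 forms authentication to the ActiveDirectoryMembershipProvider so that the web app, running in its own forest, validates credentials directly against a domain controller in the users' forest. Every host name, DN, service account and the connection-string name are assumptions for the example; the attribute names are the provider's real ones. Because the web servers are not members of the users' forest, the provider cannot bind with the process identity and needs an explicit connection account, which should have no more than read access to the user objects.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed: a DC in the users' forest, reachable on LDAP from the application forest.
         The path limits the provider to the container it may search. -->
    <add name="UsersForestLdap"
         connectionString="LDAP://dc1.users.example.com/DC=users,DC=example,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth: the app collects the credentials itself and hands them to the provider. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>

    <!-- Deny anonymous users everywhere by default; open individual paths with <location> if needed. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="UsersForestLdap"
             connectionProtection="Secure"
             connectionUsername="svc-webauth@users.example.com"
             connectionPassword="PLACEHOLDER-encrypt-this-section"
             attributeMapUsername="userPrincipalName"
             enableSearchMethods="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With this in place a Login control (or a call to Membership.ValidateUser) checks the user's password against the remote forest without any code in the application that knows about trusts or RADIUS. Two points worth checking before going live: `connectionProtection="Secure"` makes the provider insist on an encrypted channel, so the DC in the other forest must offer LDAP over SSL (or signing and sealing) rather than clear-text port 389; and the service-account password should not sit in plain text in web.config, so encrypt the section on the server with `aspnet_regiis -pe "system.web/membership"`. `enableSearchMethods="false"` keeps the account from being used for user enumeration through the provider's search APIs.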