Reputation: 258
I need to create a web API which should authenticate a user through Active Directory. The API should be available publicly and needs to authenticate users who are inside an intranet. But the user authentication should also be possible from outside that particular intranet. What should I do to make the service available publicly?
Upvotes: 0
Views: 1162
Reputation: 2793
It's not secure to authenticate external users against your production Active Directory directly. But that doesn't mean you can't accomplish your task. You should start looking into Active Directory Lightweight Directory Services. AD LDS, formerly known as ADAM, will allow you to authenticate external users against your Active Directory using Proxy Authentication.
Proxy authentication allows a user to perform a simple bind to an AD LDS instance, while still maintaining an association to an Active Directory account. Two accounts are involved in the transaction. The first is a special object in AD LDS called a userProxy object. The second is the user's account in Active Directory.
The AD LDS userProxy object is a representation of the Active Directory account. The proxy object is tied to the Active Directory account through that account's security identifier (SID). There is no password stored on the actual proxy object itself.
When a user performs a simple bind to an LDS instance with a proxy object, the bind is redirected to Active Directory by passing the SID and password to a domain controller. The AD LDS server performs the authentication, and the entire process is invisible to the end user.
Upvotes: 1
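An added example, not part of the answer above: a sketch of how a web API could perform the simple bind against a userProxy object using `System.DirectoryServices.Protocols`. The host name, port, container DN and the `CN=<user name>` naming of the proxy objects are assumptions to replace with your own AD LDS values.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

public static class ProxyBindAuthenticator
{
    // Assumed values: replace with your AD LDS host, LDAPS port and userProxy container.
    private const string LdsHost = "lds.example.internal";
    private const int LdsPort = 636;
    private const string ProxyContainer = "OU=Proxies,DC=example,DC=internal";

    // Allowlist keeps DN metacharacters (, + " \ < > ; =) out of the bind DN.
    private static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9._-]{1,64}\z");

    public static bool Authenticate(string userName, string password)
    {
        // An empty password turns a simple bind into an unauthenticated bind
        // (RFC 4513), which a server may accept: reject it before binding.
        if (string.IsNullOrEmpty(password)) return false;
        if (userName == null || !SafeName.IsMatch(userName)) return false;

        // Assumption: each userProxy object is named CN=<user name> in one container.
        string bindDn = "CN=" + userName + "," + ProxyContainer;
        var server = new LdapDirectoryIdentifier(LdsHost, LdsPort);
        var credential = new NetworkCredential(bindDn, password);

        using (var conn = new LdapConnection(server, credential, AuthType.Basic))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            // A simple bind sends the password itself, so only do it over TLS.
            conn.SessionOptions.SecureSocketLayer = true;
            conn.Timeout = TimeSpan.FromSeconds(10);
            try
            {
                conn.Bind(); // AD LDS passes the SID and password to a domain controller
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == 49) // invalidCredentials
            {
                return false;
            }
        }
    }
}
```

Any other `LdapException` (server unreachable, TLS failure) propagates to the caller, so an outage is not reported as a wrong password.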
Reputation: 13980
You cannot authenticate users with AD outside your intranet. They should use a VPN connection to gain access to your network before being authenticated.
Upvotes: 0