MisterIsaak

Reputation: 3922

Active Directory WCF Service

I'm wondering what solutions/options I might have for managing user authentication and authorization with AD. I'm in a situation where we want to use AD accounts/groups/etc. to manage our users, both internal and external. I found this article (http://blog.waleedmohamed.net/2009/12/create-active-directory-service-using.html) that shows a simple WCF Service exposing some AD operations.

My thought is to create an AD WCF Service which multiple apps can consume for account CRUD operations and other needed functions like logging in and password retrieval. Is this a good idea to have a service with this much power? We're thinking about having the service use an account that only has permissions on certain OUs to limit its power.

Thanks!

Upvotes: 0

Views: 711

Answers (3)

nwayve

Reputation: 2331

I asked a similar question and was also only able to find the resource you found as well. I like the idea since I have multiple internal applications that interface with AD already using an AD Helper library I've created. I want to create a WCF service from that AD Helper library in order to have a single application to maintain should I need to add or fix functionality instead of revisiting every application that utilizes the AD Helper library.

My concern is reinventing the wheel. I don't want to implement something that MS may already have an implementation for. It was suggested to me to look at Active Directory Web Services to see if that's something that already does what I've already implemented within my AD Helper library. From what I can tell, it's just another way of interfacing with AD, which I already do using the System.DirectoryServices namespace.

I think if implemented properly, this would be an excellent addition to any development environment to more uniformly integrate their internal applications with Active Directory and centralize their maintenance of this implementation.

Upvotes: 1

Aliostad

Reputation: 81700

A lot of CRUD operations can be done by Domain Admins only. As one approach, this would require the WCF service to be running as Domain Admin, in which case it is probably very dangerous if someone can hack into it and run code in it.

Windows authentication would not work (in IIS) to pass the authentication token across to the DC, since most likely IIS is not running on the DC.

On the other hand, the user can pass username/password in a secure session (possibly over SSL), and it would be used to connect to the Domain Controller. As long as you can secure it, it could be fine.

Upvotes: 1
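The approach described in this answer (caller supplies username/password over SSL, and the service checks them against the DC instead of running as Domain Admin), as an added example that is not code from any of the answerers. It assumes a hypothetical `AdGateway` assembly, an assumed domain `corp.example.com`, and an assumed OU DN; a custom WCF `UserNamePasswordValidator` validates the caller's credentials with a `PrincipalContext` scoped to one OU and rejects accounts that live outside it, so the service never needs a privileged identity of its own.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;

// Hypothetical WCF credential validator. Wire it up in web.config with:
//   basicHttpBinding security mode="TransportWithMessageCredential" (SSL on 443),
//   message clientCredentialType="UserName", and under <serviceCredentials>:
//   <userNameAuthentication userNamePasswordValidationMode="Custom"
//       customUserNamePasswordValidatorType="AdGateway.AdCredentialValidator, AdGateway" />
public class AdCredentialValidator : UserNamePasswordValidator
{
    // Assumed values: replace with the real domain and the one OU this service may serve.
    private const string Domain = "corp.example.com";
    private const string AllowedOu = "OU=ExternalUsers,DC=corp,DC=example,DC=com";

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Username and password are required.");

        // Bind the context to the OU, not the whole domain, so lookups cannot reach other accounts.
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain, AllowedOu))
        {
            // Check the caller's own credentials; the service process identity stays unprivileged.
            // Negotiate (Kerberos) with signing and sealing protects the check on the wire to the DC.
            bool valid = ctx.ValidateCredentials(userName, password,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
            if (!valid)
                throw new SecurityTokenException("Invalid credentials."); // same message for unknown user and bad password

            // ValidateCredentials accepts any account in the domain, so confirm the user is inside the allowed OU.
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                if (user == null)
                    throw new SecurityTokenException("Account is outside the OU this service is permitted to serve.");
            }
        }
    }
}

[ServiceContract]
public interface IAdGateway
{
    [OperationContract]
    string WhoAmI();
}

public class AdGateway : IAdGateway
{
    // After validation WCF exposes the caller's name here; the service never stores the password.
    public string WhoAmI() => ServiceSecurityContext.Current.PrimaryIdentity.Name;
}
```

Any account CRUD the service performs on behalf of the validated caller should then go through a `PrincipalContext` bound to the same OU, so a compromise of the host cannot be turned into domain-wide changes.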

dexter

Reputation: 7223

I would pay a lot of attention to implementing security for the WCF service, such as having it on port 443 (SSL). Restriction of access to the server by certain IP range (IIS) comes to mind as well.

Upvotes: 0
