Accessing contacts in email and mobile clients: LDAP or CardDAV? - active-directory

We store user email addresses, phones, physical addresses and other info in our corporate Windows Active Directory. Active Directory users need to access this information from all kinds of e-mail clients, such as Mozilla Thunderbird, Outlook, iOS Contacts, MacOS X, Android addressbook, etc., both from the corporate network and from outside of it, from the Internet. We do not use Microsoft Exchange server.
I have found that this could be done via LDAP and CardDAV (through an installed in-house app).
Which one is the better approach for accessing contacts in all kinds of email and mobile clients, LDAP or CardDAV?

Think about it this way - Active Directory is Microsoft's own implementation of LDAP, in addition to being their version of a database driven directory server. I wouldn't use anything else.
Also, Active Directory primarily supports LDAP based user authorization, so if you're going to be serving applications or individual requests outside of your local network and domain (especially from the various sources you named), this is a feature you'll need to consider for security purposes.
I'm not quite sure what your tech stack looks like, but many languages support LDAP based querying and authorization. I've cut my teeth in C# working with the System.DirectoryServices.Protocols namespace, and I've come to appreciate the adaptability and performance.
And here is a great link on the Protocols and Interfaces to Active Directory.
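Whichever client language you use, the part of an LDAP contact lookup that deserves care is the search filter: the search term typed into an address book ends up inside it, so it has to be escaped (RFC 4515) or a term containing `*`, `(` or `)` changes what the query matches. The following is an added example, not code from this thread or from Microsoft; the attribute names are standard AD attributes, while the base DN and the sample input are constructed.

```python
"""Build an LDAP search filter for a contact lookup against Active Directory,
escaping user-supplied text per RFC 4515 so a search term cannot change the
filter's structure. Added example, not code from the thread. The attribute
names are standard AD attributes; the base DN and the sample inputs are
constructed."""

# Characters that must be escaped inside a filter assertion value (RFC 4515
# section 3). Each is replaced by a backslash and its two-digit hex code.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value. Each character is looked up once, so a
    backslash produced by an earlier replacement is never re-escaped."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: RFC 4515 allows each UTF-8 byte to be written as \XX.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Attributes a mail client would want back for an address-book entry.
CONTACT_ATTRS = ["cn", "mail", "telephoneNumber", "mobile",
                 "streetAddress", "l", "postalCode", "co"]

BASE_DN = "DC=corp,DC=example"  # constructed placeholder


def contact_search_filter(term: str, prefix_match: bool = True) -> str:
    """Filter matching enabled user objects whose name, mail or logon name
    starts with `term` (or equals it when prefix_match is False).

    The wildcard is appended *after* escaping, so a '*' or ')' supplied by
    the caller becomes literal text instead of altering the filter."""
    safe = escape_filter_value(term)
    pattern = safe + "*" if prefix_match else safe
    return (
        "(&"
        "(objectCategory=person)(objectClass=user)"
        # Bitwise-AND matching rule on userAccountControl; bit 2 = ACCOUNTDISABLE.
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
        f"(|(cn={pattern})(mail={pattern})(sAMAccountName={pattern}))"
        ")"
    )


if __name__ == "__main__":
    # A legitimate term containing parentheses is escaped, not mangled.
    print(contact_search_filter("Acme (East)"))
    print("attributes:", ", ".join(CONTACT_ATTRS))
```

The filter string is what you would hand to `SearchRequest` in `System.DirectoryServices.Protocols` or to any other LDAP client; the escaping is the same regardless of language. Clients that sit outside the corporate network should talk LDAPS (TCP 636) or LDAP with StartTLS, and the account used for the bind only needs read access to the contact attributes listed above.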

Related

Block file upload from managed devices Microsoft 365

I have implemented MFA and registered personal devices to access organization data and applications. Now users can access organization apps on personal devices; I want to restrict document uploads from the managed devices.
Users should not be able to upload files from personal devices to applications such as OneDrive/SharePoint etc.
Here are your options: https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
At the bottom, under advanced, there is an option to limit editing from the browser; this may be sufficient for what you are seeking.
According to here, personal devices, as long as they are not marked compliant, are considered unmanaged.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices#managed-devices

Is it possible to track all authentication requests on an AD server?

Is it possible to track all authentication requests on an AD server, no matter whether the requests go through LDAP, Kerberos or NTLM, and to find out the source IP address and account name?
That information is already in the Event Viewer on each of your domain controllers.
If you search online, you may be able to find some software that can be installed on each DC that will consolidate all that information for you to make it easier to look at and search. But I've never done that, so I can't recommend anything.
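The events the answer refers to live in the Security log of each domain controller, and each authentication path lands in a different event ID with the account and source in different `EventData` fields. The following is an added example, not code from this thread; it pulls those fields out of records shaped like the Event Viewer's "XML view". The records themselves are constructed samples, not real logs.

```python
"""Extract account name and source address from domain-controller Security
log events for the three authentication paths the question names. Added
example, not from the thread; the records below are constructed samples
shaped like the Event Viewer's "XML view", not real logs."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventID -> (label, field holding the account, field holding the source).
# 4768: Kerberos TGT requested (subcategory "Audit Kerberos Authentication Service").
# 4776: NTLM credential validation on the DC; it records the workstation
#       name, not an IP ("Audit Credential Validation").
# 4624: logon on the DC itself; an LDAP simple bind shows up as a network
#       logon (LogonType 3) carrying the client's IpAddress ("Audit Logon").
TRACKED = {
    4768: ("Kerberos", "TargetUserName", "IpAddress"),
    4776: ("NTLM", "TargetUserName", "Workstation"),
    4624: ("Logon", "TargetUserName", "IpAddress"),
}


def _event(event_id, computer, **data):
    """Build a constructed sample record in the Event Viewer XML shape."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed test data
    _event(4768, "DC01.corp.example", TargetUserName="alice",
           IpAddress="::ffff:10.0.0.23", Status="0x0"),
    _event(4776, "DC01.corp.example", TargetUserName="bob",
           Workstation="LAPTOP-07", Status="0x0"),
    _event(4624, "DC01.corp.example", TargetUserName="alice",
           LogonType="3", IpAddress="10.0.0.23"),
    _event(4624, "DC01.corp.example", TargetUserName="SYSTEM",
           LogonType="5", IpAddress="-"),
    _event(4634, "DC01.corp.example", TargetUserName="alice",
           LogonType="3"),  # logoff: not an authentication request
]


def parse_event(xml_text):
    """Return {account, source, protocol, dc}, or None for untracked events."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    spec = TRACKED.get(event_id)
    if spec is None:
        return None
    label, user_field, src_field = spec
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    source = data.get(src_field, "")
    if source.startswith("::ffff:"):        # IPv4 written in mapped-IPv6 form
        source = source[len("::ffff:"):]
    if source in ("", "-"):                 # local/service logons carry none
        source = "local"
    return {"account": data.get(user_field, ""), "source": source,
            "protocol": label,
            "dc": root.findtext("e:System/e:Computer", namespaces=NS)}


def summarize(raw_events):
    """Count (account, source, protocol) triples across the records."""
    counts = Counter()
    for raw in raw_events:
        rec = parse_event(raw)
        if rec is not None:
            counts[(rec["account"], rec["source"], rec["protocol"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(n, *key)
```

Two practical caveats: the audit subcategories named in the comments must be enabled on every DC or the events are simply not written, and consolidation across DCs is needed because a client may authenticate against any of them, which is the "software that consolidates" part of the answer (Windows Event Forwarding or a SIEM does this).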

Enable an asp.net core web application to work without internet and with internet?

I have been developing an ASP.NET Core web application and published it in production mode (online server); the users can access it with a specific domain name and log in and do data entry from three different countries.
But the problem is that sometimes, in one specific country, there is no internet access. My client wants this application to work online and offline: if there is no internet access, the local branch must be able to do data entry, and then, when the internet gets connected, the data should be sent to the online server database.
What is the best way to achieve this goal?
Please write your view or add some good forum links below.
Rationally, it is not possible for you to access a Web App without internet. Web Apps are meant for network usage. However, I believe there is a workaround for such requirements. What you can do is that you can create a clone of your database for the third user, who has no internet access, and perform all transactions within the local machine, and when the connection comes back online, you can replicate the data from the local SQL Server into the online server database.
And then there is something called Progressive Web Apps, which will allow you the privileges below:
Reliable - Load instantly and never show the downasaur, even in uncertain network conditions.
Fast - Respond quickly to user interactions with silky smooth animations and no janky
Engaging - Feel like a natural app on the device, with an immersive user experience.
What are Progressive Web Applications? Google has something more to discuss here.
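The "local clone, replicate later" workaround in the answer above has one detail that decides whether it is safe: replication has to survive retries, because the link in that country will drop mid-transfer and the branch will push the same batch again. The following is an added example, not code from this thread; it uses client-generated UUIDs as primary keys so a replayed batch is a no-op on the server. Both databases are in-memory SQLite standing in for the local clone and the online server, and the `Server` class is a hypothetical stand-in whose `online` flag simulates the link.

```python
"""Offline data-entry outbox that replays into the central database when the
link returns. Added example, not code from the thread. Both databases are
in-memory SQLite standing in for the local clone and the online server; the
`Server` class is a hypothetical stand-in so a dropped link can be simulated."""
import sqlite3
import uuid
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS entries (
    id         TEXT PRIMARY KEY,   -- client-generated UUID, stable across retries
    branch     TEXT NOT NULL,
    payload    TEXT NOT NULL,
    created_at TEXT NOT NULL,
    synced     INTEGER NOT NULL DEFAULT 0
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class Server:
    """Stand-in for the online database. `online` simulates the link."""

    def __init__(self):
        self.db = open_db()
        self.online = True

    def apply_batch(self, rows):
        if not self.online:
            raise ConnectionError("server unreachable")
        # INSERT OR IGNORE on the UUID key makes a replayed batch a no-op,
        # so a lost acknowledgement cannot create duplicate entries.
        self.db.executemany(
            "INSERT OR IGNORE INTO entries (id, branch, payload, created_at, synced)"
            " VALUES (?, ?, ?, ?, 1)", rows)
        self.db.commit()

    def count(self):
        return self.db.execute("SELECT COUNT(*) FROM entries").fetchone()[0]


def record_entry(local, branch, payload):
    """Store one data-entry record locally; needs no connectivity."""
    entry_id = str(uuid.uuid4())
    local.execute(
        "INSERT INTO entries (id, branch, payload, created_at, synced)"
        " VALUES (?, ?, ?, ?, 0)",
        (entry_id, branch, payload, datetime.now(timezone.utc).isoformat()))
    local.commit()
    return entry_id


def push_pending(local, server):
    """Send unsynced rows and mark them synced only after the server accepted
    them. Returns the number of rows pushed, or -1 if the link was down."""
    rows = local.execute(
        "SELECT id, branch, payload, created_at FROM entries WHERE synced = 0"
        " ORDER BY created_at").fetchall()
    if not rows:
        return 0
    try:
        server.apply_batch(rows)
    except ConnectionError:
        return -1            # leave the rows pending; retry later
    local.executemany("UPDATE entries SET synced = 1 WHERE id = ?",
                      [(r[0],) for r in rows])
    local.commit()
    return len(rows)


def pending_count(local):
    return local.execute(
        "SELECT COUNT(*) FROM entries WHERE synced = 0").fetchone()[0]


if __name__ == "__main__":
    local, srv = open_db(), Server()
    record_entry(local, "branch-A", "invoice 1")
    srv.online = False
    print("pushed while offline:", push_pending(local, srv))
    srv.online = True
    print("pushed when back online:", push_pending(local, srv), "server rows:", srv.count())
```

The same idea carries over to SQL Server: give the local table a client-generated key, and have the server-side insert ignore or upsert on that key. The server-side credential the branch uses for replication should be limited to inserting into that table, not a full database login, since the branch machine is the least protected end of the link.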

How do you use Active Directory in a "hosted solution"?

Yesterday I got a call from a Microsoft representative asking if we supply "hosted solutions", presumably as part of the big Windows Azure push. As soon as I got off that call, our marketing director came into my office and said the majority of our customers are demanding Active Directory integration in the next version. Then it occurred to me: how does one use Active Directory in a "hosted solution" if the application does not live on the customer's network?
As a more general question about Active Directory integration, what kind of functional changes does that usually imply for an app? Does it mean a user is signed into the app just by authenticating to Active Directory or does it mean the app gets its list of users from Active Directory or does the creation of new users or groups in the app create new users or groups in Active Directory?
Am I just caught in the crossfire of a war of buzzwords?
You're not. Active Directory can be run across the public Internet, though this complicates the security and setup of the network rather considerably.
Generally, authenticating an app against Active Directory means that your membership provider (for example) would call into Active Directory to do the authentication and, after that, the user is simply logged in; you don't keep active credentials, etc, in your own database. However I would consider it smart to cache that information as well, and be prepared to authenticate against that cache in addition to the directory, in case the domain controller is unavailable for authentication (an especially large risk if you're running the directory across the Internet).
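The cache the answer above describes has two failure modes worth getting right: it must not store the password itself, and it must only be consulted when the directory is unreachable, never when the directory has actually rejected the password. The following is an added example, not code from this thread; `directory_authenticate` stands in for the real AD bind or membership-provider call, and `FakeDirectory` is a constructed stand-in used only to exercise the logic.

```python
"""Cached-credential fallback for when the domain controller cannot be
reached. Added example, not the thread's code. `directory_authenticate`
stands in for the real AD bind / membership-provider call and
`FakeDirectory` is a constructed stand-in for testing."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor
CACHE_TTL_SECONDS = 7 * 24 * 3600    # offline logons allowed for a week


class DirectoryUnavailable(Exception):
    """Raised when the directory cannot be contacted (as opposed to a
    rejected password, which is an ordinary False result)."""


class CredentialCache:
    """Stores a salted PBKDF2 hash of the last password the directory
    accepted for each user, never the password itself."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, now=time.time):
        self._entries = {}      # username -> (salt, derived_key, stored_at)
        self._ttl = ttl
        self._now = now         # injectable clock for testing

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def remember(self, username, password):
        salt = os.urandom(16)
        self._entries[username.lower()] = (
            salt, self._derive(password, salt), self._now())

    def forget(self, username):
        self._entries.pop(username.lower(), None)

    def verify(self, username, password):
        entry = self._entries.get(username.lower())
        if entry is None:
            return False
        salt, derived, stored_at = entry
        if self._now() - stored_at > self._ttl:
            self.forget(username)           # stale entry: force a live check
            return False
        return hmac.compare_digest(self._derive(password, salt), derived)


def authenticate(username, password, directory_authenticate, cache):
    """Returns (accepted, source). The cache is consulted only when the
    directory is unreachable; a live rejection also evicts the cached entry,
    so a changed or disabled password stops working offline as well."""
    try:
        accepted = directory_authenticate(username, password)
    except DirectoryUnavailable:
        return cache.verify(username, password), "cache"
    if accepted:
        cache.remember(username, password)
    else:
        cache.forget(username)
    return accepted, "directory"


class FakeDirectory:
    """Constructed stand-in for the directory: a user table and a switch."""

    def __init__(self, users):
        self.users = users      # username -> password (test data only)
        self.online = True

    def __call__(self, username, password):
        if not self.online:
            raise DirectoryUnavailable()
        return self.users.get(username) == password


if __name__ == "__main__":
    directory = FakeDirectory({"alice": "correct horse battery"})
    cache = CredentialCache()
    print(authenticate("alice", "correct horse battery", directory, cache))
    directory.online = False
    print(authenticate("alice", "correct horse battery", directory, cache))
```

`remember` recomputes the PBKDF2 hash on every successful live logon, which is deliberate: the cached entry is then never older than the last time the directory vouched for the password. Whatever "unavailable" means in your stack (a timeout on the LDAP bind, an `LdapException` from `System.DirectoryServices.Protocols`) should be mapped to `DirectoryUnavailable`, and nothing else should be.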
You can use Active Directory Federated Services to enable authentication using AD over the internet between two organizations. See: http://technet.microsoft.com/en-us/library/cc786469.aspx
I've never used it, only read about it. Hope it helps.
The accepted answer explains the role of Active Directory and I agree that caching basic user information may be useful in many instances.
Active Directory can be expanded outside of a corporate network, to the internet and connected web services. As another user mentioned, this is achieved through ADFS (Active Directory Federation Services) which allows "trusted" connections to be set up between separate authentication services. There were a number of scenarios explained as part of the "Office 365 Jump Start" webinars:
http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
After viewing these, I immediately thought that a "hosted" AD and ADFS service would be useful, where a customer doesn't want to maintain the AD servers internally (Microsoft don't recommend running less than 5 separate servers if you're doing this!). Recently, Microsoft have also launched their Azure cloud platform. One of the services they provide is labelled "Identity", which you can see here:
http://www.windowsazure.com/en-us/services/identity/
This is Microsoft's own solution to hosted AD services. In fact, they even mention using their "Identity" hosted service as a solution for SSO (Single Sign-On) for Office 365 and even Google web apps.
I am still learning about AD and Microsoft's cloud offerings, but I hope this points you in the right direction.
There's an article here: http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/ which describes in-depth how to integrate Active Directory with Azure - hope that helps.
Active Directory can be run across the public internet, but you will experience lag times which may cause your app to time out or crash depending on your bandwidth. In the past, I have set up accounts with another company called ultradns.com, who specializes in these types of scenarios. Hope that helps.
You'd be best off going with a true hosting framework if you would like any support from MS.
I'm sure you'd like some links so:
HMC (Hosted Messaging and Collaboration)
The ONLY true blog I know about on the framework is from Kip Ng
The ASP.NET forums are a good resource for questions on the Framework as well.
An example of the work that goes into configuring AD for Exchange multitenancy is here, though it is based on an older version of the framework a lot of the same principles apply.
Also, try searching on the keyword multitenancy for some articles.

Is it a good idea to use Active Directory user login to your application

I am developing a web-based intranet for my company. I just want to know whether it is a good thing for users to log in to the application using their Active Directory login details, or whether I should create a login together with the application DB.
If there is anything better than this, please suggest it. This is my first application development, so I need help from experienced people.
Generally it's a good idea to try and minimize the number of accounts people need to have.
So I'd definitely try and use their Active Directory login.
Also, if desirable, you can automatically log people into your application using various single sign-on methods (either integrated into IIS, or other).
This makes for a very usable application, as people always forget login details, and hate to login again to other systems.
Only use Active Directory for your intranet if your infrastructure supports it.
Your question is phrased as if you think the user has to type their password in again to log in to the intranet site - they should not do this! Have Windows pass on the credentials automatically. This is pretty much built in to dotnet/IIS/etc.
Also, AD will add group management and privileges, so you can restrict areas of your intranet to members of certain groups.
And your support team already has the tools to manage all this.
PS: you can enable Firefox to auto log on via NTLM, and it is one of the most requested features for Chrome too, so don't let browser issues put you off.
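Restricting intranet areas to AD groups, as the answer above suggests, usually means comparing the DNs in the user's `memberOf` attribute against the groups an area allows, and the common bug is comparing those DNs as raw strings when AD treats them case-insensitively and clients vary the spacing. The following is an added example, not code from this thread; the area paths and group DNs are constructed placeholders, and `normalize_dn` is a simplified comparison that handles case, whitespace and escaped commas but not every RFC 4514 quoting form.

```python
"""Deny-by-default authorization of intranet areas from the user's AD group
membership. Added example, not the thread's code. Area paths and group DNs
are constructed placeholders; normalize_dn is a simplified DN comparison."""
import re

# Area -> group DNs whose members may enter. Any area not listed is denied.
AREA_GROUPS = {
    "/finance": {"CN=Finance Staff,OU=Groups,DC=corp,DC=example"},
    "/hr":      {"CN=HR Staff,OU=Groups,DC=corp,DC=example"},
    "/admin":   {"CN=Intranet Admins,OU=Groups,DC=corp,DC=example"},
}


def normalize_dn(dn):
    """Canonical form for comparing DNs: split on unescaped commas, trim
    whitespace around each RDN and its '=', and lower-case everything
    (AD DNs are case-insensitive). Simplified: quoted RDN values and
    hex-escaped characters are not handled."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def can_access(area, member_of):
    """member_of: the DN strings from the authenticated user's memberOf
    attribute. Unknown areas and empty group lists are denied."""
    allowed = {normalize_dn(g) for g in AREA_GROUPS.get(area, ())}
    if not allowed:
        return False
    return any(normalize_dn(g) in allowed for g in member_of)


if __name__ == "__main__":
    # Constructed memberOf values as a client might return them.
    groups = ["cn=finance staff, ou=groups, dc=corp, dc=example",
              "CN=All Users,OU=Groups,DC=corp,DC=example"]
    for area in ("/finance", "/hr", "/admin", "/nothing"):
        print(area, can_access(area, groups))
```

One caveat that is not visible in the code: `memberOf` lists only direct membership and omits the user's primary group, so nested groups are missed. For transitive membership, read the user's `tokenGroups` constructed attribute or query with the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule (OID 1.2.840.113556.1.4.1941) instead.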
There are several pros to using Active Directory authentication in the intranet.
Those are the main ones:
You want to keep the number of authentication stores as low as possible
Using Active Directory, users who have their desktop in the domain (as they should) will be able to use Integrated Windows Authentication. They will be able to log in without having to type their password.
An Active Directory authentication mechanism probably exists for your language
More information:
http://msdn.microsoft.com/en-us/library/ms998358.aspx
If you create a separate login system, then your users have to remember 2 different logins. Why bother, when their "real" login is right at hand?
Less code for you to write and better integration into the wider system. And, who doesn't want FEWER passwords to remember.
Definitely go for the Active Directory option, or use Active Directory as an LDAP server if whatever language you're using doesn't directly support AD. Active Directory actually makes a pretty good LDAP server.
If there is anything better that this please suggest.
OpenID?...
