Subject: [ActiveDir] Customer Portal Userids - Utilizing Email Address
jwalker34, 03/09/2010 1:27 PM

I am currently working on a project where all our customers should be able to log in to a customer portal with their email address as their login name. This has been designated as a REQUIREMENT by the portal project team. They will not accept standard userids. They have also required that these customer accounts reside within Active Directory so they can be given permissions on our current servers and applications (after authenticating through the SSL VPN reverse proxy appliance).



There is another domain admin in our organization that has discovered the user principal name will allow (if using ADSIEDIT) the use of a full email address in that field without changing the suffix. For instance, you can enter john.doe@yahoo.com so that the upn essentially becomes john.doe@yahoo.com@mycompany.com.



I believe this could be dangerous and that the upn is not meant to be formatted in this way. However, since the portal team wants it and this admin discovered it can be done, my concerns are being discounted.



Is there a problem with doing this? Is my concern valid? What solution can be used to have customers' login accounts be their email addresses and still be able to grant security permissions to domain resources? How do other organizations allow customers to authenticate with email addresses and access internal resources?

Servernet, 03/09/2010 5:20 PM

I can't shed any light on the validity of using the UPN in the manner described; however, the overall scenario suggests that this would be an ideal candidate for federation. Do you really want the account management headache of looking after who knows how many accounts when it is unlikely you'll ever be told that employees at your customers have left or have changed roles?



With regard to customers' accounts existing within Active Directory, are there not some licensing issues here, as each user would need a CAL? I recently came across a company designing a portal for external access by customers and they implemented AD LDS to host the accounts (they were too far down the development cycle to consider a federated approach... pity!).



I'm sure you'll get a reply from Laura Hunter about this, who will probably say much the same thing about federation, but with far more evangelical zeal!



Steve G
skradel, 03/09/2010 5:30 PM

On Tue, Mar 9, 2010 at 8:26 AM, Jacob Walker <jwalker34@hotmail.com> wrote:
> I am currently working on a project where all our customers should be able
> to login to a customer portal with their email address as their login name.
> This has been designated as a REQUIREMENT by the portal project team.  They
> will not accept standard userids.  They have also required that these
> customer accounts reside within Active Directory so they can be given
> permissions on our current servers and applications (after authenticating
> through the SSL VPN reverse proxy appliance).

[SK] What is the underlying authentication mechanism here? Are we
talking about forms authentication? ASP.NET or some other platform?
You should be able to configure the auth provider for most platforms
to identify users by email address, provided that emails are unique
within your directory. I believe ASP.NET ships with an LDAP
membership and role provider... I have also written a more
sophisticated federation-capable provider.

> There is another domain admin in our organization that has discovered the
> user principal name will allow (if using ADSIEDIT) the use of a full email
> address in that field without changing the suffix.  For instance, you can
> enter john.doe@yahoo.com so that the upn essentially becomes
> john.doe@yahoo.com@mycompany.com.

[SK] I do not at all like the idea of jamming "a@b.c@d.e" into the
userPrincipalName field--although I can't say if this will incur later
brokenness specific to your situation, it is not how the field is
meant to be used and is *likely* to result in trouble.

--Steve

adwulf, 03/09/2010 10:34 PM

On 9 March 2010 17:28, Steve Kradel <skradel@zetetic.net> wrote:
>
> [SK] I do not at all like the idea of jamming "a@b.c@d.e" into the
> userPrincipalName field--although I can't say if this will incur later
> brokenness specific to your situation, it is not how the field is
> meant to be used and is *likely* to result in trouble.
>

It's not unprecedented to have two '@' signs in the UPN, but I would
expect it to cause you some problems:

http://support.microsoft.com/kb/925634


--
AdamT
Among economists, the real world is generally considered to be a special case.
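The checks a directory admin would want before accepting the "a@b.c@d.e" UPN shape Steve Kradel and AdamT warn about, and the mail-attribute lookup Steve suggests instead, as an added example that is not from any poster or from Microsoft. It runs offline over constructed entries; the allowed-suffix set and all account values are assumptions.

```python
from collections import Counter

# Constructed sample directory entries (not from the thread). "jdoe2" carries
# the email@external@corp UPN shape discussed above; two pairs share a mail value.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@mycompany.com", "mail": "john.doe@yahoo.com"},
    {"sAMAccountName": "jdoe2", "userPrincipalName": "john.doe@yahoo.com@mycompany.com", "mail": "john.doe@yahoo.com"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@partner.example", "mail": "a.smith@example.org"},
    {"sAMAccountName": "bjones", "userPrincipalName": "bjones@mycompany.com", "mail": "B.Jones@Example.org"},
    {"sAMAccountName": "bjones2", "userPrincipalName": "bjones2@mycompany.com", "mail": "b.jones@example.org"},
]

ALLOWED_UPN_SUFFIXES = {"mycompany.com"}  # assumed: the forest's registered UPN suffixes


def audit_upns(users, allowed_suffixes=ALLOWED_UPN_SUFFIXES):
    """Return (sAMAccountName, reason) for every UPN that is not a single
    prefix@suffix or whose suffix is not one the forest owns."""
    allowed = {s.lower() for s in allowed_suffixes}
    findings = []
    for u in users:
        upn = u["userPrincipalName"]
        if upn.count("@") != 1:
            findings.append((u["sAMAccountName"], "upn has %d '@' signs" % upn.count("@")))
            continue
        prefix, suffix = upn.split("@")
        if not prefix or suffix.lower() not in allowed:
            findings.append((u["sAMAccountName"], "upn suffix %r not in allowed set" % suffix))
    return findings


def find_duplicate_mail(users):
    """mail values held by more than one account (case-insensitive); each one
    would make an email-as-login lookup ambiguous."""
    counts = Counter(u["mail"].lower() for u in users if u.get("mail"))
    return sorted(m for m, n in counts.items() if n > 1)


def lookup_by_mail(users, email):
    """Resolve a portal login to exactly one account via the mail attribute,
    leaving userPrincipalName alone. Ambiguity returns None, never a guess."""
    wanted = email.strip().lower()
    matches = [u for u in users if u.get("mail", "").lower() == wanted]
    return matches[0]["sAMAccountName"] if len(matches) == 1 else None
```

Run `audit_upns` and `find_duplicate_mail` against an export of the real directory before the portal goes live; any non-empty result is a design problem, not a data-entry one.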

Copyright 2009 ActiveDir.org