Commerce Server 2000: Active Directory Authentication
On This Page
.gif "Introduction")
Introduction
Active Directory in Internet Scenarios
Proposed Solution
Domain accounts
References
Introduction
Commerce Server 2000 Windows Authentication1 allows the authentication of Internet user's requests against Microsoft Active Directory Service: every access to the site is impersonated with a domain account.
A special ISAPI Filter (AuthFilter2), installed by Commerce Server 2000, realizes Windows Authentication; it uses credentials supplied by the Internet user to get Ticket-Granting Ticket3 (TGT4) from Key Distribution Center5 domain service. (It is implemented by one of the Domain Controllers installed in the domain.)
In an Internet scenario, Active Directory authentication provides great benefits, but it can also introduce some limitations and constraints. In circumstances in which there are many users and several concurrent accesses, Active Directory authentication may limit the use of the services that are provided.
The main issues introduced in this paper are:
scalability of the user provisioning service,
domain data replication delay (introduced by Domain Controllers replication process in case of distributed6 Active Directory architecture).
This document analyzes these two problems in depth and describes a solution to them.
.gif "Top of page")
Top of page
Active Directory in Internet Scenarios
With Active Directory authentication, Internet user's requests are "impersonated" using specific domain account credentials.
This type of authentication provides some key benefits:
Integrate Active Directory-enabled services (that require a domain account, for example Internet Mailbox service provided by Exchange 2000)
Configure ACL (Access Control List) makes it possible to set the most granular access permission to thec resources.
With these benefits, it is possible to deliver all types of services easily across the Internet without any restrictions.
The use of Active Directory also introduces some typical constraints, due to its hierarchically distributed architectures:
- Scalability: Each Domain Controller can guarantee up to 35 LDAP adds (creation of new users) per second (the performance for the read operations competes with SQL Server);
Replication Latency: In a scenario in which there are many domain controllers, the attributes7 stored in the Active Directory are updated directly in only one domain controller. The domain information is then replicated, with a delay of up to 15 minutes, to all domain controllers, thereby synchronizing the same managed credentials.
The scalability constraints of a domain controller would introduce limitations about usability of the user provisioning service. In an Internet scenario with lots of concurrent accesses, the constraint would limit the use of a registration service.
To supply a more scalable and reliable service (one that guarantees it is "always" working), the Active Directory architecture should be distributed on many domain controllers. But this introduces a domain information replication latency problem: only one domain controller handles updates (especially new user creation) and, during the replication period, the new information should not be stored in any other domain controllers.
When a new user is generated, his or her domain account is created in only one domain controller Thus, during the domain replication latency period, other domain controllers should not yet contain the new user's credentials. When a user logs on, WindowsLocatorService, querying the DNS or via NetBIOS, gets to Commerce Server AuthFilter the specific domain controller used to authenticate the requests. For that reason, AuthFilter authentication uses only one domain controller at a time, thus, during the domain replication period it would look for the user credential in a domain controller that does not yet have it and cannot impersonate the request, nonetheless the user's account is already present in the domain.
The above brief description emphasizes the need to build specific solutions to avoid the constraints and limitations introduced by using Active Directory in an Internet scenario.
Top of page
Proposed Solution
Main Features
To avoid the limitations described in the previoussection, this paper proposes a solution based on these features:
Authentication with proxy account8 : the user's requests are authenticated using a "service" account, which is different from the real domain user's account. The service account is used to impersonate the user's requests only during the domain controllers replication period to avoid accessing to the real user's account credentials that have not yet replicated on all domain controllers;
Asynchronous user creation process (using a store and forward architecture): the user's profile is created separately from the domain account in the Active Directory. That separation is implemented using a queue to store the account creation requests. Because domain controllers are not involved immediately, Internet users are spared a long wait.
Implementation
To separate the user's profile from the domain account used to impersonate the user's requests, a proxy account authentication is used. As described earlier, this special authentication solves the domain controller's data synchronization latency problem or "transition period".
The use of a service domain account (a proxy account that is different from the user's account) during the transition period introduces a limitation: users cannot access services that need their real domain accounts: for examples change password, mailbox folder, and so on.
During the same navigation session, the user is always authenticated with the unchanged domain account. Therefore, until the transition period ends during the session, the user's requests are always impersonated by the service account. It should be possible to use the user's real domain account; the authentication with that real account will occur at next logon. During the session some services that require a specific user security credential should be disabled. However, generic services that do not require a specific user security credential can proceed. The change of impersonation account during the navigation session is very complex (every page should check if the latency period has already occurred), and it will introduce an unacceptable overhead with respect to the benefits.
The Commerce Server authentication service is configured to Windows Authentication. It uses the ISAPI Filter (AuthFilter) to authenticate the user's requests and to check the user's authentication session information.
.gif "Figure 1: Authentication and personalization architecture.")
Figure 1: Authentication and personalization architecture.
See full-sized image.
.jpg)
The user profile is build to store a user's data only in the database. This feature separates the profile from authentication and guarantees that the user's profile is always accessible, even during the transition period. To know which domain account to use, the user's profile contains some specific, recognizable attributes:
The account_registration_status attribute is initialized to DB_Only by the synchronous provisioning component (Provisioning.User9); it is updated to AD_Latency by the asynchronous component (QCProvisioning.User10) after the account has been created by Active Directory. Therefore, the attribute is set to AD_latency during the transition period and is updated to "Normal" by the authentication ASP page after the domain replication latency has ended.
The authentication type-checking process11 is written entirely inASP code in the authentication functions used by the Logon.asp page.
The authentication ticket (Auth Ticket) used by Auth Filter to check the user's authentication information contains:
The UserID (GUID) from the user's profile (GeneralInfo.user_id). This is the main piece of information stored in the ticket (using AuthManager::setAuthTicket function), and the same information is stored in the MSCSAuth and MSCSProfile cookies, therefore guaranteeing that users are tracked accurately12 .
Property (called LogonName) containing the user's logon name (GeneraInfo.user_name). This property allows immediate access to the user's name in every page without accessing the user's profile.
Property (called SessionType) containing information about the type of authentication used for the user's requests. As already described, the user is always impersonated with the unchanged domain account during the same navigation session. To avoid changing the impersonification type during the same user's session, the authentication functions (used by the Logon.asp page) use this property to check the type of impersonification (normal with the real user's domain account, or service with the service domain account) it must use in the entire Web farm. The attribute should have the following values:
- A property (called guid) containing the user's authentication session id is used to avoid the distributed denied of service attack13 .
.gif "Figure 2: Authentication process.")
Figure 2: Authentication process.
See full-sized image.
To separate the creation of the user's profile from the user's domain account during the user creation process, the insertion in the Active Directory is done asynchronously by a queued componentthat uses ADSI (Active Directory Service Interfaces14). The component is configured in a server COM+ application with component execution identity set to a domain user administrator of the Organization Unit (or sub tree) where the users are stored15.
To create the new account, the component makes an ADSI bind with implicit authentication16 to the Web user's container. A Serverless LDAP Path is used to connect the component to the Active Directory. This feature avoids having a single point of failure (the server-oriented LDAP path uses a specific domain controller). To create the account and change the password, the above methods of ADSI persistent interfaces are used:
IADsContainer::Create()
IADsUser::SetPassword()
All user data is handled by two components:
Provisioning.User: A Visual Basic component handles the user's profile data on the database. The Visual Basic component is always called synchronously by ASP pages and is configured in the library COM+ Application. It accesses the user profile through the Commerce Server Profile User Object or by directly using OLEDB Provider for SQL Server. It does not directly use Active Directory; any changes to Active Directory are made by calling the ADProvisioning component.
ADProvisioning.User: A Visual Basic component handles the user's data stored on Active Directory. It is called synchronously for password changes and asynchronously for the user's account creation. It's a queued component that is configured in a COM+ Server Application running with the user's OU administrative rights.
.gif "Figure 3: New user creation process 17.")
Figure 3: New user creation process17.
See full-sized image.
The ADProvisioning.User::Add() updates two transactional stores (SQL Server and MSMQ) and a non-transactional store (Active Directory). Therefore, it updates the database first and the Active Directory last. If the component fails and aborts a transaction after a successful update to the Active Directory, the database rollbacks the update, MSQM puts the message in the retry queue, but the Active Directory will still maintain the new value (Active Directory has no transaction rollback facility). When the COM+ listener reads the message from the retry queue and calls the ADProvisioni.User::Add method again, the component fails when it creates the account in the Active Directory (using IADsContainer::Create method) because it has already been created. Therefore, after an IADsContainer::Create failure, the component should check if the account is already present in the domain and set its password. This behavior works only if the component sets the user's password using IAdsUser::setPassword instead of IADsUser::ChangePassword.
Because the account is created asynchronously in the domain, all errors generated by QCProvisioning.User::Add are not communicated directly to the user. To allow the user's domain account to be created, the system should guarantee the uniqueness of Web accounts with respect to others domain accounts (Web accounts' uniqueness is guaranteed by the profile table in the database).
The user's password is stored in the unicodePwd attribute (of the Active Directory user class), and it is not affected by the domain replication latency problems that affect other attributes18. Therefore, the method that changes the password (ADProvisioning.User::ChangePassword) could be called synchronously. As described above, the ADProvisioning component runs in server COM+ application configured with a domain account identity with enough rights to run IADUser::setPassword method.
.gif "Figure 4: Change password process 1920.")
Figure 4: Change password process1920.
See full-sized image.
Top of page
Domain accounts
Active Directory contains accounts that are not provisioned directly by Web channel (for example, administrative domain accounts). This characteristic introduces the account duplication problem: Internet users may register themselves using logon names that are already present in the domain.
Using asynchronous provisioning, the problem could disable some services for users who are registered using a duplicate logon name: if a user tries to register with a logon name that is already present in the domain (but not provisioned by the Web channel), the Provisioning.User component creates the user profile successfully in the database and sends a message to the QCProvisioning.User component. When QCProvisioning is asynchronously called, it cannot create the account in the domain, and the user's account_registration_status attribute will contain a DB_Only value forever (the user's profile has already been created but the user's domain account does not yet exist). Therefore, the user is always impersonated by the service account and cannot use any Active Directory-enabled services that require the user's real account.
To avoid this limitation, the provisioning service should guarantee uniqueness of the logon name between the profile database (users registered by Web channel) and the domain accounts of other users.
There are a few ways to achieve this uniqueness:
Introduce constraints to differentiate the users who are provisioned by the Web channel from other users. For example, use a unique prefix for the logon name of Internet users. This solution guarantees uniqueness but introduces restrictions to the acceptable logon name21 .
Maintain a block list of logon names that are not usable by the Web channel. The block list contains all logon names used by other domain accounts, and it must be synchronized with accounts created in the domain.
Use the new Kerberos22 authentication type: UPN (User Principal Name23 ) authentication. UPN authentication, unlike the classic netBIOS, uses the userPrincipalName24 attribute to authenticate users; it can be personalized and does not have any restrictions.
UPN (User Principal Name) authentication
The UPN is an Internet-style logon name for the user, based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and is easier to remember. By convention, the UPN should map to the user's e-mail name. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name. The UPN is the preferred logon name for Windows 2000 users. Users should be using their UPN to log on to the domain.
At logon time, a UPN is validated, first by searching the local domain, then by searching the Global Catalog (GC)25. Failure to find the UPN in the local domain or the GC results in rejection of the UPN. The UPN can be assigned, but is not required, when the user account is created. Once assigned, the UPN is unaffected by changes to other properties of the user object (for example, if a parent domain was renamed or a domain was moved). Thus, a user can keep the same logon name, although the directory may be radically restructured.
Note that the UPN is a string property that can contain any string value, and it can be administratively changed at any time.
The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountName property of the user) and the domain tree name to which the user belongs in the following form: Name@treeName.
The treeName is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user. However, the treeName portion of the UPN must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes property of the Partitions container within the Configuration container. You can add or remove UPN suffixes by modifying the upnSuffixes property. Usually, the treeName is the name of the first domain in the first tree of the forest.
When creating a new user object, you should check the local domain and the Global Catalog for the proposed name to ensure that it does not already exist26.
Thus, generally a User Principal Name (UPN) is composed of a user account logon name and user principal name suffix joined by the "@" sign (for example: fabiochi@europe.corp.microsoft.com). The UPN allows for a simplified logon. Because the user principal name provides the ability to perform a single logon anywhere in the enterprise, the UPN is required to be unique across the entire Microsoft Windows 2000 forest27.
The tidiest way to guarantee the domain account uniqueness is to use UPN authentication.
The profile system is based in a database that guarantees user logon name uniqueness28,so the users provisioned by the Web channel cannot have a duplicate logon name.
To preserve the uniqueness constraints and the authentication functions, the account must have unique a distinguished name29 (DN), unique sAMAccountName, and unique userPrincipalName.
Because the container name is unique by default (although the container did not be created), a unique distinguished name requires a unique common name30 (CN) on the same container. The profile database guarantees logon name uniqueness, because CN is valued by the logon name. Using a special container (or a subtree) to store the Web user's domain account assures distinguished name uniqueness in the forest. For example, the Web user's accounts are stored in a container like this: UO=WebUsers, OU=Portal, DC=CompanyDomain, DC=net.
Using this constraint, two users (one of administrative type and one from the Web) with the same CN could coexist in the same domain with different distinguished names:
CN=Administrator,CN=Users,DC= CompanyDomain,DC=net
CN=Administrator,CN=WebUsers,DC= CompanyDomain,DC=net
Because SAMAccountName is used by Down-Level Authentication, the SAMAccountName must be unique in the domain: Web users' accounts use a random id for this property to guarantee its uniqueness (the id should be any 20-character string that is generated randomly). This characteristic hinders the use of the logon name in the property.
To guarantee correct authentication, users must have a unique userPincipalName in the forest. If two or more users have the same UPN, the Windows 2000 SSPI can log on one of them only (generally, the first created). To guarantee this constraint, the Web users are created with a special UPN suffix used only for accounts that are provisioned by the Web channel. Because Web users cannot have duplicate logon names, this constraint assures the uniqueness of UPN.
As an example, in a domain called CompanyDomain.net, the Web user could use the web.CompanyDomain.net UPN suffix. Therefore, two users with the same logon name have different UPN properties:
Domain user Administrator administrator@CompanyDomain.net
Web user Administrator administrator@web.CompanyDomain.net
and they could logon with no problem.
In brie,f the Web user fabiochi should have these property values:
| Logon Name | fabiochi |
| CN | fabiochi |
| DN | CN=fabiochi,OU=WebUsers,
DC=CompanyDomain,DC=net |
| sAMAccountName | 03012001120159122fab |
| userPrincipalName | fabiochi@web.CompanyDomain.net |
Therefore, UPN authentication have these benefits:
and these issues:
Summary
It is possible to provide a solution using Active Directory security and authentication integrated with Commerce Server 2000 for an Internet scenario overcoming the following issues:
Top of page
References
Microsoft Commerce Server 2000 Documentation
Microsoft Corporation
Microsoft Commerce Server 2000 Resource Kit Documentation
Microsoft Corporation
Microsoft Commerce Server 2000 Solution Sites Documentation
Microsoft Corporation
Microsoft Developer Network Library
MSDN
Microsoft System Journal
MSJ
Understanding Active Directory Services
Daniel Blum - 1999 Microsoft Press
| 1 | See Windows Authentication – Microsoft Commerce Server 2000 Documentation |
| 2 | See AuthFilter – Microsoft Commerce Server 2000 Documentation |
| 3 | See Exploring Kerberos, the Protocol for Distributed Security in Windows 2000 – Microsoft System Journal August 1999 |
| 4 | See Ticket-granting Tickets – Microsoft Developer Network Library [MSDN] |
| 5 | See Key Distribution Center - Microsoft Developer Network Library [MSDN] |
| 6 | Active Directory managed by several Domain Controllers. |
| 7 | Except for the user's password attribute, see later. |
| 8 | See Proxy Accounts – Microsoft Commerce Server 2000 Documentation |
| 9 | See Figure 3. |
| 10 | See Figure 3. |
| 11 | The authentication type checking process chooses the domain account used to impersonate the requests: normal account (real user's domain account) or service account. |
| 12 | A user who visits a site anonymously receives an MSCSProfile ticket. If the user decides to register, he receives an MSCSAuth ticket. The user now has two cookies in the HTTP header containing different tickets. The order of the tickets is unknown and can vary between requests. The AuthFilter is aware of this and automatically searches all cookies for an MSCSAuth ticket before searching for an MSCSProfile ticket. Both cookies are logged in the Web log file in the order they appear in the HTTP request header. The Web server log import DTS task imports the first cookie it finds. The one user can appear to be two users to the DTS task if it finds hits in the log file with the cookies in different orders. This compromises the ability to track the user and may produce erroneous visit and user calculations. The solution is to map the user IDs from both the MSCSAuth ticket and the MSCSProfile ticket to the same user ID. See Windows Authentication with Autocookie mode – Microsoft Commerce Server 2000 Documentation. |
| 13 | A distributed denial of service (DDOS) attack is an attempt to shut down a server by repeatedly logging on with a known valid user ID and incorrect password. By default, the AuthFilter does not associate each password cache entry with one, and only one, client session. When a user logs on with a valid user ID, the password cache is updated with the submitted password. A malicious user can use this technique to disrupt service. The malicious user does not gain entry to the site, but forces a registered user that is active when the password is changed, to login again. To avoid the attack, the AuthFilter can store an additional property in the cache besides the user ID and password. This property is generally a globally unique identifier (GUID) and is used to distinguish between different client sessions using the same user ID and possibly different passwords. On the login page, the GUID is placed on the ticket of the user as a custom property, guid, by the SetProperty method of the AuthManager object. Additionally, the property is appended to the query string for the redirected URL. Once set, the AuthFilter uses the guid property to access the password cache instead of the user ID. When a user logs on with the same user ID but with a different password, the AuthFilter identifies this as a different user and a new entry is made in the password cache instead of overwriting the original password. The AuthFilter then follows the same steps as for a new user. See Distributed Denied of Service Attack - Microsoft Commerce Server 2000 Documentation. |
| 14 | See Active Directory Service Interfaces – Microsoft Developer Network Library [MSDN] |
| 15 | The domain Organization Unit used for the users must delegate to the identity user of the COM+ application at least these functions: create, delete and manage user accounts, reset password on user account e read all user information. |
| 16 | With the implicit authentication mode, the ADSI uses the security context of the running thread to access to Active Directory via LDAP. |
| 17 | IADsUser::setPassword needs that the calling thread should run with security context of domain user with enough rights. |
| 18 | Password changes are replicated differently than normal (non-urgent) replication and urgent replication. Changes to security account passwords present a replication latency problem wherein a user's password is changed on domain controller A and the user subsequently attempts to log on, being authenticated by domain controller B. If the password has not replicated from A to B, the attempt to log on fails. Active Directory replication remedies this situation by forwarding password changes immediately to a single domain controller in the forest, the PDC emulator. In Windows 2000, when a user password is changed at a specific domain controller, that domain controller attempts to update the respective replica at the domain controller that holds the PDC emulator role. Update of the PDC emulator occurs immediately, without respect to schedules between sites on site links. The updated password is propagated to other domain controllers by normal replication within a site. When the user logs on to a domain and is authenticated by a domain controller that does not have the updated password, the domain controller refers to the PDC emulator to check the credentials of the user name and password rather than denying authentication based on a non valid password. Therefore, the user can log on successfully even when the authenticating domain controller has not yet received the updated password. See Advanced Replication Management – Microsoft Developer Network Library [MSDN]. |
| 19 | Because the update (done by Provisioning.User::ChangePassword method), for transactional reasons (see footnote 20), is not implemented via Profile Service (it uses ADO/OLEDB provider directly) it doesn't affect the Profile Service cache. Therefore, the method has to change the Profile Version cookie to guarantee the update of the caches at next profile data access. |
| 20 | The Profiling System, by default, does not transact write operations across multiple data stores. More specifically, it does not support executing a two-phase commit protocol across transactional data stores. The Profiling System provides loose support for transactions. The data aggregation layer brackets INSERT, UPDATE and DELETE data store operations that aggregate across multiple stores in a transaction, and commits them only after all data store operations have succeeded against non-transactional data stores (such as directory stores). See Transaction Support – Microsoft Commerce Server 2000 Resource Kit Documentation. |
| 21 | The most common authentication type (netBIOS or Down-Level Logon Name) uses Active Directory sAMAccountName attribute to authenticate the account. The sAMAccountName property should be less than 20 characters (see Structure and Content Rules – Microsoft Developer Network [MSDN]) to support clients and servers that cannot handle longer account names; it must be also unique among all security principal objects within a domain container. See sAMAccountName – Microsoft Developer Network [MSDN]. |
| 22 | See Kerberous Authetentication Protocol - Microsoft Developer Network [MSDN] |
| 23 | See User-Principal_Name – Microsoft Developer Network [MSDN] |
| 24 | See User Principal Name – Microsoft Developer Network [MSDN] |
| 25 | For this reason Down-Level Logon authentication is cheaper respect UPN. The overhead is added only to obtain the Ticket Granting Ticket from Key Distribution Center (when the TGT is cached the both authentication have the same overhead). |
| 26 | See Possible Duplicates User Principal Name (ID:251359) – Microsoft Developer Network [MSDN]. |
| 27 | See Users Can Log in Using Name or User Principal Name (ID: 243280) – Microsoft Developer Network [MSDN] |
| 28 | The user_logon_name column has a unique index. |
| 29 | Distinguished name is a name that uniquely identifies an object by using the relative distinguished name for the object, plus the names of container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. An example of a distinguished name is CN=fabiochi, CN=Users, DC=europe, DC=corp, DC=Microsoft, DC=com. |
| 30 | See Common-Name – Microsoft Developer Network [MSDN] |
Top of page