
Active Directory (AD) Authentication Application Requirements

Contents
Active Directory (AD) Authentication Application Requirements (p. 1)
Overview (p. 2)
Requirements (p. 2)
   Development Environment (p. 2)
   Coding Language (p. 2)
   Database (p. 2)
   Application Type (p. 2)
   Third-Party Libraries (p. 2)
   Design (p. 2)
      Client Code (p. 2)
      Server Code (p. 3)
      Database (p. 4)
Deliverables (p. 4)
Version History (p. 4)
Overview
This document sets forth requirements for a simple application that will use LDAP (more specifically
Active Directory, AD) for authentication. The application requires the user to log in with a username and
password. The credentials are passed to a (configurable) LDAP endpoint, which determines
whether or not the user is authenticated.

This application serves to demonstrate that an MVC application may authenticate against Active Directory,
permitting a user to sign in with AD credentials rather than credentials stored in a user store specific to
that application.

Requirements
Development Environment
Visual Studio 2015 or later

Coding Language
C#/.NET.

Database
MS SQL 2008 or later

Application Type
MVC

Third-Party Libraries
Any third-party libraries, tools or add-ons used in this design must be authorized in advance by Employer
to ensure that they fit within Employer cost and security policies.

Design
As an MVC application, this design includes client- and server-side code.

Client Code
Client code presents an HTML UI with two tabs:

1. Configuration tab

   a. The configuration tab contains entries permitting the user to configure the following information:

      - Host (the Active Directory server) – text entry
      - Port (389 for non-SSL or 636 for SSL) – text entry
      - Bind DN (the DN of the account used to access the domain) – text entry
      - Bind Password (the password for the Bind account) – text entry
      - User base DN (the DN where the user accounts are located; LDAP queries will run only within this DN) – text entry
      - User base filter (allows for filtering the search of the above DN) – text entry
      - User name attribute (sAMAccountName is the standard choice; this is an LDAP attribute that every account has, and its value would be something like “mdroppo”) – text entry
      - Real name attribute (cn is the standard; its value would be something like “Michael Droppo”) – text entry
      - Static member attribute (member or memberOf are the basic values; these allow the use of security groups to specify users) – text entry
      - Allow nested groups (this allows a group within a group instead of just a group of user accounts) – checkbox
      - Search limits
         o request size limit – text entry
         o request time limit to prevent runaway or looped searches – text entry
         o network timeout to prevent hung connections – text entry

   b. The configuration tab additionally contains two buttons:

      i. Save – when clicked, all configuration information is sent to the server to be stored in the database (see Server Code section 1).
      ii. View – when clicked, the currently saved configuration information from the database is displayed, along with the specific LDAP query that would be used for AD authentication based on that information.

2. User login tab

   a. The user login tab presents the user with entries for username/password.
   b. The user login tab additionally contains a Submit button. When clicked, the username/password are sent to the server (see Server Code section 2).
      i. If the server authenticates the user, then the user is redirected to a URL presenting the message “Successfully Logged In!” as well as the LDAP query string used for authentication.
         1. The URL presenting the success message must be protected, such that if a non-authenticated user attempts to access it, the user will be denied.
      ii. If the server rejects the user credentials, then a “Failed Authentication” message is presented to the user, along with any specific error codes or messages relevant to the failure.

Server Code
Some behaviors of the View and Controller (the ‘VC’ in MVC) are largely implied by other
requirements in this document. This section is not a comprehensive description of the server
code; rather, it highlights server-side (primarily View and Model) behavior
specifically tied to the client-side button-click events defined in the Client Code section.

1. Configuration Save – when a user saves LDAP configuration information (see Client
Code section 1.b.i), the information is stored in a SQL table.
2. User Authentication – when a user submits credentials for authentication (see Client
Code section 2.b), the LDAP configuration information stored in SQL, together with the
credentials passed on login form submit, is used to construct an LDAP query
string to request authentication from the configured LDAP endpoint.
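The following is an added illustration of step 2 (not code from this document or its authors): it builds the LDAP query string from the stored configuration and the submitted username, then performs the two-bind flow against AD using System.DirectoryServices.Protocols. The LdapSettings class is a hypothetical stand-in for the values the Configuration tab stores in SQL; the escaping and the empty-password check are the two points a reviewer would look for, since the username comes straight from the login form.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;
// Hypothetical settings holder mirroring the Configuration tab entries the app stores in SQL.
public sealed class LdapSettings
{
    public string Host, BindDn, BindPassword, UserBaseDn;
    public string UserBaseFilter = "(objectClass=user)", UserNameAttribute = "sAMAccountName";
    public int Port = 636, SizeLimit = 2, TimeLimitSeconds = 10, NetworkTimeoutSeconds = 15;
}
public static class AdAuthenticator
{
    // RFC 4515 escaping: the username comes from the login form, so a raw value such as
    // "*)(objectClass=*" would otherwise rewrite the filter (LDAP injection).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            sb.Append("*()\\\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }
    // The LDAP query string that the View button displays and Authenticate() actually runs.
    public static string BuildUserFilter(LdapSettings s, string userName) =>
        "(&" + s.UserBaseFilter + "(" + s.UserNameAttribute + "=" + EscapeFilterValue(userName) + "))";
    public static bool Authenticate(LdapSettings s, string userName, string password, out string message)
    {
        // An empty password turns a simple bind into an anonymous bind, which AD accepts; reject it up front.
        if (string.IsNullOrEmpty(password)) { message = "Failed Authentication: empty password"; return false; }
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(s.Host, s.Port)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = s.Port == 636;  // LDAPS keeps both binds off the wire in clear
            conn.Timeout = TimeSpan.FromSeconds(s.NetworkTimeoutSeconds);
            conn.AuthType = AuthType.Basic;                         // simple bind using full DNs
            try
            {
                conn.Bind(new NetworkCredential(s.BindDn, s.BindPassword));   // 1) service-account bind
                var req = new SearchRequest(s.UserBaseDn, BuildUserFilter(s, userName), SearchScope.Subtree, "distinguishedName")
                    { SizeLimit = s.SizeLimit, TimeLimit = TimeSpan.FromSeconds(s.TimeLimitSeconds) };
                var res = (SearchResponse)conn.SendRequest(req);             // 2) locate exactly one user
                if (res.Entries.Count != 1) { message = "Failed Authentication: no unique match"; return false; }
                conn.Bind(new NetworkCredential(res.Entries[0].DistinguishedName, password)); // 3) prove the password
                message = "Successfully Logged In!";
                return true;
            }
            catch (DirectoryException ex) { message = "Failed Authentication: " + ex.Message; return false; }
        }
    }
}
```

The string returned by BuildUserFilter is the one the View button and the success page can safely show; the bind password read from SQL and the user's submitted password never belong in that displayed string.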

Database
The developer may use any SQL table structure that makes sense to achieve the necessary
functionality. However, the developer may not use SQL stored procedures or other database logic;
SQL is to be used only as a repository for data, not as a logic engine.

Deliverables
Upon project completion, the developer will provide:

1. a working demonstration of the project, via Skype or in person as appropriate
2. a code review
3. source code and any documentation associated with project completion

Version History

Version  Author                         Notes          Date
0.9      Matt Oefinger, Michael Droppo  Working Draft  8/8/2017
