A Plumber's Confessions

The blog of Doug Lawty, Microsoft Services Infrastructure Consultant


Active Directory Application Mode (ADAM) -- Just Say Maybe


Last year Microsoft released another great tool for Plumbers to keep in their toolbox: Active Directory Application Mode (ADAM).

The "sweet spot" for ADAM is as LDAP-based storage for your custom applications -- applications that would otherwise request schema extensions to AD. There will be times when ADAM is the perfect tool for the job. (For more information on ADAM, you can read the introductory white paper.)

However, if you find yourself saying, "This is great! I'm going to use this because setting up a domain controller is just too hard," then I'd like to challenge your thinking. If your job is primarily authentication, your tool should be Active Directory domain controllers.

Support for the extranet authentication scenario (mentioned in the ADAM white paper) is nice. But only if you are really committed to using LDAP simple binds for authentication and don't need any of the other authentication features built into Active Directory. This is often the case if you're using a web SSO product like those from OpenNetwork, Oblix, or Netegrity.

Some of the authentication features that you'll be missing are:

  • Kerberos (Remember, LDAP simple binds send your password in the clear.)
  • Delegation (Whether or not you choose to support this in your infrastructure will affect the architecture of all your applications. You have included the dev teams in making these decisions, right?)
  • Windows integrated authentication with IIS (including digest).
  • Certificate-based authentication (including the use of SmartCards).
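To make the parenthetical about simple binds concrete, here is an added example for this edit (not code from the original post, and not Microsoft's or ADAM's code): it BER-encodes an LDAPv3 simple BindRequest exactly as RFC 4511 lays it out, decodes it again, and then applies the check a defender actually wants, flagging any simple bind that is not carried over LDAPS or StartTLS. The DN, password and message ID are constructed sample values.

```python
# Added example (not from the original post): build and inspect an LDAPv3
# simple BindRequest (RFC 4511) to show that the password is carried as plain
# bytes. Only the transport (LDAPS/StartTLS) or a SASL mechanism protects it.

def _ber_len(n: int) -> bytes:
    """BER definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(v: int) -> bytes:
    """Universal INTEGER (tag 0x02), minimal two's-complement content."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER (3), name LDAPDN (OCTET STRING),
        authentication CHOICE { simple [0] OCTET STRING, ... } }"""
    bind = (_ber_int(3)
            + _tlv(0x04, dn.encode("utf-8"))          # name: UNIVERSAL OCTET STRING
            + _tlv(0x80, password.encode("utf-8")))   # simple: [0] context-specific primitive
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))  # 0x60 = [APPLICATION 0] constructed


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg: bytes) -> dict:
    """Decode an LDAPMessage holding a BindRequest; SASL binds use tag [3] (0xA3)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode("utf-8"),
        "auth": "simple" if auth_tag == 0x80 else "sasl",
        "credential": cred,   # for a simple bind this IS the password, byte for byte
    }


def audit_bind(msg: bytes, transport_encrypted: bool) -> str:
    """Policy check a directory or IDS would apply: simple binds only over TLS."""
    req = parse_bind_request(msg)
    if req["auth"] == "simple" and not transport_encrypted:
        return f"RISK: simple bind for {req['name']} sends the password in the clear"
    if req["auth"] == "simple":
        return f"OK: simple bind for {req['name']} protected by TLS on the wire"
    return f"OK: SASL bind for {req['name'] or '(mechanism-supplied identity)'}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    wire = simple_bind_request(1, "CN=alice,OU=Users,DC=example,DC=com", "Hunter2!")
    print(wire.hex())
    print("password visible in packet:", b"Hunter2!" in wire)
    print(audit_bind(wire, transport_encrypted=False))
    print(audit_bind(wire, transport_encrypted=True))
```

The point the check makes is the one the list item makes: nothing in the bind itself hides the password, so an ADAM deployment that relies on simple binds has to enforce LDAPS or StartTLS (or a SASL mechanism such as GSSAPI, which is how a Kerberos-backed bind to AD avoids the problem) at the directory or the network, and a packet-level audit like this one is how you verify that the policy actually holds.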

Also, you may find that AD as a solution is better supported...

  • Fast backup and restore (Although... ADAM does support VSS and a similar technique should be theoretically possible.)
  • More robust tools for health monitoring.
  • Active Directory Users and Computers. That's right -- we don't ship a simple GUI for managing users in ADAM.

When using Active Directory, developers will have the choice of which authentication scheme is most appropriate for their application. Most (all?) of Microsoft's own server applications will continue to be written to use Windows principals (AD users) and rely on a richer authentication method than an LDAP simple bind.

So, if you were building an authentication service, why wouldn't you want to use the option that is the most full-featured and best supported?

In the future, I'll address some of the objections to using Active Directory for the extranet access management scenario and try to debunk the myth that managing ADAM for that role would be easier.

  • I subscribe to Eric Fleischman's blog (http://blogs.msdn.com/efleis) and should have read it before posting this entry. It's pure coincidence that we are both writing about ADAM. Given what he just said about it (http://blogs.msdn.com/efleis/archive/2004/10/06/238518.aspx) and the fact that he just warned me, I expect he's going to disagree with me. :-)

  • Guilty as charged. :)
    I replied a bit here: http://blogs.msdn.com/efleis/archive/2004/10/06/238850.aspx

    At the end of the day, I agree with the spirit of your comments, Doug, but I do disagree with some of the points along the way. And I think that there is a story for ADAM user auth that is worth considering.

  • On ADAM user authentication….