1

Can someone tell me how Active Directory stores it's passwords for users?

Is it like this answer : storing passwords in SQL Server

Is it a hash and a salt or multiple hashes?

EDIT

I ask because I want to mimic the way they store them for a custom authorization application I want to build. Or if someone can offer a existing framework or class that handles user authorization for a web application. If I can use asp.net membership for multiple applications using web service that would be even better.

Community
  • 1
  • 1
FarFigNewton
  • 7,108
  • 13
  • 50
  • 77
  • The Question even exists [here](http://stackoverflow.com/questions/833835/active-directory) and **for me** the right answer is "Administrators do not have access to users passwords, only the ability to change them." – JPBlanc Apr 21 '11 at 16:00
  • I updated by question. I'm not looking to find out that a password is. – FarFigNewton Apr 21 '11 at 17:47

2 Answers2

2

The best way to mimic the way Microsoft store the password for a custom authorization is to setup Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008 R2 or Active Directory Application Mode (ADAM) on Windows Server 2003. LDS and ADAM are Lightweight Directory Access Protocol (LDAP) directory services in the Windows Server 2008 R2 and Windows Server 2003 operating system that provides flexible support for directory-enabled applications, without the dependencies and domain-related restrictions of Active Directory Domain Services (AD DS). You can run them on member servers or stand-alone servers. You can also run multiple instances of AD LDS—each with its own independently managed schema—on one server.

Using Fine-Grained password policies which is provided by AD DS of Windows Server 2008, you can have different password policies. However, the AD LDS doesn't provide the function of Fine-Grained password policy. But you can install your LDS on a Workgroup server it will have his own policy.

JPBlanc
  • 70,406
  • 17
  • 130
  • 175
  • Great answer to take advantage of AD directly. – Chris Marisic Apr 21 '11 at 18:37
  • We currently are using this model for another project. Currently the password length and complexity are set for the entire server. My question is, can I have separate security policies for each instance? – FarFigNewton Apr 21 '11 at 18:43
0

Use the ASP.NET SqlMembershipProvider It will do encrypted 2-way passwords or salted one-way hashes (I prefer the 1-way hash myself).

You can use the aspnet_regsql.exe tool in your C:\Windows\Microsoft.NET\Framework\vX.XXX folder to create the database schema for you.

I would not recommend rolling this by hand. There are a lot of gotchas which have already been solved by others.

Mike Marshall
  • 7,788
  • 4
  • 39
  • 63