Sun, Jul 31 2005 12:56 AM
Rob van der Meijden
Authorization Manager (AzMan): an implementation scenario
This article describes a possible implementation scenario with Windows 2003 Authorization Manager (AzMan) in a web service environment with a load balancer. To create the right context for this article, be sure that you are familiar with the following writings:
Scenario
The application only contains a number of web methods divided across different entry points and servers (WS1, WS2). These entry points represent the types of users we recognize. The users can only connect with a valid X509 certificate. These certificates are offloaded by the load balancer on the wire and put in the HTTP header before the request reaches our web servers (WS1, WS2). The load balancer is used to balance the load between the web services (duh), to verify the X509 certificates and to relieve the web servers. The end-users must be authorized against the Active Directory (AD) server with the help of AzMan.

Issues
- Normally we would use the X509 certificate from the message to authenticate the user against AD, and once the user is authenticated the right authorizations can be given. However, in this scenario the X509 certificate has been put into the HTTP header; to use it again we would have to recreate an X509 object from the HTTP header. We don't want to do this because of the performance penalty (one of the reasons to use this load balancer in the first place).
- The users have different roles, and these roles must be authorized for the various web service methods.
Solution
- As noted under issue 1, we don't want to recreate the X509 certificate in the web server to know which user is connecting. At this point we know it is a valid user (verified by the load balancer). We use the information in the HTTP headers to look up (LDAP query) the user in the Active Directory of our domain server. One small requirement, however: this information must be unique within the set of connecting users. For this example we use the distinguished name carried in one of the HTTP headers.
- For a change we do not start building our own authorization store but use the one that is part of Windows 2003: Authorization Manager, aka AzMan. Using Authorization Manager you can define roles and the tasks those roles can perform, which is exactly what we need.
Installing AzMan on Windows XP
When you're using Windows XP (SP1 and later) as the development platform you will have to install the Windows Server 2003 Administration Tools Pack (see Nihit Kaul's WebLog and How to Install the Windows Administrative Tools Pack) to get AzRoles.DLL (%windir%\system32\azroles.dll), which you can develop against.
The AzMan helper
I created an AuthorizationHelper to abstract the 'how' of authorization for this scenario. The only things the application needs to know are two enums and two methods from this helper. See the class diagram.

So, for this scenario the constructor of the helper needs the distinguished name to search for the Active Directory user account. Once the helper is created (and the user authenticated), the methods IsAuthorized and IsInRole can be used to do the various authorization checks in your app. These authorizations can be managed with Authorization Manager (Start -> Run -> azman.msc), see the screenshot.
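As an added illustration (not the downloadable helper), this is how such a helper can be built on the AzMan COM interop plus System.DirectoryServices: the constructor resolves the header DN to exactly one AD account and opens an AzMan client context, and the two methods wrap GetRoles and AccessCheck. AZROLESLib is the namespace a COM reference to azroles.dll generates; the store URL, application name, domain, role names and operation ids are placeholders, and the web servers are assumed to accept the DN header only from the load balancer (any client able to set that header directly could otherwise claim another identity).

```csharp
using System;
using System.DirectoryServices;
using AZROLESLib; // interop assembly from a COM reference to azroles.dll
// Illustration of the helper described above; URL, app name, domain, roles and op ids are placeholders.
public sealed class AuthorizationHelper
{
    public enum Role { Customer, Supplier }
    public enum Operation { GetOrders = 1, PlaceOrder = 2 } // ids as defined in azman.msc
    const string StoreUrl = "msxml://C:\\AzStore\\AuthStore.xml", AppName = "OrderWebService";
    const string Domain = "EXAMPLE", LdapRoot = "LDAP://DC=example,DC=local";
    readonly IAzClientContext _ctx;

    // dn: the subject DN the load balancer put in the HTTP header. The web servers must
    // accept that header only from the load balancer; otherwise any caller could set it.
    public AuthorizationHelper(string dn)
    {
        if (dn == null || dn.Length == 0) throw new ArgumentException("dn");
        string sam;
        using (DirectorySearcher searcher = new DirectorySearcher(new DirectoryEntry(LdapRoot)))
        {
            // Escape header content before embedding it in the filter (RFC 2254).
            searcher.Filter = "(&(objectCategory=person)(distinguishedName=" + EscapeFilter(dn) + "))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            SearchResultCollection hits = searcher.FindAll();
            if (hits.Count != 1) // the DN must map to exactly one account
                throw new UnauthorizedAccessException("account not found or not unique");
            sam = (string)hits[0].Properties["sAMAccountName"][0];
        }
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null); // flags 0: open for access checks only
        IAzApplication app = store.OpenApplication(AppName, null);
        _ctx = app.InitializeClientContextFromName(sam, Domain, null);
    }
    public bool IsInRole(Role role)
    {
        foreach (object r in (object[])_ctx.GetRoles("")) // "" = application scope
            if (string.Compare((string)r, role.ToString(), true) == 0) return true;
        return false;
    }
    public bool IsAuthorized(Operation op)
    {
        object[] results = (object[])_ctx.AccessCheck("webmethod", new object[] { "" },
            new object[] { (int)op }, null, null, null, null, null);
        return (int)results[0] == 0; // 0 = NO_ERROR (granted), 5 = ERROR_ACCESS_DENIED
    }
    static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The web method reads the DN header, constructs the helper once per request and then calls IsAuthorized with the operation id that maps to the method being invoked.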

Download the AuthorizationHelper code (VS2003, C#) here.
Have fun ... or not, and build your own authorization store again.
Filed under: .NET