To AD or Not to AD?

The possibility of using Active Directory (AD) as a Microsoft Commerce Server 2000 credential store underscores the important role Microsoft gives to AD in its .NET infrastructure servers product line. When should you use AD, and when should you use another credential store? Here are some considerations.

A key strength of using AD (through Windows authentication mode) is the tight integration it creates between Commerce Server authentication, access control and auditing, and the Windows security model. If you're authenticating against AD, the IIS server process impersonates the user with an access token that carries all of the user's access-control information (e.g., group memberships, user rights). Because that token is what the built-in Windows access control and auditing system evaluates, you can use Windows ACLs and audit settings to secure access to your Commerce Server resources. This option is useful in business-to-business (B2B) Commerce Server scenarios, in which you want to limit access to valuable resources available from your commerce site.

Another AD feature you might want to use in a B2B scenario is AD's administrative delegation. Using this feature, you can delegate the management of your business partners' user accounts to predefined business partner administrator accounts. This scenario is illustrated in the SupplierActiveDirectory Commerce Server solution site. In this solution site, the equivalent of an AD organizational unit (OU) is an Organization. Creating a new Organization automatically creates an OU in AD (beneath \mscs_40_root\ solution site) and populates it with an Admingroup and a Usergroup security group. If you go to the security properties of the OU, you'll see that Commerce Server also automatically delegates the appropriate permission to these two groups, as Web-exclusive Figure A shows.
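One way to verify the delegation the article describes is to read the OU's ACL and list the ACEs that Commerce Server granted to the Organization's Admingroup and Usergroup, and to flag any other principal that holds rights powerful enough to change that delegation. The script below is an added example, not code from the article or from Commerce Server; it assumes the ActiveDirectory PowerShell module is available and that you supply the distinguished name of the Organization OU (the value shown is a constructed placeholder).

```powershell
# Added example (not from the article): audit delegated permissions on a
# Commerce Server Organization OU. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholder: replace with the DN of the Organization's OU.
$ouDn = 'OU=ExampleOrg,OU=mscs_40_root,DC=example,DC=com'

# Read the OU's security descriptor through the AD: PowerShell drive.
$acl = Get-Acl -Path ("AD:\" + $ouDn)

# 1. Show what the two Commerce Server-created groups were delegated.
$delegated = $acl.Access | Where-Object { $_.IdentityReference -match 'Admingroup|Usergroup' }
$delegated |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType |
    Format-Table -AutoSize

# 2. Flag any other principal that can rewrite the delegation itself
#    (full control, change DACL, or take ownership on this OU).
$sensitive = 'GenericAll|WriteDacl|WriteOwner'
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match $sensitive -and
        $_.IdentityReference -notmatch 'Admingroup|Usergroup'
    } |
    ForEach-Object {
        Write-Warning ("{0} holds {1} on {2}" -f $_.IdentityReference, $_.ActiveDirectoryRights, $ouDn)
    }
```

Running this after creating an Organization lets you confirm that only the intended partner administrators received rights on their OU, and that nothing outside the built-in administrative groups can quietly widen that grant later.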

Many questions have arisen about AD's scalability. Scalability is crucial if you plan to use AD as the credential store for a Commerce Server Web site that will deal with the authentication of thousands or even millions of users. Because AD is a true directory, it's optimized for read operations, not write operations. AD has only one thread available for write operations, which could be a bottleneck because authentication always involves a write operation. Microsoft has performed tests that show that AD can handle up to 5 million users and up to 1 percent of the total user population for concurrent authentication operations. For a good example of how well AD scales for read operations, go to the Compaq US Phone Directory Web site ( To help you with your AD scalability tests, Microsoft has included a set of Commerce Server authentication-specific counters for the Windows 2000 Performance Monitor (they're installed as part of the Commerce Server installation program). To access the counters, select the CS2000: User Profile Management object, then select one of the AuthMgr counters.
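The counters the article points to can also be sampled from a script during a load test instead of being watched in Performance Monitor. The following is an added example and not part of the article or of Commerce Server; it assumes PowerShell is available on a machine where the Commerce Server counters are installed, uses the object name given above, and discovers the individual AuthMgr counter names at run time rather than hard-coding them (the sample interval and count are arbitrary choices).

```powershell
# Added example (not from the article): sample the Commerce Server AuthMgr
# counters for a minute and summarize them. Assumes the counters are installed
# on the local machine and that the object name matches the one in the article.
$setName = 'CS2000: User Profile Management'

# Enumerate the counter set and keep only the AuthMgr counters.
$set = Get-Counter -ListSet $setName -ErrorAction Stop
$authPaths = $set.Paths | Where-Object { $_ -like '*AuthMgr*' }
if (-not $authPaths) { throw "No AuthMgr counters found in '$setName'" }

# Twelve samples five seconds apart (assumed values; adjust to your test run).
$samples = Get-Counter -Counter $authPaths -SampleInterval 5 -MaxSamples 12

# Average and peak per counter, so a write-path bottleneck shows up as a
# sustained high value rather than being lost in a single snapshot.
$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $values = $_.Group | Measure-Object CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($values.Average, 2)
            Peak    = $values.Maximum
        }
    } |
    Sort-Object Counter |
    Format-Table -AutoSize
```

Run it while your load generator drives authentications against the site; comparing the averages against the concurrency you expect (the article's 1 percent of total users figure is a useful ceiling) tells you whether AD's single write thread is keeping up before you go live.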
