C# Active Directory App - How do I store service account credentials?
C# Active Directory App - How do I store service account credentials?
I'm creating a web front end for some common Active Directory tasks. I'm planning to store service account credentials in the database so that they are able to be changed by the end user. How can I safely store the password when I need to pass it to AD?
1 Answer
1
Do you need to support different domains / use different accounts for accessing AD ?
If no, I suggest to not store credentials at all, but let your process run under a specific user account. (using IIS or a standalone service.) Some time ago, I used a Windows service for that
(see https://www.rsprog.de/aspnet-webapi2-angularjs/).
If you really want/need to store passwords, you can use the MS Data Protection API. See
https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata
I have used it a few times and it has proven to be a solid and reliable approach.
But be aware that anyone who knows your algorithm and entropy and has admin rights on the server is able to decrypt (if he is able to let a process be run under the service user).
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
You could use an encrypted column, but it depends heavily on your threat model.
– Dan Wilson
Aug 21 at 19:14