Some of you that tuned into my webcast (or attended my session) at TechEd might have been surprised when, during the section reviewing the pros and cons of Windows authentication, I stated the following:
“So disadvantages are along the same lines in that you’re now linked to Active Directory, so all the users that are accessing your application have to be in Active Directory or the local user database [Windows SAM]. It’s not as scalable, if you’re writing a big ecommerce application and you’re having thousands of customers and they’re signing themselves up you probably don’t want those folks in your AD, so it wouldn’t work well for that solution.“
The point I was trying to make – and stumbled over – was that for large ecommerce scenarios, the management of hundreds of thousands of user accounts in Active Directory might not scale as well compared to the management of those same users as simple records in a database. I was not saying that AD is not a scalable technology. Quite the contrary – from an architectural standpoint, there are numerous case studies that show how scalable a technology AD is. Specifically, here is a case study of AD being used in an ecommerce extranet type of web application.
Also, later on in the session I was answering another question talking about using Forms Authentication against accounts stored in AD (good reference on how to do that here). That’s a perfectly valid model as well. The decision as to which user store to use (and therefore, to some degree the authentication mechanism to use) should be based on factors such as manageability, because a solution with accounts as records in a SQL Server table or one with accounts in AD can scale equally well to meet just about any requirements. I misspoke and misrepresented that point in part due to having a compressed time slot – turns out the speaker following me was scheduled to start at exactly my finish time. Such is the risk of live events!