Re: AD Authentication from a Web Server in DMZ
From: Josh R. Andrews (jra_at_kccllc.com)
Date: 01/14/05
- Next message: inge.henriksen_at_booleansoft.com: "IIS 6 WinHTTP Certificate : A security error occurred"
- Previous message: agentuser: "ASP Request Queue stays constantly high or starts to grow slowly till IIS hangs."
- In reply to: einkopf1: "RE: AD Authentication from a Web Server in DMZ"
- Next in thread: Alok Kumar: "RE: AD Authentication from a Web Server in DMZ"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 13 Jan 2005 17:08:15 -0800
To: einkopf1 <einkopf1@discussions.microsoft.com>
I don't believe that there is a way to do this without the webserver
actually being a member of the Active Directory Domain.
This is because you essentially want the web app to run in the context
of the user (delegation) on the webserver. Or you want to set NTFS ACLs
on the site on the webserver and restrict them to the user or groups in
question while denying anonymous access.
The webserver's not going to do that, or even be aware of the accounts
unless it can access the domain to get the accounts, which requires that
it be in the domain in the first place.
I highly recommend using custom database-driven authentication for a
scenario like this. There are also other operational issues with your
web app being dependent upon the domain and the domain being available.
i.e. what happens if the domain gets corrupted or goes down -- you've
just lost all of your users and having your SQL database backed up still
isn't going to do you any good because you've tied authentication into AD.
Josh
einkopf1 wrote:
> Forgot to mention that we use Windows 2000 Server/IIS 5.0/ASP.NET and would
> like to keep that setup. However, if we absolutely have to use Windows 2003
> Server, we'll do that.
>
> "einkopf1" wrote:
>
>
>>Hello,
>>
>>We have a Web server in the DMZ that cannot access Active Directory (AD)
>>because it's not a member of any domain. We need to build a Web application
>>that needs to authenticate users against AD. Moreover, the users (employees)
>>need to be able to access it from any computer with Internet Explorer
>>installed. We don't want to use any security device to generate any keys,
>>etc. -- only user name/password that our people already have. Nor do we want
>>to maintain separate access lists (in MS SQL Server). We want to use AD
>>only.
>>
>>The server should present the user a logon page (user name, password and
>>domain) and when the user enters the data, it should confirm credentials
>>(make sure they are valid in AD) and let the user into the site.
>>
>>What is the best way (tools) to achieve that?
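The database-driven authentication Josh recommends, as an added example that is not from the thread: a C# helper an ASP.NET login page could call to check a submitted user name and password against a SQL Server table of salted PBKDF2 hashes, so the DMZ server never needs domain membership. The Users table, its column names and the connection string are assumptions; Rfc2898DeriveBytes requires .NET 2.0 or later.

```csharp
// Added example, not from the thread. Hypothetical table:
// Users(UserName, PasswordSalt, PasswordHash, Iterations); requires .NET 2.0+.
using System.Data.SqlClient;
using System.Security.Cryptography;
public static class DbAuthenticator
{
    const int HashBytes = 32;
    // Constant-time comparison so a mismatch does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // PBKDF2 (HMAC-SHA1 in this .NET class) over the submitted password.
    public static byte[] DeriveHash(string password, byte[] salt, int iterations)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // True only if the user exists and the password derives the stored hash.
    // Unknown users still pay the KDF cost so timing does not reveal valid names.
    public static bool ValidateUser(string connectionString, string userName, string password)
    {
        byte[] salt = new byte[16], storedHash = new byte[HashBytes];
        int iterations = 10000;
        bool found = false;
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash, Iterations FROM Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName); // parameterised query, no SQL injection
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read())
                {
                    salt = (byte[])r["PasswordSalt"];
                    storedHash = (byte[])r["PasswordHash"];
                    iterations = (int)r["Iterations"];
                    found = true;
                }
            }
        }
        return FixedTimeEquals(DeriveHash(password, salt, iterations), storedHash) && found;
    }
}
```

On a true return the login page would call FormsAuthentication.RedirectFromLoginPage to issue the forms-authentication ticket; the same table backs the SQL Server backup Josh mentions, so a domain outage does not lock users out.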