Re: Query AD from DMZ via LDAP?
You could use ADAM with passthrough authentication or bind proxy objects,
but the ADAM server would need to be a member of the domain, so that may or
may not be viable from a firewall perspective. Whether or not you use bind
proxy objects depends on the type of authentication your app can perform.
If it is limited to LDAP simple bind, then bind proxies would be needed (and
a sync mechanism to populate them and keep them synced with the AD). If
your app can do a Windows secure (GSS-SPNEGO SASL) bind, then pass-through
authentication will work.

ADAM might allow you to get the group memberships as well, but it may be
difficult to resolve the SIDs that ADAM would give you into friendly names
unless you can actually query the source AD directory, so that might not
help very much.

Another thing you might consider would be to poke a hole in the firewall to
allow LDAP traffic through, perhaps limiting the traffic to port 636 (with
SSL enabled on the AD server). That is probably the easiest way to go if it
is an option.

ADFS could also be used to solve this problem, as it can provide
authentication to apps on the public internet (among many other things), but
it might be more than you want to chew off if you don't need federation
services or don't need to integrate multiple directories (or your app can't
use federation services easily due to how it is designed).

This is a pretty broad area here with multiple possible solutions, so my
response is pretty broad too. However, I can hit more details on some of
this stuff if you have more specific questions.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"emde" <emdeusenet@xxxxxxxxx> wrote in message
news:1176141873.353113.161020@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have an application that sits in our DMZ that needs to query our
internal AD domain. I'd like to keep things as secure as possible. I
tried configuring a new domain in the DMZ in a separate forest,
creating a one way trust, but I am unable to use LDAP to locate the
internal domain user from the DMZ domain.

The next step I thought I would try is to use ADAM. Would this be a
viable solution (using the proxy class)? My requirements are that I
can simply use LDAP (in the DMZ) to authenticate a user in our
internal AD domain. Determining group memberships would be a bonus.

Thanks for any ideas.

-emde
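The "allow LDAP through the firewall on 636 with SSL" option from the reply, as an added C# example (not code from the thread or from either poster): the DMZ app authenticates the user over LDAPS with a simple bind, then reads tokenGroups and resolves each SID to a name over the same connection, since the DMZ host is not domain-joined. The host name, base DN, UPN and password are placeholders supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Principal;

// Added example, not from the thread. host, baseDn, upn and password are placeholders.
static class DmzAdAuth
{
    // Escapes caller-supplied text for an LDAP filter (RFC 4515) before embedding it.
    static string Escape(string s) => s.Replace("\\", "\\5c").Replace("*", "\\2a")
        .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

    public static string[] AuthenticateAndGetGroups(
        string host, string baseDn, string upn, string password)
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(host, 636)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;   // LDAPS on 636, as suggested above
            // Leave VerifyServerCertificate unset so the default chain/name check applies.
            // Simple bind: the password crosses the firewall only inside the TLS tunnel.
            // Use AuthType.Negotiate (GSS-SPNEGO) instead when the app can do a Windows bind.
            conn.AuthType = AuthType.Basic;
            conn.Credential = new NetworkCredential(upn, password);
            conn.Bind();   // throws LdapException (invalidCredentials) on a bad password

            // Locate the user's DN; tokenGroups is constructed and only readable at base scope.
            var find = new SearchRequest(baseDn,
                "(&(objectClass=user)(userPrincipalName=" + Escape(upn) + "))",
                SearchScope.Subtree, "distinguishedName");
            var found = (SearchResponse)conn.SendRequest(find);
            if (found.Entries.Count != 1) throw new InvalidOperationException("user not found");
            string userDn = found.Entries[0].DistinguishedName;

            var tg = (SearchResponse)conn.SendRequest(
                new SearchRequest(userDn, "(objectClass=*)", SearchScope.Base, "tokenGroups"));
            var groups = new List<string>();
            var attr = tg.Entries[0].Attributes["tokenGroups"];
            if (attr == null) return groups.ToArray();
            foreach (byte[] raw in attr.GetValues(typeof(byte[])))
            {
                // Not domain-joined, so resolve each SID via the <SID=...> DN binding form
                // on this same connection rather than a local LSA lookup.
                var sid = new SecurityIdentifier(raw, 0);
                var r = (SearchResponse)conn.SendRequest(new SearchRequest(
                    "<SID=" + sid.Value + ">", "(objectClass=*)", SearchScope.Base, "sAMAccountName"));
                groups.Add(r.Entries.Count == 1 ? (string)r.Entries[0].Attributes["sAMAccountName"][0] : sid.Value);
            }
            return groups.ToArray();
        }
    }
}
```

The bound user must have read access to its own tokenGroups and to the groups' sAMAccountName for the lookups to succeed; an unresolvable SID is returned in S-1-5-... form rather than dropped.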