Re: Query AD from DMZ via LDAP?
You don't really need ADAM for this unless you need LDAP simple bind, as you
can bind to the DC that trusts the internal DC to do the authentication.
Getting group membership is likely going to be hard no matter what.

If you can do secure LDAP through the firewall, that simplifies things
greatly. Having a separate forest for this when you don't need it for
anything else doesn't make a lot of sense. Of course, if you are going to
use that forest as your hub for policy and patch management in the DMZ, then
maybe you need it anyway.

Remember that ADAM isn't an LDAP proxy, in that it doesn't forward general
queries to AD. It can do pass through authentication and bind proxy
authentication and it can also build a logon token for the pass through
authentication user that you can query to get group SIDs (read tokenGroups
constructed attribute from the "rootDSE" object), but it might not give you
exactly what you want.

Keeping it simple sounds good to me too.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
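The tokenGroups attribute mentioned above comes back as a list of binary SIDs, and the difficulty Joe describes (turning those SIDs into friendly names) boils down to two small steps: converting each binary SID into its S-1-5-... string form, and, where you can reach the source AD, building an RFC 4515 escaped filter so the same bytes can be matched against objectSid. The following is an added example, not code from the original thread; it uses only the Python standard library, and the SID values in it are constructed for illustration, not taken from any real directory.

```python
import struct

# Constructed sample SIDs (not from any real directory):
# a domain group with RID 513 and the well-known BUILTIN\Administrators SID.
SAMPLE_DOMAIN_GROUP_SID = "S-1-5-21-1234567890-987654321-111111111-513"
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"


def sid_bytes_to_string(blob: bytes) -> str:
    """Convert a binary SID (the format AD returns in objectSid and
    tokenGroups) to its textual S-R-A-S1-S2-... form.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2..7 the
    48-bit identifier authority (big-endian), then N little-endian uint32
    sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; useful for building test data and
    for turning a known string SID into the bytes objectSid stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def ldap_escape_binary(blob: bytes) -> str:
    """Escape raw bytes for use inside an LDAP search filter (RFC 4515):
    every byte becomes a backslash followed by two hex digits."""
    return "".join("\\%02x" % b for b in blob)


def sid_lookup_filter(blob: bytes) -> str:
    """Filter that matches the object whose objectSid equals this binary SID."""
    return "(objectSid=%s)" % ldap_escape_binary(blob)


def token_groups_lookup_filter(token_groups) -> str:
    """OR together one objectSid clause per tokenGroups entry so that all
    group SIDs can be resolved to names with a single search against the
    source directory (e.g. base DN of the domain, attributes 'sAMAccountName')."""
    clauses = "".join(sid_lookup_filter(blob) for blob in token_groups)
    return "(|%s)" % clauses


def resolve_token_groups(token_groups, directory):
    """Map each tokenGroups SID to a name using 'directory', a callable that
    takes a string SID and returns a name or None. Here that stands in for
    a real LDAP search against AD; unresolved SIDs are kept in string form
    so nothing is silently dropped."""
    result = []
    for blob in token_groups:
        sid = sid_bytes_to_string(blob)
        name = directory(sid)
        result.append((sid, name if name is not None else sid))
    return result


if __name__ == "__main__":
    groups = [sid_string_to_bytes(SAMPLE_DOMAIN_GROUP_SID),
              sid_string_to_bytes(BUILTIN_ADMINISTRATORS_SID)]
    known = {SAMPLE_DOMAIN_GROUP_SID: "Domain Users",
             BUILTIN_ADMINISTRATORS_SID: "Administrators"}
    for sid, name in resolve_token_groups(groups, known.get):
        print(sid, "->", name)
    print(token_groups_lookup_filter(groups))
```

The round trip between the string and binary forms is what makes the rest practical: tokenGroups gives you bytes, humans and most tooling want the S-1-5 string, and a search filter against objectSid needs the bytes back in escaped form. Keeping unresolved SIDs in the output, rather than discarding them, matters for the scenario in the thread, where a DMZ host may only be able to resolve some of the SIDs it is handed.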
--
"emde" <emdeusenet@xxxxxxxxx> wrote in message
news:1176148924.407651.29750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Joe:

I plan on having ADAM installed in a domain controller where there is a
forest trust to the internal domain. Would this work with the
passthrough authentication? If so, it looks like this is my best
option. Although the secure LDAP through the firewall is looking very
attractive at the moment :)


On Apr 9, 11:35 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
You could use ADAM with passthrough authentication or bind proxy objects,
but the ADAM server would need to be a member of the domain, so that may or
may not be viable from a firewall perspective. Whether or not you use bind
proxy objects depends on the type of authentication your app can perform.
If it is limited to LDAP simple bind, then bind proxies would be needed (and
a sync mechanism to populate them and keep them synced with the AD). If
your app can do a Windows secure (GSS-SPNEGO SASL) bind, then pass through
authentication will work.

ADAM might allow you to get the group memberships as well, but it may be
difficult to resolve the SIDs that ADAM would give you into friendly names
unless you can actually query the source AD directory, so that might not
help very much.

Another thing you might consider would be to poke a hole in the firewall to
allow LDAP traffic through, perhaps limiting the traffic to port 636 (with
SSL enabled on the AD server). That is probably the easiest way to go if it
is an option.

ADFS could also be used to solve this problem, as it can provide
authentication to apps on the public internet (among many other things), but
it might be more than you want to chew off if you don't need federation
services or don't need to integrate multiple directories (or your app can't
use federation services easily due to how it is designed).

This is a pretty broad area here with multiple possible solutions, so my
response is pretty broad too. However, I can hit more details on some of
this stuff if you have more specific questions.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"emde" <emdeuse...@xxxxxxxxx> wrote in message
news:1176141873.353113.161020@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have an application that sits in our DMZ that needs to query our
internal AD domain. I'd like to keep things as secure as possible. I
tried configuring a new domain in the DMZ in a separate forest,
creating a one way trust, but I am unable to use LDAP to locate the
internal domain user from the DMZ domain.

The next step I thought I would try is to use ADAM. Would this be a
viable solution (using the proxy class)? My requirements are that I
can simply use LDAP (in the DMZ) to authenticate a user in our
internal AD domain. Determining group memberships would be a bonus.

Thanks for any ideas.

-emde
