Re: Domain registration requirement in federated web sso with fore



Thanks a lot Joe for this useful information. I would like to ask you one
more question, which is on a different topic.
We have some applications written in non-Microsoft languages like Java,
Perl and ColdFusion. Those applications use Active Directory to authenticate
their users. Those applications access AD through the AD LDAP interface.
Could these applications be called Windows NT token-based applications in
ADFS terms? Is it possible to make these applications SSO-enabled using ADFS?
Apologies for my ignorance, but we really need this information.


"Joe Kaplan" wrote:

That isn't a bad scenario for the forest trust option. I generally like to
establish the federation trust with certificates rather than via a forest
trust as I think it is more "pure", but since you already have the forest
trust in place, it isn't so bad. What I don't like about it is that it
requires more connectivity between the two forests than you really need in
federation, and it can make certain things more complicated in Windows/token
auth situations since the foreign domain SIDs can be used as well.

I wouldn't worry about it too much though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6A28D23-33B4-4979-8801-168B8B6DF26F@xxxxxxxxxxxxxxxx
Thanks for your reply Joe.

We have chosen Federated SSO with Forest trust, because we have some token
based applications written in ASP and we need to give access to both internet
users and intranet users. The applications (resources) are deployed in the
external domain located in the DMZ. We have 2 Active Directory domains in the
same organization. The external domain contains the external user credentials
and the internal AD contains the employees' credentials. Our scenario matches
exactly the diagram for Federated SSO with Forest trust (published on the
TechNet site as well as in the ADFS help file). Could you please let us know
if we are choosing the wrong scenario?

"Joe Kaplan" wrote:

Why are you doing web sso with forest trust out of curiosity?

Regarding the DNS requirements, it all depends on where the web browsers
that will access those resources are. If the browsers are on the public
internet, then the DNS entries for the resources will need to be
external/public and the web sites will need to be public facing as well.

However, it is possible that some browsers may only access certain
components from within their own organization on their private network, so
the DNS registration for those resources could be internal.

The key thing to understand is that the browser will need access to:
- The web app being federated
- The resource FS that protects the above mentioned app
- The account FS that they log in to if they do not log in via an account
  store on the resource FS

So, drawing a picture of those components and the potential locations of the
browser clients will make the DNS requirements more obvious.

In some cases when using the proxy, you want the proxy and the FS to have
the same DNS name, but the proxy is registered externally and the FS is
registered internally. This way, clients on the public internet will get
the proxy when directed to the FS host name, but clients inside the firewall
will get the FS directly.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
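The split-horizon arrangement Joe describes (one FS host name, the proxy's address in the public zone and the FS's address in the internal zone) can be sanity-checked against zone data before it goes live. This is an added example, not code from the thread; the host names and addresses are constructed, and the simplified "name A address" lines stand in for real zone files.

```python
"""Check a split-horizon DNS design for an ADFS federation server (FS)
and its proxy: the same FS host name answers with the proxy address in
the public view and with the FS address in the internal view.
All names and addresses below are constructed for illustration."""
from ipaddress import ip_address

# Constructed zone snippets in a simplified "name  A  address" form.
EXTERNAL_ZONE = """
fs.example.com.      A  198.51.100.10   ; ADFS proxy in the DMZ
app.example.com.     A  198.51.100.20   ; federated web application
"""
INTERNAL_ZONE = """
fs.example.com.      A  10.0.0.5        ; federation server on the LAN
app.example.com.     A  10.0.0.20
accountfs.corp.example.com.  A  10.0.1.5   ; account-side FS (internal only)
"""

def parse_zone(text):
    """Return {name: address} for the A records in a zone snippet."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        name, rtype, addr = line.split()
        if rtype.upper() == "A":
            records[name.lower().rstrip(".")] = ip_address(addr)
    return records

def missing_names(zone_text, names):
    """Names a browser using this view cannot resolve. The web app, the
    resource FS and the account FS must all resolve from where the browser sits."""
    view = parse_zone(zone_text)
    return [n for n in names if n.lower().rstrip(".") not in view]

def check_split_dns(external, internal, fs_name, proxy_addr, fs_addr):
    """Return a list of problems; an empty list means the split is correct."""
    ext, inn = parse_zone(external), parse_zone(internal)
    name = fs_name.lower().rstrip(".")
    problems = []
    if ip_address(proxy_addr) == ip_address(fs_addr):
        problems.append("proxy and FS share an address, so nothing is split")
    if ext.get(name) != ip_address(proxy_addr):
        problems.append(f"public view of {fs_name} must point at the proxy")
    if inn.get(name) != ip_address(fs_addr):
        problems.append(f"internal view of {fs_name} must point at the FS")
    return problems
```

Feeding the two views in swapped order, or giving the proxy and FS the same address, produces findings; an empty list means public clients land on the proxy and internal clients on the FS.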
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE6D5109-D8CB-468B-A85E-E2F10CBFA626@xxxxxxxxxxxxxxxx
Hello,

I am going to configure Federated web sso with forest trust for one of my
Web resources.

I have two ADFS servers and two ADFS server proxies.

Can anyone please tell me what the requirement is for domain name
registration?

Should both the account and resource domain names be published to the internet?
