Re: AD Authentication in a DMZ (up) ?



Hi Jorge,

thank you for your answer.

My principal question is "Generally, what kind of architecture is chosen when we want an application in a DMZ zone to be able to use AD authentication?"

Thomas told me about ADAM, ADFS or a specific forest only for application resources.

I have then two questions.

1. Why should a specific forest in a DMZ be less secure than ADAM or ADFS?

2. Can we use a RADIUS proxy in the DMZ that will send authentication requests from the DMZ to the DCs (in the LAN)? Is it secure?

Thank you !


Hi
- You'll need to open the necessary ports between DMZ and internal to allow authentication.



--
===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.5ac07d7ae674d1fa.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,

Does anybody have ideas or documentation about this classical question, please?

Thank you

Hi,

we have an application in our DMZ that needs to use the Active Directory database for authentication.

Of course our AD domain controllers are in our LAN.

Is there a secure way to use AD authentication for applications located in a DMZ?

Thanks a lot.

Regards,

Pascal


One option is to use ADAM with userProxy objects, which will forward authentication requests to your AD in the LAN.

Another option is to use ADFS, but your application will have to be tested to see whether it works with ADFS.

A third option is an AD forest in your DMZ which will have a trust relationship with your main AD (I don't like such a solution, but it is also an option).

Thank you Thomas,

Why is the third option less secure than ADFS or ADAM?

Is there another solution with a RADIUS server in the DMZ that will forward the authentication request to the DC in the LAN?

Thanks

-- Pascal



--
Pascal
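Jorge's remark that the necessary ports must be opened between the DMZ and the internal network is where most of these designs go wrong in practice, so here is a small reachability audit a defender can run from the DMZ application host. It is an added example, not code from any poster: the port numbers are the standard Windows/IANA assignments, while the host name, the grouping of ports by mechanism and the "should be blocked" list are assumptions to adapt to your own rule set.

```python
import socket
from typing import Callable, Dict, List, Tuple

# TCP ports a DMZ application host must reach on a domain controller,
# grouped by the authentication mechanism the application will use.
# Standard assignments; the grouping itself is an assumption for this example.
# (Kerberos and DNS also use UDP, which a plain TCP probe cannot check.)
REQUIRED_PORTS: Dict[str, List[Tuple[int, str]]] = {
    "ldap-bind": [(636, "LDAPS bind"), (3269, "Global Catalog over TLS")],
    "kerberos": [(88, "Kerberos KDC"), (53, "DNS SRV lookups")],
}

# Ports that carry no authentication traffic for these mechanisms and that a
# DMZ -> LAN rule set should therefore leave closed (assumed deny list).
SHOULD_BE_BLOCKED: List[Tuple[int, str]] = [
    (445, "SMB"), (135, "RPC endpoint mapper"), (3389, "RDP"),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_dc_reachability(dc: str, mechanism: str,
                          probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, List[str]]:
    """Compare the firewall's actual behaviour with the expected allow/deny sets.

    Returns {'missing': required ports that are closed,
             'excess':  ports that should be blocked but still answer}.
    Two empty lists mean the DMZ -> DC rule set matches the chosen mechanism.
    """
    missing = [f"{port}/tcp ({why})" for port, why in REQUIRED_PORTS[mechanism]
               if not probe(dc, port)]
    excess = [f"{port}/tcp ({why})" for port, why in SHOULD_BE_BLOCKED
              if probe(dc, port)]
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    # Constructed call: "dc01.corp.example" is a placeholder for the real DC, and
    # "ldap-bind" assumes the application binds to AD over LDAPS instead of
    # joining the domain (which would need far more ports open).
    print(audit_dc_reachability("dc01.corp.example", "ldap-bind"))
```

Run it once for each mechanism you intend to support; anything listed under "excess" is a rule that widens the DMZ-to-LAN path without serving authentication.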
