Re: Secure External LDAP Query into Our Active Directory
Thank you for your response, Joe. I have just one last question. The software
website is Blackboard (e-learning software). They state that they have an
.ini file where they can put an entry in for our LDAP servers (knowing that
they and we are in two separate domains) and users should be able to
authenticate to our domain via LDAP over SSL when they go to Blackboard's
login webpage. Just to ensure I understand you correctly, you would still
recommend the WS-Federation protocol?

Thank you very much for your time in this!
--
Thank you,

Brad R


"Joe Kaplan" wrote:

You would be much better off encouraging the external website to use a
federation protocol like WS-Federation to implement authentication across
organizational boundaries. Giving them access directly to your directory
exposes a significant surface area of your directory.

You can implement WS-Federation on your side using ADFS.

It is probably more work in the short term for both parties, but is a better
long term solution to this type of problem.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Brader" <Brader@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2ADCF3BF-07D0-4477-A78A-52C4D9469C7B@xxxxxxxxxxxxxxxx
I am wondering how I can configure our network to allow an external software
to use secure LDAP to authenticate against our domain. A user will login to
an external website, then use LDAPS and the Internet to query our AD to
authenticate against to allow them into the site. I have been thinking of
obtaining an SSL for ldap.XYZ.edu, then installing it on our ISA 2006 server
and configure a web listener to allow LDAPS from the external servers to our
servers. Does anyone know if this will work or if there is a better way to
go?
--
Thank you,

Brad R
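Joe's point, that federation hands the external site a signed assertion instead of a credential and a query channel into AD, as an added illustration that is not code from this thread, from Blackboard or from ADFS. It stands in a simplified HMAC-signed token for a WS-Federation security token; the issuer name, key and audience are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

ISSUER = "idp.XYZ.edu"  # hypothetical federation service name (placeholder)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(idp_key: bytes, subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """Identity-provider side (the school's boundary): the user has already
    authenticated against AD locally. Only claims cross the boundary; the
    password and the directory itself never do."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(idp_key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(idp_key: bytes, token: str, audience: str, now=None):
    """Relying-party side (the external site): accept the assertion only if
    the signature, audience and expiry check out. Returns the claims, or None.
    Compare with direct LDAPS: here the site holds no AD credential and
    cannot run arbitrary queries against the directory."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(idp_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, binascii.Error):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Rejecting a token issued for a different audience is what keeps one relying party from replaying assertions against another.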