Solved

Validate Users in IIS by using Active Directory Users on a different network

Posted on 2004-08-09
Last Modified: 2013-12-04
Quick Overview:
  We have two servers.
   - 1 IIS Server With a T1 Line
   - 1 Windows 2000 Active Directory Server on another network with a T1 Line.

These two servers ARE NOT CONNECTED in any way except for over the internet.

Is there a way so that users can log into IIS using "Basic Authentication" with user accounts that are on the Active Directory Server?  I guess in other words - can user account information be validated over the internet?

Let me know if you need any more information!

Thanks,
Scott
Question by:ScottFcasni
11 Comments
 
Accepted Solution by: jdeclue (LVL 9), earned 500 total points
ID: 11753114
User account information can be validated over the Internet. But... using Basic Authentication to IIS is very insecure, and it becomes much worse if you capture that information and forward it to the domain to validate and have it authorize back. If you attempted to authenticate this way, you would become an extremely easy target.
 
Expert Comment by: hvdhelm (LVL 3)
ID: 11753491
Build a VPN between them; that's secure and simple. After you set up the VPN, you can simply use Basic Authentication as if you were in a LAN.
 
Expert Comment by: jdeclue (LVL 9)
ID: 11754498
Even in that scenario, the VPN will essentially encrypt the Basic Authentication between the web server and the domain. But, and it is a big one, the domain, username and password will be sent in clear text between the user and the web server. If you wish to do this, here are the details.

1) First and foremost, use SSL between the client and web server (in order to encrypt the client session).
2) Configure a secure point-to-point connection between the web server and the domain. In all cases the IIS server will have to be joined to the domain.
   a) VPN tunnel between web server and domain.
   b) Point-to-point via a Frame, T-1, ISDN, etc.
3) The web server will need to have two network cards: one connected to the Internet side, and one connected to the connection to the domain.
4) The web server must not be allowed to route traffic between the interfaces.
5) Configure your security on the Internet side to only allow ports 80 and 443 (443 for SSL); when a user connects, direct them to port 443 and authenticate them there.

Background.

1) The user connects over SSL to provide Domain\Username and password; SSL encrypts the communications.
2) The web server connects through the back-end to the domain and authenticates the user.
3) If the user is present in the domain, they are authenticated and allowed access.
4) In this configuration you are about as secure as you can be. I would consider this a minimum for your installation.

J
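The hardening steps in the comment above, as an added example that is not part of the original thread and not anyone's posted configuration. It assumes a current Windows Server (2012 or later, so the WebAdministration, NetTCPIP and NetSecurity modules exist; the Windows 2000-era hosts in the question predate them), a site named 'Default Web Site' that already has an HTTPS binding with a certificate, NIC aliases 'Internet' and 'VPN', and a domain called CORP; the VPN itself lives on whatever devices terminate it and is out of scope. The first function shows why step 1 is not optional: a Basic Authorization header is base64, not encryption, and the sample header it decodes is constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumptions (not in the page):
# site 'Default Web Site' with an HTTPS binding already in place, NIC aliases
# 'Internet' and 'VPN', domain CORP, Windows Server 2012+ with the
# WebAdministration and NetTCPIP/NetSecurity modules.
Import-Module WebAdministration

$site     = 'Default Web Site'
$internet = 'Internet'   # NIC facing the T1 / Internet
$backend  = 'VPN'        # NIC or tunnel adapter facing the domain
$domain   = 'CORP'

# Why step 1 matters: a Basic Authorization header is only base64-encoded.
# Anyone sniffing plain HTTP recovers DOMAIN\user and the password directly.
function ConvertFrom-BasicAuthorization {
    param([Parameter(Mandatory)][string]$HeaderValue)
    if ($HeaderValue -notmatch '^Basic\s+(?<b64>[A-Za-z0-9+/=]+)$') {
        throw 'Not a Basic Authorization header'
    }
    $raw = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches.b64))
    $user, $pass = $raw -split ':', 2
    [pscustomobject]@{ User = $user; Password = $pass }
}
# Constructed sample of what a sniffer sees on port 80: CORP\scott / Pa55w0rd
ConvertFrom-BasicAuthorization 'Basic Q09SUFxzY290dDpQYTU1dzByZA=='

# Steps 1 and 5: require SSL on the site. IIS then answers plain-HTTP requests
# with 403.4 instead of ever seeing a Basic header in the clear.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Basic auth against the domain (the box is domain-joined over the VPN), with
# anonymous access off so every request is authenticated.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/basicAuthentication" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/basicAuthentication" -Name 'defaultLogonDomain' -Value $domain

# Steps 3 and 4: two NICs, and the host must never route between them.
foreach ($nic in $internet, $backend) {
    Set-NetIPInterface -InterfaceAlias $nic -AddressFamily IPv4 -Forwarding Disabled
}

# Step 5: the Internet side accepts only TCP 80 and 443; all other inbound traffic is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Web front end (Internet NIC)' -Direction Inbound `
    -Protocol TCP -LocalPort 80, 443 -Action Allow -InterfaceAlias $internet | Out-Null

# Post-change checks. Ssl is bit 8 of sslFlags in applicationHost.config.
function Test-FrontEndHardening {
    $flags = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
              -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
    $sslOn = if ($flags -is [string]) { $flags -match 'Ssl' } else { ([int]$flags -band 8) -ne 0 }
    $fwd   = Get-NetIPInterface -AddressFamily IPv4 |
             Where-Object { $_.InterfaceAlias -in @($internet, $backend) -and $_.Forwarding -eq 'Enabled' }
    [pscustomobject]@{
        SslRequired     = $sslOn
        NoForwarding    = @($fwd).Count -eq 0
        DomainReachable = Test-ComputerSecureChannel   # secure channel to a DC over the VPN
    }
}
Test-FrontEndHardening
```

Two caveats when running this. Requiring SSL makes IIS refuse plain-HTTP requests rather than redirect them; if you want the "send them to 443" behaviour of step 5, serve the redirect from a separate HTTP-only site so the credential-bearing site never listens in the clear. And setting the default inbound action to Block on every profile also blocks remote management, so add explicit rules for whatever you need on the VPN interface (RDP, WinRM) before you disconnect.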

 
Expert Comment by: tenacium (LVL 4)
ID: 11756834
You could also set up an AD/AM server on the IIS network. You'd need to figure out a way to securely replicate from AD to the ADAM server, maybe using a secure VPN as described above. But the auth can take place without travelling across the net in clear text.

This is one of the reasons Microsoft introduced ADAM. If they were on the same network, ADAM allows pass-through authentication to AD, but that's not going to work in your environment. Nor will using IIFP to replicate, which would be ideal. But you could export text files from AD and use SSH to secure FTP the files to the ADAM server and import -- all with some fairly simple scripting.

It's not super-easy to set this up, but I think it's worth consideration.
 
Expert Comment by: Paka (LVL 22)
ID: 11757584
jdeclue is correct. This is a standard problem with Exchange front-end/back-end configurations. The standard config for Exchange installs is to set up SSL between client and front-end and use IPSec from front-end to back-end - it works like a charm.
 
Expert Comment by: jdeclue (LVL 9)
ID: 11761554
Scott, let us know how you are doing and if you have any questions regarding the above ;)

J
 
Expert Comment by: jdeclue (LVL 9)
ID: 11911780
Could you please give us an update as to the question, and/or close it please. Thank You ;)

J
 
Expert Comment by: jdeclue (LVL 9)
ID: 13970439
1081791 ... fairly elegant response ;) I believe the response answers the question as asked.

Joel
