• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 543
  • Last Modified:

SSL VPN combined with MS AD Domain Login

I have a challenge which I hope anyone can help me solve..
Our company uses a CRM-system which requires users to be logged on as MS AD domain users.
This works perfectly well when the users are on our internal LAN, but it is a challenge to make this work over an SSL VPN-connection.

To be able to do a login on the domain you must have network access to the domain server, but you cannot set up an SSL VPN-connection before you have logged in (locally) and started your web browser.

Anyone who can help me out on this ??
0
toyman61
Asked:
toyman61
  • 5
  • 4
  • 3
  • +1
1 Solution
 
dfxdeimosCommented:
Do all the users that would be logging in via VPN have a physical workstation at your location? If so, they could just establish the VPN then open a Remote Desktop Connection to their workstation and work that way.

If not you could setup an additional server that functions as a Terminal Server and allows the users to get a desktop in your domain that way.
0
 
CompuzedCommented:
Typically, a VPN SSL connection, you run a client software of some kind on the off site resource ( Laptop or whatever) .  When the client software creates the SSL - VPN connection, the DNS is put in place on a "virtual" NIC ( adaptor).  This new IP ( lets say 10.10.10.100) is then on the same subnet as you LAN back in the office.  By virture of being on the same subnet, when the user logs in, they are in fact authentication to the DC, thus being a MS AD domain user.    Now your CRM is the issue..... somehow you will have to tell the local copy of your database that it needs to sync with the Remote Database..... Maximizer does a good job of this, but not sure what you might be using.
Obviously , only one set of data should be in play here.
0
 
dfxdeimosCommented:
@ Compuzed:

It is not correct to say that just because someone is logged in via VPN that they are "Authenticat[ed]ion to the DC". Just because they have passed their credentials once to whatever the authentication mechanism of the VPN connection does not mean they can browse the network at will and authenticate with integrated windows authentication (based upon the connection account).

When they try to access a resource they are by default still going to be passing their login information from their LOCAL PC to whatever they are accessing.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
CompuzedCommented:
Correction noted....my mistake.

0
 
toyman61Author Commented:
dfxdeimos: No, my users will not have a physical workstation at our location. All have laptops, which they use both in office and i.e. at home (or on travel or...).

Compuzed: The problem is that although our users are authenticated with their AD credentials to our SSL VPN-solution they are still not authenticated to AD as such. Our CRM-solution requires full AD authentication....

 
0
 
CompuzedCommented:
Try looking at the ports that AD uses for authentication....I think the term is LDAP, and I think it is port 53??
0
 
dfxdeimosCommented:
@ Compuzed:

Knowing those ports won't make any difference. The issue here is that integrated Windows authentication will not work to pass your creds to the AD enabled application (CRM) unless you are actually logged in to something that creates the proper token.

@ ToyMan61:

Are these laptops members of the domain?
0
 
toyman61Author Commented:
Compuzed: LDAP uses port 389. This information is found in your /etc/services-file (or windows\system32\drivers\etc for Windows-users). Port 53 is DNS - Domain Name Server.

dfxdeimos: Some of them are, but not all. I But they will be in the near future.

Today we have used a VB6-application to authenticate users with the AD, and map the necessary shared directories and printers. But that is not enough for our CRM-application... :-(

So the problem is still unsolved..



0
 
dfxdeimosCommented:
What is going to have to happen here (as far as I can see) is that you are going to have to set up a Terminal Server that exists inside of the domain at all times. Users will be able to establish their VPN connection and then RDP to the server, which will give them a desktop and the ability to authenticate within the domain.
0
 
tigerbamCommented:
Yes this is possible...have had similar scenario and it was working using Aventail SSL VPN box and juniper SA 's. Can you tell me which SSL VPN box you are using with its version number also mentioned.
0
 
toyman61Author Commented:
We are using ZyWall SSL 10 as SSL VPN-box with firmware-version 1.00(AQH.6).
How did you solve this challenge ?
0
 
tigerbamCommented:
Its quite simple...its more to do with the functionality of the box. In case of Juniper for the particular role, we should configure the web bookmark for the particular URL that you want the end user to access.
When the user tries to access the link, the authentication will be prompted.

Going thru the Zywall doc ....will comeback to you later as to whether it will work or not.
0
 
toyman61Author Commented:
tigerbam: That might work - but our customers already have to authenticate themselves to the SSL VPN-solution, and if they have to authenticate once again to be able to use the application it will not be used (trust me, we have tried this before..).  ZyWall SSL does not gives me the ability to take the credentials from the first authentication session and use it seamlessly to authenticate into another system/application. At least not as far as I know.



0
 
toyman61Author Commented:
tigerbam: I use the term "customers". It shall be "employees" - of course..
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 5
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now