We are planning to move our main web service to a remotely hosted site whichwill use drupal. We want to enable users in our local Active Directory domain to have single sign-on to the site i.e. no further login required to access secure resources, their profiles etc.
Our main office AD servers are in the backend, behind 2 levels of Windows Forefront TMG servers and using an LDAP enquiry for SSO authentication through this seems both daunting and to fly in the face of good security.
I've been told we could place a read-only copy of the LDAP directory in a more accessible place ( e.g. our DMZ) but feel this is still vulnerable.
Could anyone comment if this is an acceptable solution and if so, how we would implement it?
Or if not a good plan, how else we might achieve our aim?
Many thanks in advance