Single sign-on to remotely hosted web site

We are planning to move our main web service to a remotely hosted site whichwill use drupal.  We want to enable users in our local Active Directory domain to have single sign-on to the site i.e. no further login required to access secure resources, their profiles etc.

Our main office AD servers are in the backend, behind 2 levels of Windows Forefront TMG servers and using an LDAP enquiry for SSO authentication through this seems both daunting and to fly in the face of good security.

I've been told we could place a read-only copy of the LDAP directory in a more accessible place ( e.g. our DMZ) but feel this is still vulnerable.

Could anyone comment if this is an acceptable solution and if so, how we would implement it?
Or if not a good plan, how else we might achieve our aim?

Many thanks in advance
OwenParryAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tiago_avizCommented:
Thought on some solutions:

1- You could implement an RODC on your DMZ and make your Drupal site query there, as advised. It seems to me a great possibility, since the RODC won't be able to make modifications to AD by itself.

2- Create an account with limited LDAP Query possibilities, and make the Drupal site query your AD using only this account. No need for RODC here.

3- Security could be hardened establishing an IPSec VPN against the outer TMG. On the TMG, limit protocols that the Drupal Server can see on your DMZ.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keith AlabasterEnterprise ArchitectCommented:
Use of the RODC is one way.
Another would be to have a VPN between your site and the hosting organisation so that internal users would ostensibly just be accessing remote content similar to a branch office. If external users need access to the web service then they can come in through standard ports.
0
OwenParryAuthor Commented:
Sorry for the delay in closing this.  I'm marking this as partially solved because although it is a good solution, my team are not convinced it's workable for us.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.