Solved

Single sign-on to remotely hosted web site

Posted on 2011-03-11
808 Views
Last Modified: 2012-05-11
We are planning to move our main web service to a remotely hosted site which will use Drupal. We want to enable users in our local Active Directory domain to have single sign-on to the site, i.e. no further login required to access secure resources, their profiles etc.

Our main office AD servers are in the backend, behind 2 levels of Windows Forefront TMG servers and using an LDAP enquiry for SSO authentication through this seems both daunting and to fly in the face of good security.

I've been told we could place a read-only copy of the LDAP directory in a more accessible place (e.g. our DMZ) but feel this is still vulnerable.

Could anyone comment if this is an acceptable solution and if so, how we would implement it?
Or if not a good plan, how else we might achieve our aim?

Many thanks in advance
Question by:OwenParry
3 Comments
 
LVL 5

Accepted Solution

by:
tiago_aviz earned 500 total points
ID: 35107861
Thoughts on some solutions:

1- You could implement an RODC on your DMZ and make your Drupal site query there, as advised. It seems to me a great possibility, since the RODC won't be able to make modifications to AD by itself.

2- Create an account with limited LDAP Query possibilities, and make the Drupal site query your AD using only this account. No need for RODC here.

3- Security could be hardened establishing an IPSec VPN against the outer TMG. On the TMG, limit protocols that the Drupal Server can see on your DMZ.
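The following is an added example, not code from the thread or from tiago_aviz, showing how options 1 and 2 above can be provisioned with the ActiveDirectory PowerShell module and then exercised over LDAPS the way the hosted site would. Every name in it is an assumption: the domain corp.example, the RODC DMZ-RODC01, the group Web-SSO-Users, the OU "Service Accounts", the bind account svc-drupal-ldap and the test user jdoe.

```powershell
# Added example (not from the original thread). Assumed placeholders:
# domain corp.example, RODC DMZ-RODC01, group Web-SSO-Users, an existing
# OU "Service Accounts", bind account svc-drupal-ldap, test user jdoe.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$svcOu    = "OU=Service Accounts,$domainDn"   # assumed to exist already
$svcName  = "svc-drupal-ldap"
$rodc     = "DMZ-RODC01"
$webGroup = "Web-SSO-Users"

# --- Option 2: a dedicated, read-only bind account for the Drupal site ---
# A plain domain user already has read access to the directory. The point is
# to give the hosted site an identity with nothing beyond that, so a leaked
# password cannot be turned into directory writes or privileged membership.
$svcPassword = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
    -AccountPassword $svcPassword -Enabled $true -CannotChangePassword $true `
    -Description "LDAP bind account for hosted Drupal SSO (read-only)"

# Sanity check: the account should belong to nothing but Domain Users.
Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object -ExpandProperty Name

# --- Option 1: limit what the DMZ RODC may cache ---
# An RODC only reveals secrets for accounts on its allowed list. Keep that to
# the web users, and explicitly deny the bind account so a compromised RODC
# cannot hand out the credential the hosted site itself uses.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $webGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $svcName

# Review which accounts the RODC has actually cached so far.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName

# --- Exercise the path the hosted site will use ---
# LDAPS bind as the service account against the DMZ RODC, then a scoped search
# that returns only the attributes a web profile needs, restricted to members
# of the web group (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$server = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new("$rodc.corp.example", 636)
$conn   = [System.DirectoryServices.Protocols.LdapConnection]::new($server)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = [System.Net.NetworkCredential]::new("$svcName@corp.example", $svcPassword)
$conn.Bind()                                  # throws if the RODC rejects the bind

$groupDn = (Get-ADGroup -Identity $webGroup).DistinguishedName
$sam     = "jdoe"                             # constructed test user
$filter  = "(&(objectClass=user)(sAMAccountName=$sam)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
$request = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $domainDn, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@("sAMAccountName", "mail", "displayName"))
$response = $conn.SendRequest($request)

# Zero entries means the user is either unknown or not in the web group;
# either way the site should refuse, which is the behaviour you want.
foreach ($entry in $response.Entries) {
    "{0} <{1}>" -f $entry.Attributes["displayName"][0], $entry.Attributes["mail"][0]
}
```

The provisioning half runs on a writable domain controller with rights to create users and edit the RODC's password replication policy; the LDAPS half is what you would run from the DMZ (or the hosting side over the VPN) to confirm the bind account can see exactly the users it should and nothing it should not.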
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35115557
Use of the RODC is one way.
Another would be to have a VPN between your site and the hosting organisation so that internal users would ostensibly just be accessing remote content similar to a branch office. If external users need access to the web service then they can come in through standard ports.
 

Author Closing Comment

by:OwenParry
ID: 35229658
Sorry for the delay in closing this. I'm marking this as partially solved because although it is a good solution, my team are not convinced it's workable for us.
