Solved

Single sign-on to remotely hosted web site

Posted on 2011-03-11
3
814 Views
Last Modified: 2012-05-11
We are planning to move our main web service to a remotely hosted site whichwill use drupal.  We want to enable users in our local Active Directory domain to have single sign-on to the site i.e. no further login required to access secure resources, their profiles etc.

Our main office AD servers are in the backend, behind 2 levels of Windows Forefront TMG servers and using an LDAP enquiry for SSO authentication through this seems both daunting and to fly in the face of good security.

I've been told we could place a read-only copy of the LDAP directory in a more accessible place ( e.g. our DMZ) but feel this is still vulnerable.

Could anyone comment if this is an acceptable solution and if so, how we would implement it?
Or if not a good plan, how else we might achieve our aim?

Many thanks in advance
0
Comment
Question by:OwenParry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 5

Accepted Solution

by:
tiago_aviz earned 500 total points
ID: 35107861
Thought on some solutions:

1- You could implement an RODC on your DMZ and make your Drupal site query there, as advised. It seems to me a great possibility, since the RODC won't be able to make modifications to AD by itself.

2- Create an account with limited LDAP Query possibilities, and make the Drupal site query your AD using only this account. No need for RODC here.

3- Security could be hardened establishing an IPSec VPN against the outer TMG. On the TMG, limit protocols that the Drupal Server can see on your DMZ.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35115557
Use of the RODC is one way.
Another would be to have a VPN between your site and the hosting organisation so that internal users would ostensibly just be accessing remote content similar to a branch office. If external users need access to the web service then they can come in through standard ports.
0
 

Author Closing Comment

by:OwenParry
ID: 35229658
Sorry for the delay in closing this.  I'm marking this as partially solved because although it is a good solution, my team are not convinced it's workable for us.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question