Solved

Single sign-on to remotely hosted web site

Posted on 2011-03-11
818 Views
Last Modified: 2012-05-11
We are planning to move our main web service to a remotely hosted site which will use Drupal. We want to enable users in our local Active Directory domain to have single sign-on to the site, i.e. no further login required to access secure resources, their profiles etc.

Our main office AD servers are in the backend, behind 2 levels of Windows Forefront TMG servers and using an LDAP enquiry for SSO authentication through this seems both daunting and to fly in the face of good security.

I've been told we could place a read-only copy of the LDAP directory in a more accessible place ( e.g. our DMZ) but feel this is still vulnerable.

Could anyone comment if this is an acceptable solution and if so, how we would implement it?
Or if not a good plan, how else we might achieve our aim?

Many thanks in advance
Question by: OwenParry
3 Comments
 
LVL 5

Accepted Solution

by:
tiago_aviz earned 2000 total points
ID: 35107861
Thoughts on some solutions:

1- You could implement an RODC on your DMZ and make your Drupal site query there, as advised. It seems to me a great possibility, since the RODC won't be able to make modifications to AD by itself.

2- Create an account with limited LDAP Query possibilities, and make the Drupal site query your AD using only this account. No need for RODC here.

3- Security could be hardened by establishing an IPSec VPN against the outer TMG. On the TMG, limit the protocols that the Drupal server can see on your DMZ.
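The account-side pieces of options 1 and 2 above, as an added PowerShell example that is not part of the original thread (every name in it, the domain example.local, the OU, the RODC DMZ-RODC01, the account svc-drupal-ldap and the group Drupal-SSO-Users, is an assumption): a bind account that holds no rights beyond what Authenticated Users already have, and a Password Replication Policy on the DMZ RODC so that only that account and the SSO user group can ever have their secrets cached there, while the default Denied list keeps administrative accounts off the box.

```powershell
# Added example, not from the original thread. All names below are assumed.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=local'
$svcName  = 'svc-drupal-ldap'                 # assumed LDAP bind account
$svcOU    = "OU=Service Accounts,$domainDN"   # assumed OU for service accounts
$rodc     = 'DMZ-RODC01'                      # assumed name of the DMZ RODC
$ssoGroup = 'Drupal-SSO-Users'                # assumed group of users who get SSO

# Option 2: a plain user account is all an LDAP search needs. Authenticated
# Users can already read the attributes Drupal looks up (sAMAccountName, mail,
# memberOf), so the account is given no group membership and no delegation.
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword (Read-Host -AsSecureString "Password for $svcName") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Read-only LDAP bind for Drupal SSO; no other rights'

# Option 1: scope what the DMZ RODC may cache. Only the bind account and the SSO
# users are added to the Allowed list; principals in the Denied list (Domain
# Admins, Enterprise Admins and the like are there by default) are never cached,
# so a compromised RODC yields no privileged password hashes.
Set-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList $svcName, $ssoGroup

# Checks: what the RODC is permitted to cache, and what it has cached so far.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc |
    Select-Object SamAccountName
```

Run this from a writable domain controller or an RSAT workstation with domain admin rights. Point Drupal at the RODC only, and only over LDAPS on port 636: the RODC is still a domain controller, and a simple bind in clear text on 389 hands the service account's password, and every user password Drupal relays at login, to anyone on the DMZ segment. A final check from the Drupal host is a bind as svc-drupal-ldap followed by an attempted write to any object; the search should succeed and the write should be refused, which is the read-only property the answer relies on.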

Expert Comment

by:Keith Alabaster
ID: 35115557
Use of the RODC is one way.
Another would be to have a VPN between your site and the hosting organisation so that internal users would ostensibly just be accessing remote content similar to a branch office. If external users need access to the web service then they can come in through standard ports.
Author Closing Comment

by:OwenParry
ID: 35229658
Sorry for the delay in closing this.  I'm marking this as partially solved because although it is a good solution, my team are not convinced it's workable for us.