Solved

Single sign-on to remotely hosted web site

Posted on 2011-03-11
Last Modified: 2012-05-11
We are planning to move our main web service to a remotely hosted site which will use Drupal.  We want to enable users in our local Active Directory domain to have single sign-on to the site, i.e. no further login required to access secure resources, their profiles etc.

Our main office AD servers are in the backend, behind 2 levels of Windows Forefront TMG servers and using an LDAP enquiry for SSO authentication through this seems both daunting and to fly in the face of good security.

I've been told we could place a read-only copy of the LDAP directory in a more accessible place (e.g. our DMZ) but feel this is still vulnerable.

Could anyone comment if this is an acceptable solution and if so, how we would implement it?
Or if not a good plan, how else we might achieve our aim?

Many thanks in advance
Question by:OwenParry
3 Comments
 
LVL 5

Accepted Solution

by: tiago_aviz (earned 2000 total points)
ID: 35107861
Thoughts on some solutions:

1- You could implement an RODC on your DMZ and make your Drupal site query there, as advised. It seems to me a great possibility, since the RODC won't be able to make modifications to AD by itself.

2- Create an account with limited LDAP Query possibilities, and make the Drupal site query your AD using only this account. No need for RODC here.

3- Security could be hardened by establishing an IPsec VPN against the outer TMG. On the TMG, limit the protocols that the Drupal server can see on your DMZ.
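Option 2 (a least-privilege service account doing the directory lookups) as it could look from the Drupal side, using PHP's standard ldap extension. This is an added example, not code from the thread or from the Drupal LDAP module; the DMZ host name, the DNs, the service account and the environment variable are assumptions.

```php
<?php
// Added example, not code from the thread or from the Drupal LDAP module:
// the Drupal host looks a user up in AD through a read-only service account
// over LDAPS. Host name, DNs and the account are assumptions.
function lookupAdUser(string $login): ?array
{
    $uri    = 'ldaps://rodc.dmz.example.com';                 // assumed RODC in the DMZ
    $baseDn = 'OU=Users,DC=corp,DC=example,DC=com';           // assumed search base
    $svcDn  = 'CN=svc-drupal-ldap,OU=Service,DC=corp,DC=example,DC=com';
    $svcPw  = getenv('DRUPAL_LDAP_PASSWORD') ?: '';           // secret lives outside the code

    // An empty password would turn the bind into an anonymous bind, so refuse it.
    // Accept only the character set AD allows in sAMAccountName before the
    // value gets anywhere near a search filter.
    if ($svcPw === '' || !preg_match('/^[A-Za-z0-9._-]{1,20}$/', $login)) {
        return null;
    }

    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);            // never follow referrals out of the DMZ

    // The service account can read but not write, so a compromised web host
    // gains no more than read access to the directory.
    if (!@ldap_bind($conn, $svcDn, $svcPw)) {
        ldap_unbind($conn);
        return null;
    }

    // Escape as well as validate (defence in depth against filter injection)
    // and request only the attributes the profile needs.
    $filter  = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, $baseDn, $filter, ['mail', 'displayName', 'memberOf']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);
    if ($entries === false || $entries['count'] !== 1) {
        return null;                                          // unknown or ambiguous login
    }

    $e      = $entries[0];                                    // attribute keys come back lower-cased
    $groups = [];
    for ($i = 0; $i < ($e['memberof']['count'] ?? 0); $i++) {
        $groups[] = $e['memberof'][$i];
    }
    return ['dn' => $e['dn'], 'mail' => $e['mail'][0] ?? null,
            'name' => $e['displayname'][0] ?? null, 'groups' => $groups];  // map groups to Drupal roles
}
```

The web host must trust the certificate presented by the DMZ directory server for the `ldaps://` connection, and the service account should be granted read access only to the OU it needs.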
Expert Comment

by: Keith Alabaster
ID: 35115557
Use of the RODC is one way.
Another would be to have a VPN between your site and the hosting organisation so that internal users would ostensibly just be accessing remote content similar to a branch office. If external users need access to the web service then they can come in through standard ports.
Author Closing Comment

by: OwenParry
ID: 35229658
Sorry for the delay in closing this.  I'm marking this as partially solved because although it is a good solution, my team are not convinced it's workable for us.