

How to authenticate Windows clients without Active Directory

Posted on 2011-05-02
Medium Priority
Last Modified: 2012-05-11
Short history for completeness:

I have an environment where I'm using Windows 2003 servers to create a Windows Active Directory domain that users authenticate to for access to servers/file server resources, etc. The domain is "unregistered", meaning it is not a publicly known domain (at least not mine).

I also use Windows IAS (RADIUS) to authenticate users who wish to access Remote Access VPN tunnels I create via a Cisco PIX firewall.

I am in the process of converting the environment to a publicly known domain (I've already registered the domain and have set up a DNS server). I am considering using open source alternatives to windows authentication/authorization and am considering using LDAP/FreeRADIUS.

I wanted to get feedback from the experts as to whether it's worth the switch and if so, what components I need to use.

I need windows machines to authenticate to a common source (e.g. SSO; Single Sign-On), controlled access to fileshares via Samba and NAS file servers (e.g. Snapserver and NetApp) and Remote Access VPN authentication.

So far it appears I need LDAP and FreeRADIUS but I'm still at the early stages of investigation.

Any detailed guidance would be greatly appreciated.


John
Question by:tcengineer

Assisted Solution

devinnoel earned 150 total points
ID: 35507703
Why are you changing the namespace of the Active Directory domain? Best practice is to use a DNS namespace that does not exist on the Internet, only internally (external domain is example.com, internally all your systems use internal.example.com and internal.example.com isn't externally published). Stay with your unregistered domain, it's more secure that way. What would using external DNS space accomplish anyway? You shouldn't be connecting into normal workstations by domain name & for a server you can have a real world DNS name resolve to a system & a different internal DNS name for it.

Samba can emulate a domain controller. However I would highly recommend against using something other than Windows for a domain controller in any kind of production environment. It's not well supported, a bit buggy at times & missing features like GPOs.

I'm actually going the other way, getting rid of a Solaris LDAP server for our Solaris/Linux boxes & just authenticating Windows & *nix with Active Directory, much simpler.

Author Comment

ID: 35508120
A situation came up that required consistent name resolution/access to a server both internally and externally.

The requirements for our "production" environment are far less stringent than normal (e.g. GPO isn't needed). Also we will be providing more externally accessible services so decided to set up our own DNS server using views to support multiple network segments.

John

Expert Comment

ID: 35509743
If you do share the namespace, be very careful. You can leak some sensitive AD info through DNS, and as such should never have your AD DNS info accessible from the Internet.

You can use external DNS namespace internally to get the consistent namespace access.


Expert Comment

ID: 35512399
I have a similar situation to your requirement. We have the same domain name internally and externally.
Both are maintained separately, I mean, external DNS is placed on publicly available systems and contains certain host names with appropriate public IP addresses and internal DNS is AD-integrated.

As the platform to interact we used Microsoft Forefront UAG, through which we are publishing content located on Sharepoint. That gives us the ability to use the same URL for external and internal people; however, the consequence of that is 2 places to maintain DNS (which is not that difficult after all).

Also, one important point speaking for hosting public DNS outside and not replicating the whole content of the internal DNS is security. We have only the required hostnames registered, nothing more nothing less, which prevents any data leak about internal infrastructure, IP schematics, etc.

I would still leave computers connected to AD as this is much simpler from administration perspective to have those in domain.

You should also consider to use some kind of presentation layer like Forefront UAG or similar, if possible (of course if possible - I don't know what exactly you need to publish).

Author Comment

ID: 35513228
I'm currently using a linux box to host the DNS server and use "views" to separate which hosts are served to which networks (e.g. all hosts are served to the LAN with LAN IP addresses and only those machines that I want accessible from the Internet are served to the WAN with public IP addresses).

I do like the idea of using 2 DNS servers, 1 for external and one for internal, and understand the need to manage names on 2 servers, but the external DNS server would be touched far less than the internal one.

I use a Cisco PIX firewall as my VPN endpoint so Forefront isn't needed.

The other interest I'd like feedback on is the A/D replacement/alternative. What are the pros and cons of moving away from A/D, what pieces would I need to replace it with (e.g. LDAP, RADIUS, etc.) considering the original requirements above?

Thanks for the feedback,

John

Accepted Solution

qf3l3k earned 225 total points
ID: 35517343
As a replacement for AD I would say the simplest way will be to go for Samba with OpenLDAP.
That will provide an AD-like environment as well as flexibility to add more services around that,
for example easy FreeRADIUS integration, as you have OpenLDAP as the central database.

In that situation:
 - Computers joined to Samba/OpenLDAP "domain"
 - Samba provides communication with Windows computers and allows users to logon to network
 - OpenLDAP provides directory service and database to consolidate, store and manage all objects (users, computers, etc...)
 - FreeRADIUS provides RADIUS service for VPN access. It is integrated with OpenLDAP, as Samba is, so it allows the same username and password as for network access

Having OpenLDAP you have also easy integration with potential database platform (PostgreSQL or MySQL) and web platform (Apache2).

So, I guess we have SSO achieved as we will operate on same directory database.

Author Closing Comment

ID: 35724460
Thanks for the feedback folks. You brought up some good points that need consideration.

Having 2 separate DNS servers is a point I had not considered but think is a good idea.

Whether it's MS A/D or Samba/OpenLDAP/FreeRADIUS, I'll need to create that separate server and move servers/systems into that new infrastructure.

Thanks for the help!

John
