Solved

LDAPS config with alternate domain

Posted on 2011-09-21
598 Views
Last Modified: 2012-05-12
Hello,
we have a Windows AD domain, let's call it domain.com.
We now have a requirement to allow a 3rd party web app to access LDAPS, so our users can authenticate against AD from this 3rd party app.

To do this, we need to install a certificate on our DC for LDAPS.
The 3rd party requires a certificate from a trusted root CA (i.e. VeriSign)

PROBLEM: Our internal domain, "domain.com" exists in the real world and does not belong to us, so we cannot get a cert for it.

How can I make LDAPS available on my domain controller using MYdomain.com externally, but access domain.com internally?

Info :

- we have Exchange 2010, so no (easy) domain rename is possible
- a self-signed cert is not accepted
- the DC is Windows 2003


Thanks,
SG
Question by: TNetworks
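The question turns on which names the LDAPS certificate must carry: a TLS client only accepts the DC's certificate if the name it connects to appears in the certificate's subjectAltName (or, for legacy clients, the CN), and a public CA will only put names you own (mydomain.com) in it, never dc1.domain.com. The script below, an added example and not code from the original post, pulls the certificate a DC presents on port 636, validates its chain against the local trust store (the 3rd party's "trusted root CA" requirement, expressed as a check) and reports which connection names it covers. The host names dc1.domain.com and ldaps.mydomain.com are placeholders, and SAMPLE_CERT is a constructed dict in the shape `ssl.getpeercert()` returns, so the name-matching part runs offline.

```python
"""Check which host names an LDAPS certificate actually covers.

Added example for this thread, not code from the original post. Host
names (dc1.domain.com, ldaps.mydomain.com) are placeholders, and
SAMPLE_CERT is a constructed dict in the shape ssl.getpeercert() returns.
"""
import socket
import ssl
from typing import Dict, Iterable, List


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries from subjectAltName; fall back to the subject CN only
    when the cert has no SAN at all (legacy behaviour, not to be relied on)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a wildcard is allowed
    only as the entire left-most label and never spans a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # "*.mydomain.com" -> ".mydomain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(cert: dict, hostnames: Iterable[str]) -> Dict[str, bool]:
    """For each name a client might connect with, report whether the cert
    carries a matching SAN entry."""
    names = san_dns_names(cert)
    return {host: any(name_matches(n, host) for n in names) for host in hostnames}


def fetch_ldaps_cert(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect to host:636, validate the chain against the local trust store
    and return the parsed leaf certificate. Hostname checking is switched
    off because the names are inspected separately by cert_covers(); chain
    validation stays on, so a self-signed or internal-CA certificate raises
    ssl.SSLCertVerificationError, which is what the 3rd party's "trusted
    root CA" requirement amounts to. Needs network access to the DC."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample of what a public CA could realistically issue: names
# under mydomain.com (which you own), but never dc1.domain.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldaps.mydomain.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "ldaps.mydomain.com"), ("DNS", "*.mydomain.com")),
}


def sample_report() -> Dict[str, bool]:
    """Which connection names SAMPLE_CERT satisfies: the external name the
    3rd party uses passes, the internal AD name does not."""
    return cert_covers(SAMPLE_CERT, ["ldaps.mydomain.com", "dc1.domain.com"])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python ldaps_cert.py ldaps.mydomain.com dc1.domain.com
        cert = fetch_ldaps_cert(sys.argv[1])
        print(cert_covers(cert, sys.argv[1:]))
    else:
        print(sample_report())
```

Run it against the DC with every name clients will use, external and internal; any name that comes back False is one the certificate will not be accepted for, and the chain check failing is the self-signed case the poster already knows the 3rd party rejects.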
5 Comments

Expert Comment

by:khairil
ID: 36572623
Hi,

You should explore AD Federation Services for this. It is what AD FS is built for; here is some info on what AD FS is: http://msdn.microsoft.com/en-us/library/windows/desktop/ms674895(v=vs.85).aspx

And how to set it up: http://technet.microsoft.com/en-us/library/cc731443(WS.10).aspx

Those articles are for a Windows 2008 DC; AD FS 1.0 exists in Windows 2003 R2.

If you are using AD FS then you just need to create a valid cert for the AD FS web front end only.

If you are not using a DC that is at least Windows 2003 R2, then you have these choices:

1. Upgrade it to Windows 2008 R2, with a proper migration plan of course.
Or
2. Use Identity Lifecycle Management (currently known as Forefront Life Cycle); it manages and consolidates logins.
Or
3. Have a look at the OAuth architecture. OAuth is designed to allow a 3rd party to use your credentials to access resources. Your credentials can be anything, including AD.
Or
4. Program it yourself, using token passing and a web service; it actually depends on how you program it.


Author Comment

by:TNetworks
ID: 36573297

The external service will be accessing LDAPS directly, that is, there will be a firewall rule allowing inbound access to port 636 on the DC.

ADFS looks like it's a single sign-on architecture that validates tokens across a homogeneous security landscape. Not sure if that's what is necessary here, but I will read more.


Expert Comment

by:khairil
ID: 36577908
Frankly, I would not really suggest opening your LDAP server to outsiders; it's really dangerous, as other people can access it as well and brute-force it to gain user credentials.

If you really need them to authenticate your users, then the best way is to ask them to set up their own AD infrastructure and then create a forest-level trust relationship between your forests and domains, so that they can call their own server to validate your users. It is what we do when integrating AD between 2 organizations.
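The brute-force risk khairil raises for an exposed port 636 is worth being able to see in the logs even with a firewall allow-list in place, since the allowed partner network is outside your control. The detector below is an added example, not code from the thread: it runs over LDAP bind failures and flags both a single account being hammered from one source and a password spray (many accounts, one attempt each) from one source, using a sliding time window so old failures age out. The log format (ISO timestamp, source IP, "bind", user=, result=) and the sample lines are constructed for the example; map the fields of your own DC security log or firewall log onto `parse_line()`.

```python
"""Spot brute-force and password-spray patterns in LDAP bind failures.

Added example, not from the thread. The log format is constructed for
this example (ISO timestamp, source IP, "bind", user=, result=); map the
fields of your own DC security log or firewall log onto parse_line().
Lines are assumed to arrive in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample: 198.51.100.7 hammers one account, 203.0.113.5 tries
# many accounts once each (a spray), 192.0.2.10 is a legitimate client that
# mistypes twice and then succeeds, and one stale failure sits outside the window.
SAMPLE_LOG = """\
2011-09-21T09:40:00Z 203.0.113.5 bind user=svc_backup result=invalidCredentials
2011-09-21T10:00:01Z 198.51.100.7 bind user=administrator result=invalidCredentials
2011-09-21T10:00:02Z 198.51.100.7 bind user=administrator result=invalidCredentials
2011-09-21T10:00:03Z 198.51.100.7 bind user=administrator result=invalidCredentials
2011-09-21T10:00:04Z 198.51.100.7 bind user=administrator result=invalidCredentials
2011-09-21T10:00:05Z 198.51.100.7 bind user=administrator result=invalidCredentials
2011-09-21T10:00:06Z 198.51.100.7 bind user=administrator result=invalidCredentials
2011-09-21T10:01:00Z 203.0.113.5 bind user=jsmith result=invalidCredentials
2011-09-21T10:01:01Z 203.0.113.5 bind user=mjones result=invalidCredentials
2011-09-21T10:01:02Z 203.0.113.5 bind user=akhan result=invalidCredentials
2011-09-21T10:01:03Z 203.0.113.5 bind user=lwong result=invalidCredentials
2011-09-21T10:01:04Z 203.0.113.5 bind user=pgarcia result=invalidCredentials
2011-09-21T10:01:05Z 203.0.113.5 bind user=rmueller result=invalidCredentials
2011-09-21T10:01:06Z 203.0.113.5 bind user=tnguyen result=invalidCredentials
2011-09-21T10:01:07Z 203.0.113.5 bind user=dokafor result=invalidCredentials
2011-09-21T10:01:08Z 203.0.113.5 bind user=ekowalski result=invalidCredentials
2011-09-21T10:01:09Z 203.0.113.5 bind user=sg result=invalidCredentials
2011-09-21T10:02:00Z 192.0.2.10 bind user=bob result=invalidCredentials
2011-09-21T10:02:05Z 192.0.2.10 bind user=bob result=invalidCredentials
2011-09-21T10:02:10Z 192.0.2.10 bind user=bob result=success
"""


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    """Split one constructed-format line into (timestamp, source, user, success)."""
    ts, source, _op, user_kv, result_kv = line.split()
    user = user_kv.split("=", 1)[1]
    result = result_kv.split("=", 1)[1]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, user, result == "success"


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
           per_account: int = 5, spray_accounts: int = 8) -> List[Dict[str, object]]:
    """Return one alert per (source, account) hammered past per_account
    failures and one per source that fails against spray_accounts or more
    distinct accounts, counting only failures inside the sliding window."""
    recent: Dict[str, deque] = defaultdict(deque)   # source -> (ts, user) failures in window
    alerts: List[Dict[str, object]] = []
    raised = set()                                   # alert keys already emitted
    for line in lines:
        if not line.strip():
            continue
        ts, source, user, ok = parse_line(line)
        if ok:
            continue                                 # only failures feed the counters
        q = recent[source]
        q.append((ts, user))
        while q and ts - q[0][0] > window:           # age out failures older than the window
            q.popleft()
        failures = sum(1 for _, u in q if u == user)
        if failures >= per_account and ("brute_force", source, user) not in raised:
            raised.add(("brute_force", source, user))
            alerts.append({"kind": "brute_force", "source": source, "account": user,
                           "failures": failures, "at": ts})
        accounts = len({u for _, u in q})
        if accounts >= spray_accounts and ("password_spray", source) not in raised:
            raised.add(("password_spray", source))
            alerts.append({"kind": "password_spray", "source": source,
                           "accounts": accounts, "at": ts})
    return alerts


def sample_alerts() -> List[Dict[str, object]]:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The thresholds are deliberately low so the sample trips them; tune `per_account` to sit below the domain's lockout threshold (so you see the attack before accounts start locking) and `spray_accounts` to something a single legitimate application would never reach.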

Author Comment

by:TNetworks
ID: 36578822
The LDAPS connection will only be allowed from networks we configure (at the firewall level) so please don't concern yourself with that.  Having the 3rd party make any infrastructure or topology changes is not possible.

Accepted Solution

by: khairil (earned 500 total points)
ID: 36578855
Hmm, then make the changes on your side. Create another forest with proper naming and make your forests trust each other. For authentication from the third party, just publish the new forest.