• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 619
  • Last Modified:

LDAPS config with alternate domain

Hello,
we have a Windows AD domain, let's call it domain.com.
We now have a requirement to allow a 3rd party web app to access LDAPS, so our users can authenticate against AD from this 3rd party app.

To do this, we need to install a certificate on our DC for LDAPS.
The 3rd party requires a certificate from a trusted root CA (i.e. VeriSign)

PROBLEM: Our internal domain, "domain.com" exists in the real world and does not belong to us, so we cannot get a cert for it.

How can I make LDAPS available on my domain controller using MYdomain.com externally, but access domain.com internally?

Info :

- we have exchange 2010 so no (easy) domain rename possible
- Self-signed cert is not accepted
- DC is Windows 2003


Thanks,
SG
0
TNetworks
Asked:
TNetworks
  • 3
  • 2
1 Solution
 
khairilCommented:
Hi,

You should explore AD Federation Service for this. It is what AD FS build for, here is info what AD FS is, http://msdn.microsoft.com/en-us/library/windows/desktop/ms674895(v=vs.85).aspx

And how to set it up, http://technet.microsoft.com/en-us/library/cc731443(WS.10).aspx

Those articles are for Windows 2008 DC, AD FS 1.0 exist in Windows 2003 R2.

If you are using AD FS then you just need to create valid cert for AD FS web front end only.

IF IN CASE you are not using DC that at least Windows 2003 R2, then you have choice:

1.  To upgrade it to Windows 2008 R2 - with proper migration plan of course.
Or
2. Using Indentity Lifecycle Management (currently know as Forefront Life Cycle), it manages and consolidate login.
Or
3. Have a look on OAuth architecture. OAuth is design to allow 3rd party to use your credetial to access resources. Your credential can be anything, including AD.
Or
4. You need to programme it yourself. Using token passing and web service - it actually depend on how you programme it.

0
 
TNetworksAuthor Commented:

The external service will be accessing LDAPS directly, that is, there will be a firewall rule allowing inbound access to port 636 on the DC.

ADFS looks like it's a single sign on architecture that validates tokens across a homogeneous security landscape.  Not sure if that's what is necessary here, but I will read more.

0
 
khairilCommented:
Frankly, I not really suggest you to open your ldap server to the outsider, it's really dangerous as other people can access  it as well and do the brute force to gain user creadetial.

If you really need them to authenticate your user then the best way to do is to ask them to setup their own AD infrastucture then do Forest Level trust relation between your forest and domains. So that they can call their own server to validate your user. It is what we do when integrating our AD between 2 organizations.
0
 
TNetworksAuthor Commented:
The LDAPS connection will only be allowed from networks we configure (at the firewall level) so please don't concern yourself with that.  Having the 3rd party make any infrastructure or topology changes is not possible.
0
 
khairilCommented:
emm.. then do the changes on your side. Create another forest with proper naming, make your other forest to trust each other. For authentication from third party just publish the new forest.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now