Solved

LDAPS config with alternate domain

Posted on 2011-09-21
Medium Priority
616 Views
Last Modified: 2012-05-12
Hello,
We have a Windows AD domain, let's call it domain.com.
We now have a requirement to allow a 3rd-party web app to access LDAPS, so our users can authenticate against AD from this 3rd-party app.

To do this, we need to install a certificate on our DC for LDAPS.
The 3rd party requires a certificate from a trusted root CA (e.g. VeriSign).

PROBLEM: Our internal domain, "domain.com", exists in the real world and does not belong to us, so we cannot get a cert for it.

How can I make LDAPS available on my domain controller using MYdomain.com externally, but access domain.com internally?

Info:

- we have Exchange 2010, so no (easy) domain rename is possible
- a self-signed cert is not accepted
- the DC is Windows 2003


Thanks,
SG
Question by:TNetworks
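The requirement in the question is that a strict third-party client, connecting to the DC on port 636 under the external name, accepts the certificate: it must chain to a root the client trusts and its name must match the name the client dialed. The following is an added example, not code from the thread, that shows both halves of that check: `fetch_ldaps_cert` makes a real LDAPS connection with chain and hostname verification (it raises if either fails, which is what the third party would see), and `cert_valid_for_host` applies the name-matching rule to the certificate dict Python returns, so you can see why a certificate issued for the internal name alone is rejected for the external one. The hostnames `dc1.domain.com` and `ldap.mydomain.com` and the two certificate dicts are constructed placeholders.

```python
"""Check whether the certificate an LDAPS endpoint presents is valid for the
name a client will connect to.  Added example; hostnames are placeholders."""
import socket
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, exact, or a single wildcard
    in the leftmost label that covers exactly one label (never "*.com")."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_valid_for_host(cert: dict, hostname: str) -> bool:
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert().
    If the certificate carries subjectAltName DNS entries they are authoritative;
    the subject commonName is consulted only when no SAN DNS name is present."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def missing_names(cert: dict, hostnames) -> list:
    """Return the names clients will dial that the certificate does not cover."""
    return [h for h in hostnames if not cert_valid_for_host(cert, h)]


def fetch_ldaps_cert(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect to host:port with full chain and hostname verification and return
    the leaf certificate.  Raises ssl.SSLCertVerificationError when the chain does
    not end in a trusted root or the name does not match, i.e. exactly the cases
    a strict third-party client rejects."""
    ctx = ssl.create_default_context()  # system trust store, check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certificates).
# A DC certificate issued only for the internal AD name:
INTERNAL_ONLY_CERT = {
    "subject": ((("commonName", "dc1.domain.com"),),),
    "subjectAltName": (("DNS", "dc1.domain.com"), ("DNS", "domain.com")),
}
# A certificate whose SAN also lists the external name clients will dial:
DUAL_NAME_CERT = {
    "subject": ((("commonName", "dc1.domain.com"),),),
    "subjectAltName": (("DNS", "dc1.domain.com"), ("DNS", "ldap.mydomain.com")),
}

if __name__ == "__main__":
    external = "ldap.mydomain.com"
    print("internal-only cert covers external name:",
          cert_valid_for_host(INTERNAL_ONLY_CERT, external))
    print("dual-name cert covers external name:",
          cert_valid_for_host(DUAL_NAME_CERT, external))
    print("names not covered by the internal-only cert:",
          missing_names(INTERNAL_ONLY_CERT, ["dc1.domain.com", external]))
```

Run against a real DC with `fetch_ldaps_cert("ldap.mydomain.com")` from the network the third party will use; a `ssl.SSLCertVerificationError` there tells you before the integration does whether the chain or the name is the problem.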
5 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36572623
Hi,

You should explore AD Federation Services for this. That is what AD FS is built for; here is information on what AD FS is: http://msdn.microsoft.com/en-us/library/windows/desktop/ms674895(v=vs.85).aspx

And how to set it up: http://technet.microsoft.com/en-us/library/cc731443(WS.10).aspx

Those articles are for a Windows 2008 DC; AD FS 1.0 exists in Windows 2003 R2.

If you are using AD FS then you just need to create a valid cert for the AD FS web front end only.

In case you are not using a DC that is at least Windows 2003 R2, then you have a choice:

1. Upgrade it to Windows 2008 R2 - with a proper migration plan, of course.
Or
2. Use Identity Lifecycle Management (currently known as Forefront Life Cycle); it manages and consolidates logins.
Or
3. Have a look at the OAuth architecture. OAuth is designed to allow a 3rd party to use your credentials to access resources. Your credentials can be anything, including AD.
Or
4. Programme it yourself, using token passing and a web service - it actually depends on how you programme it.

 

Author Comment

by:TNetworks
ID: 36573297

The external service will be accessing LDAPS directly; that is, there will be a firewall rule allowing inbound access to port 636 on the DC.

ADFS looks like it's a single sign-on architecture that validates tokens across a homogeneous security landscape. Not sure if that's what is necessary here, but I will read more.

 
LVL 13

Expert Comment

by:khairil
ID: 36577908
Frankly, I do not really suggest you open your LDAP server to outsiders; it's really dangerous, as other people can access it as well and brute-force it to gain user credentials.

If you really need them to authenticate your users, then the best way to do it is to ask them to set up their own AD infrastructure, then create a forest-level trust relationship between your forests and domains, so that they can call their own server to validate your users. That is what we do when integrating our AD between 2 organizations.
 

Author Comment

by:TNetworks
ID: 36578822
The LDAPS connection will only be allowed from networks we configure (at the firewall level), so please don't concern yourself with that. Having the 3rd party make any infrastructure or topology changes is not possible.
 
LVL 13

Accepted Solution

by:
khairil earned 2000 total points
ID: 36578855
Emm.. then make the changes on your side. Create another forest with proper naming, and make your forests trust each other. For authentication from the third party, just publish the new forest.
