TNetworks asked:
LDAPS config with alternate domain
Hello,
we have a Windows AD domain, let's call it domain.com.
We now have a requirement to allow a 3rd party web app to access LDAPS, so our users can authenticate against AD from this 3rd party app.
To do this, we need to install a certificate on our DC for LDAPS.
The 3rd party requires a certificate from a trusted root CA (i.e. VeriSign)
PROBLEM: Our internal domain, "domain.com" exists in the real world and does not belong to us, so we cannot get a cert for it.
How can I make LDAPS available on my domain controller using MYdomain.com externally, but access domain.com internally?
Info:
- we have Exchange 2010, so no (easy) domain rename is possible
- Self-signed cert is not accepted
- DC is Windows 2003
Thanks,
SG
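The core of the problem above is certificate name matching: a public CA can issue for names under MYdomain.com (owned) but not under domain.com (not owned), so a single LDAPS listener on TCP 636 will validate for the external name and fail for the internal one. The following is an added example, not code from the question or its answers; it implements the usual exact-or-single-wildcard SAN matching rule and includes an optional live TLS check. The SAN list and host names (ldaps.mydomain.com, dc1.domain.com and so on) are constructed for illustration.

```python
"""Which LDAPS connection names will a certificate's SAN entries satisfy?"""
import ssl
import socket

# Constructed SAN list: what a public CA could issue for the owned external name.
CONSTRUCTED_SAN = ["ldaps.mydomain.com", "*.mydomain.com"]


def san_matches(hostname: str, san_entry: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label and covers
    exactly one label (so '*.mydomain.com' matches dc1.mydomain.com but not
    a.b.mydomain.com, and '*.com' is rejected as too broad)."""
    hostname = hostname.lower().rstrip(".")
    san_entry = san_entry.lower().rstrip(".")
    if "*" not in san_entry:
        return hostname == san_entry
    labels = san_entry.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def names_that_validate(hostnames, san_entries=CONSTRUCTED_SAN):
    """Map each connection name to whether a verifying client would accept it."""
    return {h: any(san_matches(h, s) for s in san_entries) for h in hostnames}


def live_ldaps_check(host: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Optional live check against a real listener: True only when the chain
    is trusted by the local store AND the name in the certificate matches."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Constructed names: external (owned) vs internal (not owned by us).
    probe = ["ldaps.mydomain.com", "dc1.mydomain.com",
             "dc1.domain.com", "a.b.mydomain.com"]
    for name, ok in names_that_validate(probe).items():
        print(f"{name:22s} {'validates' if ok else 'name mismatch'}")
```

The internal name dc1.domain.com fails regardless of which CA signs the certificate, which is why the answers below steer toward a federation front end (AD FS) that only needs a certificate for the externally owned name.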
ASKER
The external service will be accessing LDAPS directly, that is, there will be a firewall rule allowing inbound access to port 636 on the DC.
ADFS looks like it's a single sign on architecture that validates tokens across a homogeneous security landscape. Not sure if that's what is necessary here, but I will read more.
Frankly, I would not really suggest you open your LDAP server to outsiders; it's really dangerous, as other people can access it as well and brute force it to gain user credentials.
If you really need them to authenticate your users, then the best way to do it is to ask them to set up their own AD infrastructure and then create a forest-level trust relationship between your forests and domains, so that they can call their own server to validate your users. It is what we do when integrating our AD between two organizations.
ASKER
The LDAPS connection will only be allowed from networks we configure (at the firewall level) so please don't concern yourself with that. Having the 3rd party make any infrastructure or topology changes is not possible.
ASKER CERTIFIED SOLUTION
You should explore AD Federation Services for this. It is what AD FS is built for; here is info on what AD FS is: http://msdn.microsoft.com/en-us/library/windows/desktop/ms674895(v=vs.85).aspx
And how to set it up: http://technet.microsoft.com/en-us/library/cc731443(WS.10).aspx
Those articles are for a Windows 2008 DC; AD FS 1.0 exists in Windows 2003 R2.
If you are using AD FS, then you just need to create a valid cert for the AD FS web front end only.
If you are not using a DC that is at least Windows 2003 R2, then you have these choices:
1. Upgrade it to Windows 2008 R2, with a proper migration plan of course.
2. Use Identity Lifecycle Management (currently known as Forefront Life Cycle); it manages and consolidates logins.
3. Have a look at the OAuth architecture. OAuth is designed to allow a 3rd party to use your credentials to access resources. Your credentials can be anything, including AD.
4. Program it yourself, using token passing and a web service; it actually depends on how you program it.