Is it possible for IIS7.5 on DMZ network to have Active Directory/LDAP integration

Posted on 2011-10-04
Last Modified: 2013-12-24
Hi, I have just set up a new IIS server on my Windows 2008 R2 server.  My IIS7.5 server is on a publicly routable IP network.  Is it possible to in some way link it to our Active Directory (through LDAP maybe?) so that our internal users can be given access to FTP sites using their AD usernames and passwords?  I have created a couple of local users on the server and they can connect to the FTP sites no problem, but when I try to connect with an AD user I get the error "530 user cannot login" and "530 user cannot login, home directory inaccessible."
Question by:carbonbase

    Expert Comment


    The whole point of a DMZ is to keep it separated. You can open this up but I would not recommend it.

    If you really must, I would probably go for a one-way trust between the domain and the DMZ, but as I said before... really you're defeating the purpose of having it by opening it up.

    Author Comment

    Hi, I am hoping there is a way to integrate using Lightweight Directory Services (LDAP integration). I've had some success doing this with Cerberus FTP server, but I'm looking for a way to do this with IIS as there are no extra costs involved.

    Accepted Solution


    Assisted Solution

    I'd seriously not compromise your internal AD by opening it up to a DMZ system.

    If anything, create local accounts on the IIS box.  We've got many users in this scenario, without complaint.
    The one thing that we do in addition to this is record the IDs and passwords we've created for the users and store them in the event a user forgets a piece of the info... locked down of course.   No password policies assigned to the DMZ, stand-alone FTP server.

    Just remember: security almost always comes at some kind of cost.  Looking for ways around it really defeats the purpose (of a DMZ)... may as well have it on the inside, on the domain, and open it up to the world if you are going to open it up.
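    The following is an added example, not code posted by anyone in this thread, of the local-account approach the answer above recommends: provisioning a non-domain account on the DMZ IIS 7.5 host, giving it an isolated FTP home directory, and restricting the FTP site's authorization rules to that account. It assumes hypothetical values (site name "DmzFtp", site root C:\inetpub\ftproot, account name "ftp-jsmith"), that the site's FTP user isolation is already set to "User name directory" so a local user's home is <root>\LocalUser\<username> (a missing folder there is what produces "530 ... home directory inaccessible"), and that the script is run elevated on the IIS box with the WebAdministration module available. It prompts for the password instead of embedding it; Basic authentication should only be used with FTPS enabled on the site.

```powershell
# Added example (not from the thread): local FTP account on a stand-alone DMZ
# IIS 7.5 host, wired into an FTP site without any AD/LDAP trust.
# Hypothetical values: site "DmzFtp", root C:\inetpub\ftproot, user ftp-jsmith.
Import-Module WebAdministration

$SiteName = "DmzFtp"
$SiteRoot = "C:\inetpub\ftproot"
$UserName = "ftp-jsmith"

# Prompt for the password rather than hard-coding or recording it in the script.
$secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# 1. Create the local (non-domain) account through ADSI; this works on
#    Windows Server 2008 R2, where New-LocalUser does not exist.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$user = $computer.Create("user", $UserName)
$user.SetPassword($plain)
$user.SetInfo()
$user.Put("Description", "FTP-only local account for the DMZ FTP site")
$user.SetInfo()
Remove-Variable plain

# 2. Create the isolated home directory the FTP service expects for a local
#    user (assumes isolation mode "User name directory") and grant Modify on it
#    to this account only; nobody else gets a grant here.
$homeDir = Join-Path $SiteRoot "LocalUser\$UserName"
New-Item -ItemType Directory -Path $homeDir -Force | Out-Null
icacls $homeDir /grant "${UserName}:(OI)(CI)M" | Out-Null

# 3. Enable Basic authentication on the FTP site (credentials travel in clear
#    unless FTPS is required on the site, so pair this with an SSL policy).
Set-ItemProperty "IIS:\Sites\$SiteName" `
    -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# 4. Add a named FTP authorization rule. With no "All Users" rule present,
#    any other local account is denied even if it can authenticate.
Add-WebConfiguration -Filter "/system.ftpServer/security/authorization" `
    -PSPath "IIS:\" -Location $SiteName `
    -Value @{ accessType = "Allow"; users = $UserName; permissions = "Read,Write" }

# 5. Verify the rules now configured for the site.
Get-WebConfiguration -Filter "/system.ftpServer/security/authorization/add" `
    -PSPath "IIS:\" -Location $SiteName |
    Select-Object accessType, users, permissions
```

    Because the account exists only in the DMZ host's local SAM, a compromise of the FTP server exposes nothing that is valid on the internal domain, which is the point the answers above are making.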

    Author Closing Comment

    Hi, thanks for the advice and answers.  I decided to abandon using IIS to configure our FTP sites and used Cerberus FTP server instead, which has built-in LDAP integration.
