DMZ Standalone Server using LDAP Authentication

Posted on 2012-08-16
Medium Priority
Last Modified: 2014-03-26
How do I set up a DMZ Standalone Server with AD Authentication via LDAP?
Question by:cruz_s

Expert Comment

ID: 38314135
Is this websphere application server standalone Server?

You have DMZ between WAS and LDAP?

if so first you need to make sure open LDAP ports in network default port is 389 for non-ssl and 636 for ssl

Author Comment

ID: 38316048
No it is not a websphere application server.     It is currently a domain controller, but I do not want to have a DC on the DMZ and was reading that it should be a standalone server with LDAP authentication.   I do not much experience in this area and wanted to obtain procedures on how to go about setting up server.    Currently have 3 other servers on DMZ that is using AD on this DC to authenticate.  Any help is greatly appreciated :)
LVL 35

Expert Comment

by:Cris Hanna
ID: 39603440
It would be helpful to a clearer picture of what you're trying to accomplish and why all these servers in the dmz that are part of the AD
LVL 65

Accepted Solution

btan earned 1500 total points
ID: 39603478
DMZ will normally have those presentation layer type servers and if FW is protecting the internal network which will consist of AD then you need to add in rule. Likely at the client end, it needs to be authenticated via AD before grant access...e.g.
-Users are prompted for credentials on the client machine.
-401.X Errors returned to the browser

If that is so, in general LDAP calls to AD required setting the credential login account to make the LDAP request, this is quite norm for servers. Setting the DNS server is important for the server. I am assuming Windows for now and on the below...

The challenge is if the login account used by the server should not be your super admin account but rather a service account (SPN). This is typical for Negotiation type authentication. And you need to perform Kerberos delegation (either KCD for within same domain access or KPT for cross domain access). For NTLM, it is the actual account needed with server as member of the AD and client is in the same domain. Article below


At times, there can be proxy to make this transparent and do all the work while stil managing the load balancing of it e.g.


There are also deployment using ADAM or LDS for application specific account rather than exposing the whole Enterprise AD in the same DMZ.

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question