DMZ Standalone Server using LDAP Authentication

Posted on 2012-08-16
Last Modified: 2014-03-26
How do I set up a DMZ Standalone Server with AD Authentication via LDAP?
Question by:cruz_s
    LVL 8

    Expert Comment

    Is this a WebSphere Application Server standalone server?

    Do you have a DMZ between WAS and LDAP?

    If so, first you need to make sure the LDAP ports are open in the network; the default port is 389 for non-SSL and 636 for SSL.

    Author Comment

    No, it is not a WebSphere Application Server. It is currently a domain controller, but I do not want to have a DC on the DMZ and was reading that it should be a standalone server with LDAP authentication. I do not have much experience in this area and wanted to obtain procedures on how to go about setting up the server. Currently I have 3 other servers on the DMZ that are using AD on this DC to authenticate. Any help is greatly appreciated :)
    LVL 35

    Expert Comment

    by:Cris Hanna
    It would be helpful to have a clearer picture of what you're trying to accomplish and why all these servers in the DMZ are part of the AD.
    LVL 60

    Accepted Solution

    A DMZ will normally have those presentation-layer type servers, and if the FW is protecting the internal network, which will consist of AD, then you need to add in a rule. Likely at the client end, it needs to be authenticated via AD before granting access, e.g.
    - Users are prompted for credentials on the client machine.
    - 401.x errors returned to the browser.

    If that is so, in general LDAP calls to AD require setting the credential login account to make the LDAP request; this is quite the norm for servers. Setting the DNS server is important for the server. I am assuming Windows for now and in the below...

    The challenge is that the login account used by the server should not be your super admin account but rather a service account (SPN). This is typical for Negotiate-type authentication. And you need to perform Kerberos delegation (either KCD for access within the same domain or KPT for cross-domain access). For NTLM, it is the actual account that is needed, with the server as a member of the AD and the client in the same domain. Article below:

    At times, there can be a proxy to make this transparent and do all the work while still managing the load balancing of it, e.g.

    There are also deployments using ADAM or LDS for application-specific accounts rather than exposing the whole Enterprise AD in the same DMZ.
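A check of the two preconditions the answers above name, the LDAP ports (389/636) being reachable from the DMZ host through the firewall and an LDAPS bind with a dedicated service account rather than an admin account, as an added PowerShell example that is not part of the original thread. The DC name, service account and base DN are placeholders.

```powershell
# Added example (not from the thread). Run on the DMZ member/standalone server.
# Placeholders: adjust $dc, $baseDn and $svcUser to your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc      = 'dc01.corp.example'     # placeholder: internal DC the firewall rule allows
$baseDn  = 'DC=corp,DC=example'    # placeholder: search base for the lookup
$svcUser = 'CORP\svc-dmz-ldap'     # placeholder: least-privilege service account
$cred    = Get-Credential -UserName $svcUser -Message 'LDAP service account password'

# 1. Firewall check: 389 (plain LDAP) and 636 (LDAPS) from the DMZ to the DC.
foreach ($port in 389, 636) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("Port {0}: {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 2. LDAPS simple bind with the service account. SSL is enabled and no
#    VerifyServerCertificate override is set, so the DC certificate is
#    validated by the platform; a bad certificate makes Bind() throw.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred.GetNetworkCredential(), 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3

try {
    $conn.Bind()
    Write-Host "LDAPS bind as $svcUser succeeded"

    # 3. Read-only lookup of the kind a DMZ application would make; confirms the
    #    service account has the (read-only) rights it needs and nothing more is required.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
               $baseDn, '(sAMAccountName=svc-dmz-ldap)', 'Subtree', 'distinguishedName')
    $res = $conn.SendRequest($req)
    Write-Host ("Search returned {0} entry(ies)" -f $res.Entries.Count)
}
catch {
    Write-Host "LDAPS bind/search failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

If port 389 is open but 636 is blocked, the bind will fail before credentials are sent; keep the plain-LDAP port closed from the DMZ once LDAPS is confirmed working.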
