Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
Sync of AD DS to AD LDS
Hi experts,
here`s my situation:
- We have ActiveDirectory domain called test.local
- We have an Internet Application called www.test.net
- We want this application to use our internal AD User-Accounts in a specified OU or Authentication and SingleSign On.
What I would do:
- Setup a Windows Server 2012 with AD LDS on the Internet
- Connect the web application to use that LDAP
Now my question:
Can I use ADAMSync from my internal DC to synchronize user data to the LDS Server on the internet?
Would it be possible that the AD LDS server recognizes password-changes?
I read sth. about UserProxy objects in AD LDS.
Do my suggestions nake sense, or isn`t it possible to sync an internal DC with an external AD LDS?
How do you implement SSO features?
Thanks in advance!
Roland
here`s my situation:
- We have ActiveDirectory domain called test.local
- We have an Internet Application called www.test.net
- We want this application to use our internal AD User-Accounts in a specified OU or Authentication and SingleSign On.
What I would do:
- Setup a Windows Server 2012 with AD LDS on the Internet
- Connect the web application to use that LDAP
Now my question:
Can I use ADAMSync from my internal DC to synchronize user data to the LDS Server on the internet?
Would it be possible that the AD LDS server recognizes password-changes?
I read sth. about UserProxy objects in AD LDS.
Do my suggestions nake sense, or isn`t it possible to sync an internal DC with an external AD LDS?
How do you implement SSO features?
Thanks in advance!
Roland
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
And why not AD LDS?
I read that AD FS needs the web application to be AD FS SSO ready.
My Web application has needs a LDAP-Directory to authenticate to.
I read that AD FS needs the web application to be AD FS SSO ready.
My Web application has needs a LDAP-Directory to authenticate to.
Because ADLDS, has not built-in functionality to sync credentials. You cannot get SSO which is what you stated you want. If you want auth and SSO, you want ADFS, not ADLDS.
And what if my Web App is not able to use AD FS for SSO?
Is it not possible to synch some users from my internal DC with ADAMSync to an external AD LDS? I would then user Proxy objects to have the passwords in synch.
Any other suggestion how to get SSO working for webapps that support LDAP as authentication provider?
Is it not possible to synch some users from my internal DC with ADAMSync to an external AD LDS? I would then user Proxy objects to have the passwords in synch.
Any other suggestion how to get SSO working for webapps that support LDAP as authentication provider?
Bind redirection does nit sync passwords. It actually redirects the authentication, hence the reason they are called "proxy" objects. Thus requires that the ADLDS server be joined to or have full trust with the domain. In which case you'd usually just have the app use ADDS directly. Using ADLDS is an edge case scenario where you *don't* need security isolation (which it sounds like you do) *and* you want to have a custom schema and store custom app-specific object properties without extending ADDS. And here's the crux, if any of that were the case, that integration would be on the app developer. They'd have to know how to set that up as it is app specific, so a sysadmin would never be asking. As Will said, based on what you've shared, ADLDS isn't the right choice. As far as what *is* ...you should discuss that with your app developer.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Hi,
what about if I create a new AD-Domain on an Internet site.
Is there a way to synchronize internal AD User from OU "xx" to the external ActiveDirectory?
What I need is an external LDAP directory that is periodically synced with an OU of my internal Active Directory.
Any suggestions?
what about if I create a new AD-Domain on an Internet site.
Is there a way to synchronize internal AD User from OU "xx" to the external ActiveDirectory?
What I need is an external LDAP directory that is periodically synced with an OU of my internal Active Directory.
Any suggestions?
There is not a way to to do what you propose, whether it is ADDS or ADLDS that will sync credentials. Passwords are protected differently that the rest of the object metadata in AD If you want true SSO or even "same password" type functionality, ADFS is your only reasonable choice.
But do I understand right:
I can not use any Web Application with AD FS?
AD FS is not an LDAP, correct?
I`m talking about an PHP-application called ILIAS elearning, that supports "LDAP", "CAS"and so on.
I can not use any Web Application with AD FS?
AD FS is not an LDAP, correct?
I`m talking about an PHP-application called ILIAS elearning, that supports "LDAP", "CAS"and so on.
There are plenty of web applications that work with ADFS. ADFS uses standards such as SAML, so it is up to the app developer to use those standards. If they do, it can use ADFS.
ADFS is not LDAP.
If the app does not support any of the protocols that ADFS supports and you are (understandably) unwilling to allow the app to authenticate against your internal domain controllers then you cannot have SSO at all. And if you want any sort of password syncing (which is not SSO), you'd need to invest in additional solutions such as forefront identity manager, configure PCNS, and define the custom data source. FIM is not free, nor is implementing PCSN in FIM a trivial task. If you aren't willing to spend TBe money purchasing FIM and learning how to implement a custom solution, you'll have to forego synced passwords as well.
You can use ADLDS as an LDAP back end for you app. But you can't have SSO or same passwords. Those are the requirements you seem to be getting stuck on.
ADFS is not LDAP.
If the app does not support any of the protocols that ADFS supports and you are (understandably) unwilling to allow the app to authenticate against your internal domain controllers then you cannot have SSO at all. And if you want any sort of password syncing (which is not SSO), you'd need to invest in additional solutions such as forefront identity manager, configure PCNS, and define the custom data source. FIM is not free, nor is implementing PCSN in FIM a trivial task. If you aren't willing to spend TBe money purchasing FIM and learning how to implement a custom solution, you'll have to forego synced passwords as well.
You can use ADLDS as an LDAP back end for you app. But you can't have SSO or same passwords. Those are the requirements you seem to be getting stuck on.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MCSE Microsoft Certified Systems Engineer - Securing… 324 lessons
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
https://msdn.microsoft.com/en-us/library/bb897402.aspx
Will.