
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 470

AD LDS, AD FS, RODC, LDAP access for 3rd party vendors?


We have had a request to allow LDAP lookups from a couple of external applications to our network. Moving forward with this, what would be the best scenario? I have scoured Google and am getting mixed things coming up, and tbh got a bit lost with it all.

So the solution I am thinking of going down:

AD LDS - for LDAP lookup
AD FS   -  for single sign on services (future proof for office 365)

These systems..........

Can I install both systems on the same server?

Do I put a server in the DMZ and then open the ports required back to the network through firewall A?

Then allow this server firewall B access to the outside world?

Or is it a NAT passthrough to the server on the internal network?

There doesn't seem to be a clear guide on a good solution, and what I found goes back to Server 2003.

I might be looking in the wrong place but I definitely need some advice from the pros on this one.

3 Solutions
Adam Brown, Sr Solutions Architect, commented:
I would not recommend putting ADFS and AD LDS on the same system. Best practice for AD LDS is to put it on a non-domain server, and ADFS won't work if it's not on the domain.

The way you would allow access to an AD LDS instance is to place it in a location that is accessible by the third party, preferably over Secure LDAP, which uses port 636. You would then grant that server the ability to read AD over port 636. By default, Secure LDAP isn't enabled on AD, but all you have to do to enable it is install a certificate on your DCs. It doesn't have to be a valid certificate, so you can use a self-signed cert on the DCs, but it's more secure if you have a CA Server in your environment issue the certs.

The reason for setting this up to use Secure LDAP is that LDAP sends data more or less in the clear, so it's pretty important to make sure that data is encrypted, which requires Secure LDAP to accomplish.

Once you have communication between AD LDS and AD allowed, https://windorks.wordpress.com/2014/09/02/syncing-lds-to-ad-ds/ will tell you how to set up the AD LDS instance to sync data out of AD. You should be able to limit the attributes the third party vendor has access to.
Colchester_Institute (Author) commented:
Hi Adam,

Thanks for the reply!

I have installed AD LDS on a server in the DMZ.

I have also installed AD LDS on a domain controller and setup an instance for it to talk to. What I did notice is that the DC already has an NTDS instance running on 389 and 636.

I added the LDAP ports to TMG, and when replicating the AD LDS to the DMZ server it says the port is already in use, so I cannot use the NTDS instance.

So I created the TCP ports 6389 & 6636 and created a new instance; the DMZ server can see the instance but I cannot get the service started on it.

I have a wildcard certificate for the company; could I use this for secure SSL?

Thanks so far.
Wildcard certificates work well for HTTPS, but not for STARTTLS on SMTP, or LDAPS.

AD LDS is great for adding a layer of isolation, but it can sometimes be simpler to just allow LDAPS (only port 636, not LDAP on 389) from a 3rd party (tied down to specific addresses, or over a VPN tunnel) to an RODC, or in a small environment, direct to a DC.

It's all about trust: if it's a hosted provider of Financial/HR software, then you might have a higher level of trust than for a hosted Wiki provider...

ADFS is a completely different beast.
Jian An Lim, Solutions Architect, commented:
I would not complicate your issue.

I will enable LDAPS on the DC, then just NAT it via the firewall and protect it with a known IP address.
You should never expose LDAPS to any source.

With a known IP address, you can even go with LDAP.

Technically, you can complicate it with AD LDS or something else, but I always ask what your purpose is, because technology keeps changing: today it might be ADFS, but in future you might port all of these functions to Azure AD. Who knows.
Colchester_Institute (Author) commented:
Thanks for your help, much appreciated.
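The three answers agree on the same end state: only LDAPS (636) reachable from the vendor's side, plain LDAP (389) not, and a certificate on the DC (self-signed at minimum, CA-issued preferably) whose name matches the host. The PowerShell function below is an added check, not code from the thread or from any commenter, that tests a DC or AD LDS host for exactly that from the client's vantage point; the hostname, ports and the Windows-style SAN formatting it parses are assumptions.

```powershell
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumed: DC or AD LDS host FQDN
        [int]$SecurePort = 636,
        [int]$PlainPort  = 389
    )
    $r = [ordered]@{ Host = $ComputerName }

    # 1. Plain LDAP on 389 should be filtered for third parties; reachable here is a finding.
    $plain = New-Object System.Net.Sockets.TcpClient
    try {
        $done = $plain.BeginConnect($ComputerName, $PlainPort, $null, $null).AsyncWaitHandle.WaitOne(3000)
        $r.PlainLdapReachable = $done -and $plain.Connected
    } catch { $r.PlainLdapReachable = $false } finally { $plain.Close() }

    # 2. LDAPS on 636: complete a TLS handshake and inspect the certificate Schannel serves.
    #    The callback accepts everything so the cert can be examined; trust is judged below.
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $SecurePort)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $r.TlsProtocol = $ssl.SslProtocol
        $r.Subject     = $cert.Subject
        $r.Issuer      = $cert.Issuer
        $r.NotAfter    = $cert.NotAfter
        $r.SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # works, but CA-issued is preferable

        # Names the certificate is valid for: subject CN plus DNS entries in the SAN extension.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] }) }
        $r.CertNames = $names -join ';'
        # A wildcard covers one label only: *.example.com matches dc1.example.com, not dc1.corp.example.com.
        $r.NameMatchesHost = [bool]($names | Where-Object {
            $_ -eq $ComputerName -or
            ($_.StartsWith('*.') -and $ComputerName -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
        })
        # Chain validation against this machine's trust store (what the vendor's client would see).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainTrusted = $chain.Build($cert)
        $r.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    } finally { $ssl.Dispose(); $tcp.Close() }
    [pscustomobject]$r
}

Test-LdapsEndpoint -ComputerName 'dc1.corp.example' | Format-List   # hostname is a placeholder
```

Run it from the network the third party will connect from (or through the same NAT rule); PlainLdapReachable should be False, NameMatchesHost True, and ChainTrusted False is expected for a self-signed DC certificate until the vendor imports it.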
