AD LDS, AD FS, RODC, LDAP access for 3rd party vendors?

Posted on 2016-08-03
Medium Priority
Last Modified: 2016-08-09

We have had a request to allow LDAP lookups from a couple of external applications to our network. Moving forward with this what would be the best scenario? I have scaled the "google" and getting mix things come up and tbh got a bit lost with it all.

So the solution I am thinking of going down:

AD LDS - for LDAP lookup
AD FS   -  for single sign on services (future proof for office 365)

These systems..........

Can I install both systems on the same server?

Do I put a server in the DMZ and then open the ports required back to the network through firewall A.

Then allow this server firewall B access to the outside world?

Or is it a NAT passthrough to the server on the internal network?

there doesn't seem to be a clear guide on a good solution, and what I found is going back to server 2003.

I might be looking in the wrong place but I definitely need some advice from the pros on this one.

Question by:Colchester_Institute
LVL 44

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41741532
I would not recommend putting ADFS and AD LDS on the same system. Best practice for AD LDS is to put it on a non-domain server, and ADFS won't work if it's not on the domain.

The way you would allow access to an AD LDS instance is to place it in a location that is accessible by the third party, preferably over Secure LDAP, which uses port 636. You would then grant that server the ability to read AD over port 636. By default, Secure LDAP isn't enabled on AD, but all you have to do to enable it is install a certificate on your DCs. It doesn't have to be a valid certificate, so you can use a self-signed cert on the DCs, but it's more secure if you have a CA Server in your environment issue the certs.

The reason for setting this up to use Secure LDAP is because LDAP sends data more or less in the clear, so it's pretty important to make sure that data is encrypted, which requires Secure LDAP to accomplish.

Once you have communication between AD LDS and AD allowed, https://windorks.wordpress.com/2014/09/02/syncing-lds-to-ad-ds/ will tell you how to set up the AD LDS instance to sync data out of AD. You should be able to limit the attributes the third party vendor has access to.

Author Comment

ID: 41742218
Hi Adam,

Thanks for the reply!

I have installed AD LDS on a server in the DMZ.  

I have also installed AD LDS on a domain controller and setup an instance for it to talk to. What I did notice is that the DC already has an NTDS instance running on 389 and 636.

I added the ldap ports to TMG and when replicating the AD LDS to the DMZ server it says the port already in use so I cannot use the NTDS instance

So I created the TCP ports 6389 & 6636, created a new instance, the dmz server can see the instance but I cannot get the service started on it.

I have a wildcart certificate for the company could I use this for secure SSL.

thanks so far.
LVL 37

Assisted Solution

ArneLovius earned 500 total points
ID: 41744616
Wildcard certificates work well for HTTPS, but not for STARTTLS on SMTP, or LDAPS

AD LDS is great for adding a layer of isolation, but it can sometime be simpler to just allow LDAPS (only port 636, not LDAP on 389) from a 3rd party (tied down by specific address, or over a VPN tunnel) to a RoDC, or in a small environment, direct to a DC.

It's all about trust, if its a hosted provider of Financial/HR software, then you might have a higher level of trust than a a hosted WiKi provider...

ADFS is a completely different beast
LVL 38

Accepted Solution

Jian An Lim earned 1000 total points
ID: 41745937
I would not complex your issue.

I will enable LDAPS on DC then, just NAT it via firewall and protected with known IP address.
you should never expose LDAPS to any source.

With known IP address, you can even go with LDAP.

Technically, you can complex it with AD LDS or something else, but i always ask what is your purpose, because technology keep changing, today it might be ADFS but in future, you might port all of these functions to Azure AD. who knows.

Author Closing Comment

ID: 41748341
Thanks for you help much appreciated.

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If you need to implement application level security in an Access database application or other VBA code, I strongly encourage you to take advantage of Active Directory groups.
In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question