Looking for ways to integrate on-premise AD with SaaS apps

Hello,

We are looking for ways to integrate our local AD with a SaaS application (Zixs). This is a mail filter solution that will be used to filter inbound/outbound mail flow. The users will have a site that they will use to authenticate to release their spam. We want them to use their AD user and password to authenticate to the site and get to their spam. The vendor mentioned they support LDAP and secure LDAP, but I am not sure what my options are to get this integration done.

We use on-premise AD running on Windows 2012 DCs.

Thank you!
llarava asked:

Shaun Vermaak, Technical Specialist, commented:
You can use an external site and connect your local DS to AD Azure, or deploy an AD FS server on-premise.

You can alternatively use an internal site (which you can publish externally with something like WAP) and change the authentication method of the site to LDAP, similarly to my Free/Open-Source Self-Service Password Reset tool for Active Directory (look at the web.config):
https://www.experts-exchange.com/articles/31477/Free-Open-Source-Self-Service-Password-Reset-tool-for-Active-Directory.html
llarava (Author) commented:
I am looking for a way to avoid Azure. I would like to use secure LDAP and a read-only DC in the DMZ. Has anyone done this setup before?
llarava (Author) commented:
The customer would like to leverage their existing DMZ and infrastructure.
Shaun Vermaak, Technical Specialist, commented:
"I am looking for a way to avoid Azure."
The second part of my comment is not Azure.

"I would like to use secure LDAP and a read-only DC in the DMZ."
Like published externally? Don't do that.
llarava (Author) commented:
Sorry for the editing; Zixs SaaS supports secure LDAP.
Shaun Vermaak, Technical Specialist, commented:
Kerberos/LDAP is not intended to be used like that and is against best practices. MS developed a whole new DS to work on the public Internet; they do not use LDAPS.

Rather follow the advice of the first comment which is basically my recommendation above.

The general rule of the Internet is you can Google anything and you will find someone that says it is a good idea, doesn't mean that it actually is.

My guess is that he was too lazy to set up ADFS or didn't know about it.

"If you have Active Directory on site, or for that matter, any directory server that supports the LDAP protocol, you can use your directory for most cloud services."
No proper cloud service uses LDAP over the Internet.

yo_bee, Director of Information Technology, commented:
I have Mimecast for my solution and I use an LDAP setup between my on-prem AD and Mimecast.

I have my firewall ACL to only allow communication from Mimecast subnet.

LDAPS is the preferred method if you can support it.

If your service does support ADFS for SSO, I would look into setting it up:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
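As an added example (not from any participant in this thread): a small Python model of the firewall ACL yo_bee describes, restricting 636/TCP on the DC to the vendor's source ranges and denying plain LDAP, plus the TLS settings an LDAPS client should insist on. The vendor subnets and rule sets are constructed placeholders.

```python
import ipaddress
import ssl

# Constructed placeholder for the filtering vendor's published source ranges
# (the real list comes from the vendor; these are documentation-only addresses).
VENDOR_SUBNETS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]

# Constructed edge-firewall rule set, first match wins: (action, source, dst port).
# Only the vendor ranges may reach 636/TCP; plain LDAP on 389 is denied to everyone.
RULES = [
    ("allow", "203.0.113.0/24", 636),
    ("allow", "198.51.100.0/25", 636),
    ("deny", "0.0.0.0/0", 636),
    ("deny", "0.0.0.0/0", 389),
]

# Constructed "any source may reach LDAPS" variant: the exposure the thread warns against.
WEAK_RULES = [("allow", "0.0.0.0/0", 636), ("deny", "0.0.0.0/0", 389)]


def decision(rules, src_ip, port):
    """First-match evaluation with an implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    for action, net, dst_port in rules:
        if dst_port == port and src in ipaddress.ip_network(net):
            return action
    return "deny"


def overexposed(rules, vendor_subnets, probes):
    """Probes (ip, port) the rules allow although they come from outside the
    vendor ranges or target anything other than LDAPS (636/TCP)."""
    findings = []
    for ip, port in probes:
        from_vendor = any(ipaddress.ip_address(ip) in n for n in vendor_subnets)
        if decision(rules, ip, port) == "allow" and not (from_vendor and port == 636):
            findings.append((ip, port))
    return findings


def ldaps_client_context():
    """TLS settings the LDAPS client side should insist on: TLS 1.2 or newer,
    server certificate validated against a trust store, hostname checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

Run overexposed() against the rule set actually deployed on the edge; any finding means a DC is reachable on a directory port from somewhere other than the vendor.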
Shaun Vermaak, Technical Specialist, commented:
"I have Mimecast for my solution and I use an LDAP setup between my on-prem AD and Mimecast."
Correct, but their main integration points are ADFS and Azure AD. I will never run LDAP(S) over the Internet.
yo_bee, Director of Information Technology, commented:
I will look into this. Thanks Shaun.
llarava (Author) commented:
Why is LDAPS discouraged? Just asking to understand the cons.
btan, Exec Consultant, commented:
LDAPS is secure by default as long as proper ciphers are negotiated. Even SSL has weak ciphers. But the whole idea is to reduce exposure of your entire AD DS to the Internet.

Nothing is a silver bullet, so if the AD is compromised due to lapses or misconfigurations, the privileged access gained will give a chance to penetrate the internal network. It is all about risk acceptance. When something really happens and the user is alright to manage the aftermath it is fine, but most of the time they are not.

Connections to the Internet from remote should always consider VPN and expose only the portion of the internal AD that really needs to be used rather than the entire AD DS. The external threat of a DDoS attack against LDAP/S is viable, and service outage may be part of it.
Shaun Vermaak, Technical Specialist, commented:
"LDAPS is secure by default as long as proper ciphers are negotiated. Even SSL has weak ciphers. But the whole idea is to reduce exposure of your entire AD DS to the Internet."
There is a big difference between transport security, protocol security and exposure. With HTTPS you can reverse proxy the HTTPS traffic. With LDAPS you are literally exposing your DCs to the world. No one will ever be able to convince me to use it when technologies such as AD FS, OAuth, AD Azure etc. exist.
btan, Exec Consultant, commented:
Indeed, the known port for LDAPS is an obvious target. A web proxy or broker is needed, and it should even be application aware to manage the access using the SAML or OAuth token. These are preferred for online identity federation, with more API interfaces released for greater application e-service method calls.
llarava (Author) commented:
Could you please advise on a good ADFS implementation document that I can use to test it?
yo_bee, Director of Information Technology, commented:
My link walks you through the steps.
This is what I used to implement my ADFS and Web Application Proxy.
llarava (Author) commented:
Ok