Re: AD & ADAM together in harmony

Makes sense, but I think the main idea behind us wanting to keep the two
separate is mainly one of admin - the external ADAM could potentially host an
infinite number of users, especially if we start allowing for payroll members
to connect and view stuff like payslips etc.
We don't want to expose the whole of AD to the outside world just so they
can access an ASP page - there are other security mechanisms in SQL that will
handle application level security such as access to payroll data and so on.
The problem is really of initial entry-point authentication.
We've already decided on a reverse-proxied ISA SSL publication of the
internal web server - this will handle encryption and host verification.

Please bear in mind I'm new to the ADAM concept and have never implemented
it, so I may be basing assumptions on preconceptions that don't apply.
I wanted to keep this away from our internal AD to ensure its integrity and
keep internal AD administration to typically "daily admin stuff" - not a 24x7
user accounts management nightmare which could theoretically happen with ADAM.

We've thought about the other alternative with another domain but the admin
overhead would rival managing a single AD with all users.

Again, perhaps I need to reconsider the entire design architecture, I'm
basing this on assumptions...

"Anthony" wrote:

This is a really interesting problem, how to authenticate users on an
extranet application. I don't have a fix for you, but a few thoughts.
If you are authenticating internal users to the AD, then you are exposing
the AD to that host. Once you have done that, you may as well give external
users an acount on your AD as well. I can't see the point of having a
separate user database for external connections to an internal host.
If you are worried about exposing the AD to the host, then you can use LDAPS
to limit the risk. Using LOGIN authentication would achieve the same thing.
You can also use authentication on the firewall or SSL VPN to authenticate
external users safely before they get to the application.
The most elaborate method is to have a separate domain for the DMZ, using
Federation Services to keep the usernames and passwords in sync, but this is
excessively complex.
Anthony


"GrITMan" <GrITMan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0654A1BF-CA02-4D21-B929-BEE67E005CCE@xxxxxxxxxxxxxxxx
We are planning on building an Intranet/Extranet for our payroll
application.
The idea is to use AD integrated IIS security for internal users to
automatically identify and authenticate them on IE access, and use ADAM
for
clients.

The architecture will involve an internally hosted web server that will be
available to internal users, plus we will publish these pages via ISA
reverse
proxy and SSL externally to the outside world.

The problem we have is figuring out how we go about switching from AD to
ADAM during the authentication process? If, for example, the user does
not
authenticate automatically, how do we get it to check ADAM instead of
popping
up a username and password dialogue for AD?
We have been told to use Forms authentication instead of IIS, but no
indication of actually how this would work or how to develop it.

The second option I have suggested to the dev team is to split the
authentication physically into two separate pages, one for internal, one
for
external access. Thus we authenticate at the point of entry and then
converge on single site content keeping that authentication in the
session.
Again though, if we enable windows integrated security for the site, it
applies to the whole site, so even if we authenticate external users up
front
with ADAM, further down the the line they will hit AD security somewhere
and
we're back to square one (even this is a guess, we're not sure how this
will
pan out)

What I want to know is a) are we going about this the right way? and b) if
we are, how do we do this?

Any suggestions or advice will be welcome

Thanks

GrITMan



.

Relevant Pages

  • Re: AD & ADAM together in harmony
    ... You can use a separate OU in the AD for external users. ... So if the web host is compromised, ... separate is mainly one of admin - the external ADAM could potentially host ... The problem is really of initial entry-point authentication. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Querying Active Directory Application Mode (ADAM)...
    ... but when I try to enumerate the children (same ... application working with ADAM? ... I have never used that ADAM but sounds like you have a security ... What authentication mode do you have in your web.config and what what ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: adam bind-redirect
    ... a third party doing authentication) then the proxy-redirect isnt an option. ... could benefit from bind redirect/User Proxy Object ... >> Our Adam will have a user store where we put custom user attributes. ... > Integrated authentication gives you a Windows security context ...
    (microsoft.public.windows.server.active_directory)
  • Re: ADAM - SSO and provisioning considerations
    ... single credential store. ... > that app will launch our app, so it can pass the username or SID on the ... ADAM doesn't simplify your architecture from what I can tell in your posts. ... LDAP bind is not an authentication process. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Use of Active Directory vs Database (e.g. SQL server)
    ... the main reason to use ADAM for authentication is that it ... If you go with SQL for the user store, you have to build all that. ... the app going to have its own SQL server database for OLTP ...
    (microsoft.public.windows.server.active_directory)