Using local AD Credentials for Public Site

We have a production website that has a generic login for all internal users. We would like to start using their internal domain credentials to log in to this public-facing site. What is the best way to go about this from an authentication standpoint?

From what I can tell we could either have an RODC in our web farm that performs the authentication requests, or we could do something more elaborate like Federation Services or a trust relationship. Anyone have any experience with this?
 
This is what AD LDS is normally for. I wouldn't normally allow direct LDAP into AD for a public site unless there is no other choice.

Federation Services is a nightmare to set up, and even then I would still use AD LDS for the account store.
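To make the "account store behind the web site" idea concrete, here is an added example (not code from the thread or any poster) of the thin authentication layer a web application would put in front of a directory such as AD LDS. The real LDAP client is injected as two callables, `search` and `bind`, so the module runs offline; the host, service account, base DN and the `sAMAccountName` attribute are assumptions. It shows the two checks that matter most on a public site: escaping the login name before it goes into a search filter, and refusing an empty password, because an LDAP simple bind with an empty password is an unauthenticated bind that many servers report as success.

```python
"""Directory-backed login for a public web site, written defensively.

Added example: a thin authentication layer between the web application and
an LDAP account store such as AD LDS. The LDAP client is injected as
callables so the module runs offline; connection details are assumptions.
"""
from typing import Callable, Optional

# Characters that RFC 4515 requires to be escaped inside a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, uid_attr: str = "sAMAccountName") -> str:
    """Return a search filter that matches exactly one account by login name."""
    return f"(&(objectClass=user)({uid_attr}={escape_filter_value(username)}))"


def authenticate(
    username: str,
    password: str,
    search: Callable[[str], Optional[str]],
    bind: Callable[[str, str], bool],
) -> bool:
    """Resolve the user's DN with a service account, then bind as the user.

    `search(filter) -> dn or None` and `bind(dn, password) -> bool` are
    assumed wrappers around the real LDAP client (e.g. ldap3 over LDAPS,
    with `search` running under a read-only service account).
    """
    if not username or not password:
        # A simple bind with an empty password is an *unauthenticated* bind
        # (RFC 4513 section 5.1.2); AD and others report it as success, so
        # the application must reject it before it ever reaches the server.
        return False
    if len(username) > 256 or len(password) > 1024:
        # Keep pathological input away from the directory.
        return False
    dn = search(build_user_filter(username))
    if dn is None:
        # Same answer for "no such user" and "bad password": no user enumeration.
        return False
    return bind(dn, password)


if __name__ == "__main__":
    # Constructed in-memory stand-in for the directory, for a stand-alone run.
    accounts = {"(&(objectClass=user)(sAMAccountName=jdoe))": "CN=jdoe,OU=Staff,DC=example,DC=com"}
    secrets = {"CN=jdoe,OU=Staff,DC=example,DC=com": "correct horse"}
    ok = authenticate("jdoe", "correct horse", accounts.get, lambda dn, p: secrets.get(dn) == p)
    print("login ok" if ok else "login failed")
```

The search-then-bind shape is what lets the site use a scoped, read-only service account for lookups while the user's own password is only ever used for the bind as the resolved DN, which fits the poster's point about not exposing the production AD directly.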
 
The best solution for authenticating internal users that are attempting to access an externally facing web site is to use PKI authentication.

To eliminate passwords force smart card login.

I work for a VERY LARGE enterprise and we use PKI for everything, it is especially helpful for tracking employee training.
 
PKI needs Certificate Services and that is also a nightmare! :D Also, what if they need access to the site from outside the current network?
 
Sure, you may need cert services, but the only nightmare is implementation; once it's up, it is very transparent.

Access from outside the network would also require PKI; that can be handled by either soft certs (non-smart-card based), a USB token, or a smart card.

If you go here - http://iase.disa.mil/ - you should have access until you hit one of the areas that say "PKI required"; when you click those links it will ask you for a PKI.
 
We would not be able to do the PKI infrastructure. Although a thorough solution, we don't have the manpower to set it up, and most of our clients are on non-bound Macs, so administratively it would be an ongoing pain in the butt.
 
PKI does not require bound workstations, only that the user have a domain account.

Our entire web portal team uses Macs that are not member computers.
 
Server-wise, what does that consist of on the back end?

We have a small certificate infrastructure set up here, and a VPN connection to our web server location.

Would we need to have a certificate server out with the web servers?
 
You normally have an online responder server that is public facing.
 