3rd Party Hosting Integration

"StevoReno" <StevoR***@discussions.microsoft.com> wrote in message news:FC58F22C-EDF6-49F7-8A3F-B5107DB54B53@microsoft.com:

We have a 3rd party vendor with a custom app they will host. We would like them to authenticate using our Active Directory model based on a group membership. The app is asp/.net and will be accessed over the internet (SSL). What are my options? Is there a way to replicate our AD to them on some frequency? If so, any risk in doing that? Is another option having them code a page that actually authenticates from our corp AD since the user will be running the app from our corp network?

Thanks in advance,
Steve


"Paul Bergson" wrote:

You don't want anyone authenticating over the internet to your Active Directory; this is a huge security risk. Although I have only used it briefly, I believe this would be much better suited for AD/AM - Active Directory Application Mode.

ADAM is an LDAP database that can be used to store users and groups as well as other objects. The db itself is a single .dit file with the capability to run multiple instances on one machine.

This can be run on Windows XP (doesn't need to be run on a Domain Controller) so there isn't the need for expensive hardware.

For further details check out the link below:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&DisplayLang=en

--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.


"StevoReno" <StevoR***@discussions.microsoft.com> wrote in message news:26B193B4-E2A2-431D-8E42-3024F3FAFEAC@microsoft.com:

Thanks for the input. On the surface, I like the approach, but am concerned about vulnerability to passwords. Have you used ADAM? If so, I assume the .dit is binary, but is it easily hacked?

If I understand the architecture, we'd have to create the .dit, send it to the ISV and they would re-load it on some frequency. Some questions:

1.) Can we control what we send? I really only want to send them the list of users that belong to a certain group that would have access to this app. The application would authenticate the user using ADAM, but internal application sub-security (roles/responsibilities within the app) would be proprietary to their app. I just want to limit exposure (just in case passwords are compromised) and the size of the file transferred.
2.) Can I encrypt (PGP) the .dit before transferring to the ISV?
3.) Is this SOX compliant?
4.) Is it widely used by ISVs?
5.) If we had a secure VPN connection or WAN link directly to the ISV (no open internet), is straight AD a better route?

Again, thanks for the feedback and I look forward to your response.

Steve


"Paul Bergson" wrote:

I have little to no experience with AD/AM; I have it in my lab and am working on it. So I'm not the one that should be answering these questions, but I will give you what I can.

1) Can we control what we send? Yes, you should be able to do this. Not only can you, you should only provide what is needed. Don't provide anything that can contain secrets of your enterprise. It is an LDAP engine; I believe you can write an LDAP query to populate the DB.
2) I would assume this would work. Why wouldn't it? It is just a file to PGP.
3) Don't know.
4) This is a relatively new product; it is being used, but I have no idea on the number of users. I would guess it is low.
5) I would never give someone else the ability to gain access to my domain. This is a bad idea.

--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com


"Jeffrey Harris" wrote:

See responses inline.

> "StevoReno" wrote:
> 1.) Can we control what we send? I really only want to send them the list of users that belong to a certain group that would have access to this app. The application would authenticate the user using ADAM, but internal application sub-security (roles/responsibilities within the app) would be proprietary to their app. I just want to limit exposure (just in case passwords are compromised) and the size of the file transferred.

Yes, you can control what you send, by controlling what you replicate to ADAM from AD.

> 2.) Can I encrypt (PGP) the .dit before transferring to the ISV?

Not directly. You need to send a backup of the data using Windows Backup, and you can encrypt that for transmission. Microsoft does not support direct copy of .dit files, but does support restoration from Windows Backup.

> 3.) Is this SOX compliant?

I do not know.

> 4.) Is it widely used by ISVs?

I do not think so, but my knowledge of its adoption is limited.

> 5.) If we had a secure VPN connection or WAN link directly to the ISV (no open internet), is straight AD a better route?

No, for reasons stated in other posts. You leave your whole network open to attack and access.

--
Jeffrey Harris, MCSE W2K. Please remove the '1's from the e-mail address before sending.
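Both answers to question 1 (Paul: "only provide what is needed", populate ADAM from an LDAP query; Jeffrey: control what you replicate to ADAM from AD) describe a data-minimisation step taken before anything leaves the forest. The following Python script is an added example, not code from the thread, from Microsoft or from any ADAM tooling. It works over a constructed ldifde-style export embedded inline and keeps only members of the application group, only an allow-listed set of attributes, and rebases each DN into a separate partition so the vendor never learns the corporate OU layout. The group name VendorApp-Users, the naming contexts DC=corp,DC=example and OU=VendorApp,DC=adam,DC=example, and all sample users are assumptions made for the example.

```python
"""Filter an AD LDIF export down to the minimum a vendor-hosted ADAM instance needs.

Group, base DNs and sample users below are constructed for this example.
"""
import base64
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

SOURCE_BASE = "DC=corp,DC=example"                 # assumed corporate forest root
TARGET_BASE = "OU=VendorApp,DC=adam,DC=example"    # assumed ADAM application partition
APP_GROUP_DN = "CN=VendorApp-Users,OU=Groups,DC=corp,DC=example"  # assumed app group

# Allow list: only these attributes ever leave. Everything else (memberOf of
# other groups, employee ids, phone numbers, ...) is dropped without exception.
ALLOWED_ATTRS = ("objectClass", "cn", "sAMAccountName", "userPrincipalName",
                 "displayName", "givenName", "sn", "mail")

# Defence in depth: fail loudly if any credential attribute ever reaches the output,
# for example because someone edits ALLOWED_ATTRS carelessly later.
NEVER_EXPORT = {"unicodepwd", "userpassword", "dbcspwd", "ntpwdhistory",
                "lmpwdhistory", "supplementalcredentials"}

# Constructed export: three users, of whom only Alice and Carol are in the app group.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=corp,DC=example
objectClass: user
cn: Alice Adams
sAMAccountName: aadams
userPrincipalName: aadams@corp.example
givenName: Alice
sn: Adams
mail: alice@corp.example
employeeID: 100234
telephoneNumber: +1 555 0100
memberOf: CN=VendorApp-Users,OU=Groups,DC=corp,DC=example
memberOf: CN=Finance,OU=Groups,DC=corp,DC=example

dn: CN=Bob Brown,OU=Users,DC=corp,DC=example
objectClass: user
cn: Bob Brown
sAMAccountName: bbrown
mail: bob@corp.example
memberOf: CN=Finance,OU=Groups,DC=corp,DC=example

dn: CN=Carol Chen,OU=Users,DC=corp,DC=example
objectClass: user
cn: Carol Chen
sAMAccountName: cchen
mail: carol@corp.example
memberOf: CN=VendorApp-Users,OU=Groups,DC=corp,DC=example
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folds continuation lines, decodes 'attr:: base64'
    values and returns one (dn, {attr: [values]}) per record. Not a full RFC 2849 parser."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:       # folded continuation of previous line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn = ""
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):                # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def rebase_dn(dn: str) -> str:
    """Keep only the leaf RDN and place it under the ADAM partition (escaped commas
    in RDNs are not handled; the sample data has none)."""
    return f"{dn.split(',', 1)[0]},{TARGET_BASE}"


def is_app_member(attrs: Dict[str, List[str]]) -> bool:
    groups = [g.lower() for k, v in attrs.items() if k.lower() == "memberof" for g in v]
    return APP_GROUP_DN.lower() in groups


def minimise(dn: str, attrs: Dict[str, List[str]]) -> Entry:
    allowed = {a.lower() for a in ALLOWED_ATTRS}
    return rebase_dn(dn), {k: list(v) for k, v in attrs.items() if k.lower() in allowed}


def assert_no_secrets(entries: List[Entry]) -> None:
    for dn, attrs in entries:
        leaked = sorted(k for k in attrs if k.lower() in NEVER_EXPORT)
        if leaked:
            raise ValueError(f"refusing to export {leaked} for {dn}")


def build_vendor_export(ldif_text: str) -> List[Entry]:
    """Members of the app group (allow-listed attributes only) plus a group object
    whose 'member' values point at the rebased user DNs, so the hosted app can
    still check membership locally."""
    users = [minimise(dn, a) for dn, a in parse_ldif(ldif_text) if is_app_member(a)]
    group: Entry = (rebase_dn(APP_GROUP_DN),
                    {"objectClass": ["group"],
                     "cn": [APP_GROUP_DN.split(",", 1)[0][3:]],
                     "member": [dn for dn, _ in users]})
    entries = users + [group]
    assert_no_secrets(entries)
    return entries


def to_ldif(entries: List[Entry]) -> str:
    """Serialise as 'changetype: add' records for an ldifde -i import on the ADAM side."""
    out: List[str] = []
    for dn, attrs in entries:
        out += [f"dn: {dn}", "changetype: add"]
        out += [f"{name}: {v}" for name, values in attrs.items() for v in values]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_ldif(build_vendor_export(SAMPLE_LDIF)))
```

Two properties of a copy made this way matter for Steve's password concern: no credential material is in the output (an LDIF export never carries AD password hashes, and the deny list makes that an enforced invariant rather than a hope), so the vendor's ADAM instance must hold its own credentials for these accounts; and the export contains nothing the vendor could use to map the corporate directory beyond the one group. On the ADAM side the user object class has to be imported from MS-User.LDF before this file will load; for a scheduled one-way refresh rather than a hand-built file, ADAMSync is the Microsoft-supplied tool and should be given an equally narrow object filter and attribute list.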