
I have a web server in a DMZ that hosts an "Extranet" ASP.NET application. I want users to authenticate to this application using the same user name and password they use on their Windows machines at work (we are using Active Directory).

I want to know what the best way is, the most secure way, to connect from the DMZ web server to the Active Directory.

For now I saw two possibilities:
- RODC
- LDAP Over SSL (LDAPS)

Are there any other options you recommend? What other options should I consider? Any limitations or potential problems with any of those solutions?

Lea Cohen
Bestter
  • I am not sure if I am understanding this question. Any LDAP server to which you connect should support SSL or the StartTLS extended operation. LDAP clients should not use LDAP where SSL or TLS with a strong cipher is not supported. – Terry Gardner Mar 29 '12 at 21:28
  • Ok... The thing is that up to two weeks ago, we thought that the best way to authenticate users was to connect from the web server directly to the domain controller. But my network admin discovered a potential flaw... So I'm trying to find out what the best way to do it is: LDAP over SSL directly from the web server to the DC, or creating an RODC... – Bestter Mar 30 '12 at 12:32
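The LDAPS option the question lists, shown as an added example that is not part of the original question, its comments, or either user's code. It contrasts a plain-LDAP simple bind (which sends the user's password in clear text across the DMZ boundary) with an LDAPS bind that validates the directory server's certificate before any credentials are sent. The host name `dc.corp.example`, the CA thumbprint placeholder, and the `ExtranetAuth` class name are all assumptions; replace them with your own values.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer.
// "dc.corp.example" stands for whichever directory server the DMZ web server is
// allowed to reach (a writable DC or an RODC placed in the perimeter network).
public static class ExtranetAuth
{
    private const string DirectoryHost = "dc.corp.example"; // assumed name

    // Weak form: a simple bind over plain LDAP (port 389). The password travels
    // in clear text from the DMZ to the directory server, so anything that can
    // observe that path can read it.
    public static bool AuthenticateInsecure(string upn, string password)
    {
        var id = new LdapDirectoryIdentifier(DirectoryHost, 389);
        using var conn = new LdapConnection(id) { AuthType = AuthType.Basic };
        conn.Bind(new NetworkCredential(upn, password)); // password on the wire
        return true;
    }

    // Hardened form: LDAPS on port 636, LDAP v3, and an explicit certificate
    // check that runs before the bind, so credentials are only sent to a server
    // that presents a certificate chaining to the expected internal CA.
    public static bool AuthenticateLdaps(string upn, string password)
    {
        var id = new LdapDirectoryIdentifier(DirectoryHost, 636,
            fullyQualifiedDnsHostName: true, connectionless: false);
        using var conn = new LdapConnection(id);
        conn.SessionOptions.SecureSocketLayer = true;        // TLS from the first byte
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.VerifyServerCertificate = VerifyDirectoryCertificate;
        conn.AuthType = AuthType.Basic;

        try
        {
            conn.Bind(new NetworkCredential(upn, password));
            return true;
        }
        catch (LdapException ex) when (ex.ErrorCode == 49) // LDAP_INVALID_CREDENTIALS
        {
            // Wrong user name or password: report failure, do not leak which one.
            return false;
        }
    }

    // Certificate callback: build the chain with revocation checking, pin the
    // root to the internal CA, and confirm the name on the certificate matches
    // the host we intended to talk to.
    private static bool VerifyDirectoryCertificate(LdapConnection conn, X509Certificate cert)
    {
        const string expectedRootThumbprint = "REPLACE_WITH_INTERNAL_CA_THUMBPRINT"; // placeholder

        var x509 = new X509Certificate2(cert);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(x509))
            return false;

        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        bool rootOk = string.Equals(root.Thumbprint, expectedRootThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        bool nameOk = string.Equals(x509.GetNameInfo(X509NameType.DnsName, false),
                                    DirectoryHost, StringComparison.OrdinalIgnoreCase);
        return rootOk && nameOk;
    }
}
```

The two choices in the question are not mutually exclusive: the web application can bind over LDAPS to an RODC placed in the perimeter network, which keeps the clear-text password off the DMZ network segment and limits what the perimeter directory server holds to the credentials its password replication policy allows it to cache. The `GetNameInfo` check above is a simplified host-name match; production code should compare against every subject alternative name the certificate carries.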

1 Answer


There is a Microsoft document about that:

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

You can also take inspiration from Microsoft's considerations on installing an Exchange front-end computer in a DMZ:

Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server

JPBlanc
  • But I still have a question: if some ports are open between the DMZ and the intranet to allow the RODC to "talk" to the DC, how could that be more secure than a direct connection from the web server to the DC? – Bestter Mar 30 '12 at 12:34