Domain Trusts and LDAP

Discussion in 'Active Directory' started by GMartin, Jan 13, 2005.

  1. GMartin

    GMartin Guest

    We're building an AD infrastructure to authenticate users of our
    external web via LDAP. We already use AD internally. We need a
    mechanism to allow internal users to authenticate to the external system
    without creating new credentials for them.

    My idea is to create one-way trust from the external domain to the
    internal domain. This should allow one-stop shopping for the
    authentication (vs. LDAP referral and a hole in the firewall from the
app svr to the internal AD). I think this will work, but I have several
questions:

    1 - How do we authenticate? We typically do a search & bind to
    authenticate against LDAP. If I understand correctly, the search would
    not work as the external AD wouldn't search the internal. Would we use UPN?

2 - When we create an account externally, how can we ensure (do we need
to ensure) the account is unique in both domains? (I guess if we use UPN
this wouldn't matter.)

Thoughts on these or other suggestions on approaching the problem?

    \\Greg
     
    GMartin, Jan 13, 2005
    #1
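The two bind paths Greg describes (search-and-bind for accounts that live in the external domain, direct UPN bind for internal users resolved across the trust), as an added, constructed example that is not part of the thread. The `ExternalAD` class is a stand-in for the DMZ domain controller, not a real LDAP client, and the account names are made up; it models that trusted-domain users are not objects in the external directory (so a search never finds them) while a UPN bind can still be validated through the trust, and it refuses the empty password that LDAP treats as an anonymous bind.

```python
import re

class ExternalAD:
    """Constructed stand-in for the external (DMZ) AD that trusts the internal
    domain one-way. Internal users are not objects here; only a UPN bind can be
    passed through the trust. Behaviour is approximated for illustration."""
    def __init__(self, local, trusted):
        self.local = local      # sAMAccountName -> (dn, password)
        self.trusted = trusted  # userPrincipalName -> password (internal users)

    def search(self, ldap_filter):
        """Return the DN matching an (sAMAccountName=...) filter, or None."""
        m = re.fullmatch(r'\(sAMAccountName=(.*)\)', ldap_filter)
        return self.local.get(m.group(1), (None, None))[0] if m else None

    def bind(self, identity, password):
        if not password:        # RFC 4513: empty password is an anonymous bind
            return False
        for dn, pw in self.local.values():
            if identity == dn:
                return pw == password
        return self.trusted.get(identity) == password   # pass-through via trust

def escape_filter(value):
    """Escape RFC 4515 filter metacharacters before interpolating user input,
    so a login like 'a*)(objectClass=*' cannot widen the search."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def authenticate(ad, login, password):
    """Search-and-bind for external accounts; direct UPN bind for trusted ones."""
    if not password:
        return False
    if '@' in login:                      # UPN: bind directly, no search needed
        return ad.bind(login, password)
    dn = ad.search("(sAMAccountName=%s)" % escape_filter(login))
    return dn is not None and ad.bind(dn, password)
```

Either path sends the password to the DC in a simple bind, so in a real deployment the connection must be LDAPS or StartTLS.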

2. Another solution could be to use ADAM (Active Directory in Application
Mode) for the web application, and create ProxyUser accounts that relay to
an account in the Active Directory, but that's not really secure.

For security reasons I recommend you to use IIFP (Identity Integration
Feature Pack) to synchronize accounts between the external and internal
domain. Trusting domains/forests is not secure. IIFP is free as long as you
have a copy of Windows Server 2003.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
     
    Chriss3 [MVP], Jan 13, 2005
    #2

3. Kiosk

Kiosk Guest

    I have a similar problem, where do I find more info on IIFP ??
     
    Kiosk, Jan 14, 2005
    #3
  4. GMartin

    GMartin Guest

    I'm not really interested in copying our internal credentials out to the
    DMZ. Seems risky. I was considering doing all of the trust
    communications over IPSEC with direct holes through the firewall or
maybe using ISA to proxy the connection.

    \\Greg
     
    GMartin, Jan 14, 2005
    #4
  5. Chriss3 [MVP], Jan 14, 2005
    #5
  6. Hello,
    Have a look at:
    Identity Integration Feature Pack 1a for Microsoft Windows Server Active
    Directory:
    http://www.microsoft.com/downloads/...10-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en

    Microsoft Identity Integration Server 2003 Frequently Asked Questions
    Get answers to frequently asked questions about Microsoft Identity
    Integration Server 2003.
    http://www.microsoft.com/windowsserver2003/techinfo/overview/miisfaq.mspx

    Download details: Microsoft® Identity Integration Server 2003 Scenarios
    The scenarios for Microsoft Identity Integration Server 2003 introduce users
    to the fundamental concepts and functionality of Microsoft Identity
    Integration Server.
    http://www.microsoft.com/downloads/...53-d78e-4d9d-9e48-6cf0ae0c369c&displaylang=en


    Download details: Resource Tool Kit 2.0 for Microsoft Identity Integration
    Server 2003
    A set of command line and UI-based tools for remote administration and
    configuration of a server running Microsoft Identity Integration Server
    2003.
    http://www.microsoft.com/downloads/...7A-E8D5-43CF-AD4D-4F1F0AE00D79&displaylang=en

    Technical Overview of Microsoft Identity Integration Server 2003 with
    Service Pack 1
    This document provides a technical overview of Microsoft Identity
    Integration Server 2003 (MIIS) with Service Pack 1, which enables the
    integration and management of identity information across multiple
    repositories, systems, and platforms.
    http://www.microsoft.com/windowsserver2003/techinfo/overview/miis.mspx


    Microsoft Identity Integration Server (MIIS) 2003 Design and Planning
    Collection
    The Microsoft Identity Integration Server (MIIS) 2003 product and
    documentation teams have prepared this series of design and planning guides
    to assist you with your deployment of MIIS 2003 or the Identity Integration
    Feature Pack for Microsoft Windows Server Active Directory.
    http://www.microsoft.com/technet/prodtechnol/miis/plan.mspx

    Windows Server 2003 Identity and Directory Services
    Search Microsoft.com for: Go Identity and Directory Services Identity and
    access management systems help reduce the cost and complexity of managing
    the lifecycle and entitlements of digital credentials. The Microsoft
    solution for identity and access management is based on Microsoft Active
    http://www.microsoft.com/windowsserver2003/technologies/directory/default.mspx


    Technical Overview of Microsoft Identity Integration Server 2003 with
    Service Pack 1
    This document provides a technical overview of Microsoft Identity
    Integration Server 2003 (MIIS) with Service Pack 1, which enables the
    integration and management of identity information across multiple
    repositories, systems, and platforms.
    http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/miis.mspx

    Microsoft - IT Showcase: Enabling Cross-Forest Identity Management with
    Microsoft Identity Integration Server 2003
    Detailed discussion on Microsoft IT's implementation of Microsoft Identity
    Integration Server 2003.
    http://www.microsoft.com/technet/itsolutions/msit/deploy/cfimwiis.mspx

    Microsoft Identity Integration Server 2003 Classic Metadirectory
    This document describes how to build an MIIS 2003 infrastructure that will
    make the identity information in diverse data sources consistent throughout
    an enterprise. The goal of the paper is to help you ensure that all
    directory information maintained in separate systems is synchronized and
    correct.
    http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/classicmiis.mspx

    Microsoft Identity Integration Server 2003 Global Address List
    Synchronization
    Search Microsoft.com for: Go Microsoft Identity Integration Server 2003
    Global Address List SynchronizationPublished: September 9, 2003 Updated:
    March 6, 2004 Download 698 KB Microsoft Word file Updated: Mar 3, 2004
    Related Links . . . . Summary This document describes the global
    http://www.microsoft.com/windowsserver2003/techinfo/overview/miisgalarch.mspx


    Microsoft Identity Integration Server 2003 Password Management Overview
    Search Microsoft.com for: Go Microsoft Identity Integration Server 2003
    Password Management OverviewPublished: July 2, 2003 Download 273 KB
    Microsoft Word file Updated: Apr 13, 2004 Related Links . . . . Summary
    Password resets generate numerous calls to any organization's help desk
    http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/miispass.mspx

    Microsoft Identity Integration Server 2003 Simple Account Provisioning
    This scenario and walkthrough document explains how to manage Active
    Directory® directory service user accounts from a single authoritative data
    source by using Microsoft Identity Integration Server (MIIS) 2003.
    http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/simpleacctprov.mspx

    Microsoft Identity Integration Server 2003 Global Address List
    Synchronization Step-By-Step
    This scenario and walkthrough document provides a procedural implementation
    of the Microsoft Identity Integration Server (MIIS) 2003 Global Address List
    (GAL) synchronization solution.
    http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/galsynchstep.mspx


    Microsoft Identity Integration Server 2003 Classic Metadirectory Scenario
    Extension
    This document is an extension of the Microsoft Identity Integration Server
    2003 Classic Metadirectory Scenario.
    http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/classicmiisext.mspx

    Microsoft Identity Integration Server 2003 Support
    Consider the following support options available for Microsoft Identity
    Integration Server (MIIS) 2003.
    http://www.microsoft.com/windowsserversystem/miis2003/support/default.mspx

    Microsoft Identity Integration Server 2003 Password Management Overview
    Search Microsoft.com for: Go Microsoft Identity Integration Server 2003
    Password Management OverviewPublished: July 2, 2003 Download 273 KB
    Microsoft Word file Updated: Apr 13, 2004 Related Links . . . . Summary
    Password resets generate numerous calls to any organization's help desk
    http://www.microsoft.com/windowsserver2003/techinfo/overview/miispass.mspx

    Download details: Microsoft Identity Integration Server 2003 Walkthroughs
    These walkthrough documents describe sample implementations of MIIS 2003.
    They are intended to introduce users to fundamental concepts about identity
    management and how MIIS 2003 functions as part of an identity management
    solution by walking the users through the deployment of sample solutions.
    http://www.microsoft.com/downloads/...8f-d6cf-4b6b-8b14-9a1b36959cf5&displaylang=en


    How to Move the MIIS Database and Log Files to Different Drives
    Microsoft Identity Integration Server (MIIS) and the Identity Integration
    Feature Pack (IIFP) use Microsoft SQL Server 2000 as its data store. During
    product Setup, the MicrosoftIdentityIntegrationServer database is created on
    a selected SQL...
    http://support.microsoft.com/default.aspx?scid=kb;en-us;818565

    Identity and Access Management: Fundamental Concepts
All of the Microsoft technologies related to identity and access management
    http://www.microsoft.com/technet/security/topics/identity/idmanage/P1Fund_2.mspx

    Microsoft Identity Integration Server 2003 Product Overview
    Improve productivity, reduce security risk, and reduce the total cost of
    ownership associated with managing and integrating identity information
    across your enterprise.
    http://www.microsoft.com/windowsserversystem/miis2003/evaluation/overview/default.mspx

    No objects are exported when you run the export run profile for an Active
    Directory global address list management agent
    When you run export run profiles for Active Directory global address list
    (GAL) management agents to synchronize the global address lists in those
    forests, the operation displays a successful status. However, no objects are
    exported to the...
    http://support.microsoft.com/default.aspx?scid=kb;en-us;818572

    Password information is lost after you restore an MIIS 2003 or an IIFP
    database and abandon the encryption key set
    Describes an issue where you lose password information because you do not
    have a backup copy of the encryption key set when you restore an MIIS
    database from backup and you abandon the encryption key set.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;818566

    Multiple Forest Considerations in Windows 2000 and Windows Server 2003
    This paper enumerates the scenarios in which a multiforest environment might
    be necessary and analyzes the consequences of such an environment on the
    total cost of ownership of the enterprise. It is intended for architects and
    project managers who are designing an Active Directory deployment and have
    identified a potential need for multiple Active Directory forests.
    http://www.microsoft.com/technet/pr...logies/directory/activedirectory/mtfstwp.mspx

    Extranet Access Management and Single Sign On
    A variety of methods for improving extranet access management for
    business-to-business, business-to-consumer, and business-to-employee
    scenarios.
    http://www.microsoft.com/technet/security/topics/identity/idmanage/P3Extran_1.mspx


    How to build a new management agent to replace an existing management agent
    This article describes how to replace an existing management agent (MA). You
    may have to replace an existing management agent for the following are
    reasons: In Microsoft Identity Integration Server (MIIS) 2003 Cumulative Fix
    #4, there is a fix...
    http://support.microsoft.com/default.aspx?scid=kb;en-us;827117

    Microsoft Recommends That You Run a Full Import After You Restore a
    Connected Directory
    After you restore a Connected Directory from backup, Microsoft recommends
    that you perform a full discovery of the Connected Directory to re-establish
    the new watermark or delta.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823783

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
     
    Chriss3 [MVP], Jan 14, 2005
    #6
  7. GMartin

    GMartin Guest

    GMartin, Jan 14, 2005
    #7
  8. GMartin

    GMartin Guest

    Chriss, we're still working on the best solution to this problem. The
    problem at this point is what's more secure? 1) a one-way trust between
    our external and internal AD servers, or 2) an IIFP replication of our
    internal accounts into our external directory.

    You had suggested the latter approach. We're hesitant to replicate all
our internal credentials into an external directory. We'd like to
    understand the security weakness you see with the trust setup we had
    considered.

    I read the multi-forest consideration doc from MS and am still full of
    questions.

Thanks to you or anyone else who may wish to weigh in on this one.

    \\Greg
     
    GMartin, Feb 8, 2005
    #8