LDAP Authentication from remote website?

    Question

  • Hi:

    Our website is moving from our internal servers to an external host. Users want to be able to login to the external host using the same AD user/pass that they are used to. How do I get the external host to authenticate to AD?

    From what I've been reading, we'll want to use LDAPS, and I can write a firewall rule to only allow incoming from the host's IP. But beyond that, I'm not sure how to set this up on our domain. Can anyone point me in the right direction?

    Thanks,

    Tony

    Friday, July 15, 2011 8:01 PM

Answers

  • There are multiple methods that can be used to make an external server or application authenticate to AD. LDAP is preferred if you want to do more than just authentication, like reading user specific attributes stored in AD or what groups the user is member of etc.

    LDAP is already enabled on all your DCs and you need to enable LDAPS on one or more of your DCs that will be used by your website to authenticate.

    To enable LDAP over SSL (LDAPS) you need to install a certificate on your DC, a good overview of the steps needed and other related information are available in this article http://social.technet.microsoft.com/wiki/contents/articles/2980.aspx.

    LDAP over SSL provides a good level of security but it is still recommended to use IPSec externally to additionally authenticate and authorize the communication.

    /Hasain

    Monday, July 18, 2011 4:36 PM
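The answer above says to enable LDAPS on a DC and let the external web host bind to it. As an added illustration (not code from the thread or from Microsoft), the block below shows what that bind looks like on the wire and how the web host side should be configured: it hand-encodes an LDAP v3 simple BindRequest in BER, decodes the BindResponse result code, and builds a TLS context that refuses to talk to a DC whose certificate does not validate (the main failure mode when LDAPS is set up by hand). The hostname `dc1.example.com`, the CA file path, the bind DN and the password are placeholders, and the captured response bytes in the tests are constructed by hand from the LDAP ASN.1 definitions rather than taken from a real DC.

```python
import socket
import ssl
from typing import Optional, Tuple

LDAPS_PORT = 636                      # LDAP over TLS; never fall back to 389 (cleartext)
LDAP_RESULT_SUCCESS = 0
LDAP_RESULT_INVALID_CREDENTIALS = 49  # what AD returns for a wrong user/password


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER encoding for non-negative values (message IDs, protocol version)."""
    return ber_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    AD also accepts a userPrincipalName (user@domain) in place of a full DN."""
    bind_request = ber_tlv(
        0x60,                                        # [APPLICATION 0], constructed
        ber_int(3)                                   # LDAP v3
        + ber_tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN (OCTET STRING)
        + ber_tlv(0x80, password.encode("utf-8")),   # authentication: simple [0]
    )
    return ber_tlv(0x30, ber_int(message_id) + bind_request)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ldap_message_complete(buf: bytes) -> bool:
    """True once buf holds the whole outer SEQUENCE (used while reading from the socket)."""
    if len(buf) < 2:
        return False
    length, pos = buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < 2 + n:
            return False
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return len(buf) >= pos + length


def parse_bind_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (message_id, result_code, diagnostic_message) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)       # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldaps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the web host: the DC's certificate chain must validate against
    ca_file (the CA that issued the DC cert) and the name in it must match the host."""
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_enforces_verification(ctx: ssl.SSLContext) -> bool:
    """Guard for deployment scripts: refuse to run with a context that skips validation."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def ldaps_simple_bind(host: str, bind_dn: str, password: str,
                      ca_file: Optional[str] = None, timeout: float = 5.0) -> Tuple[int, str]:
    """Open a verified TLS session to the DC on 636 and perform one simple bind.
    Returns (result_code, diagnostic); 0 means the credentials were accepted."""
    ctx = ldaps_context(ca_file)
    with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI + hostname check
            tls.sendall(build_bind_request(1, bind_dn, password))
            data = b""
            while not ldap_message_complete(data):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("DC closed the connection before answering")
                data += chunk
    _, code, diag = parse_bind_response(data)
    return code, diag


if __name__ == "__main__":
    # Placeholders: replace with the DC the firewall rule exposes and the CA that signed its cert.
    code, diag = ldaps_simple_bind("dc1.example.com", "svc-web@example.com", "CHANGE-ME",
                                   ca_file="/etc/ssl/certs/corp-ca.pem")
    print("bind result", code, diag or "(no diagnostic)")
```

Two design points worth keeping when this is wired into the real site: the web host validates each user by attempting a bind with that user's own credentials (so it never needs to read password hashes), and the account used for any subsequent attribute or group lookups should be a low-privilege service account, since the external host is now a credential-handling system outside the internal network.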