what Directory service for external vendor to connect?

    Question

  • Dear all,

    Thanks for your help first.
    Current environment:
    - Windows Server 2008 AD (FFL and DFL are 2008 R2)

    Right now we have some vendors who will provide applications to our internal users. We would like to use our AD user accounts to log in to their applications; of course, their applications should support a native AD connection.

    I googled and found some options:
    - setup ADFS, application need to support this
    - setup Read Only AD for external application to connect
    - setup ADLDS for external application to connect
    - setup ADMT server for external application to connect

    Our requirement if possible:
    - do not want to sync all users a/c to above server, only sync specific users if possible
    - sync only some user attribute if possible
    - do not want to sync passwords if possible, because there will be a time lag until a password change gets synced

    We prefer to use ADFS for those applications that support it. For those applications that do not support ADFS, we will provide a directory service for them to connect to, but which option is the best according to our requirements?

    Any recommendation and suggestion on our situation and requirement?

    Thanks again.

    Patrick



    Tuesday, December 27, 2016 2:35 PM

Answers

All replies

  • Hello,

    Let's start with good options. ADFS is really the recommended option here from my point of view. Usually ADLDS with account synchronization is the second best option, as you can configure the sync the way you like and limit it appropriately.

    The others are bad ones. A Read Only AD server for them is only acceptable if there is no other option, as you expose too much in that case. Not sure how an ADMT server may help you with a reliable setup for external application access control.

    You can also have a look at Microsoft Cloud services:

    • If you are using Office 365, you already have an external Azure Active Directory you are synced with. It also provides connectors for many applications, and lots of developers make their apps compatible with it. So it is worth checking and looking at this option even if you don't currently use O365, as it is rather easy to set up.
    • Additionally Microsoft has introduced Azure Active Directory Domain Services (I know it is kind of confusing, as there are so many similar names) that can be a good alternative to Read Only server, as it allows you to configure granular synchronization to the directory located in the cloud and thus limit exposure of your internal resources to the application vendor.

    /Regards

    Tuesday, December 27, 2016 4:16 PM
  • Hi Avendil,

    Thanks for your reply.
    May I confirm if ADLDS can support the following requirement:

    - can filter to sync specific user a/c (not all)
    - can filter to sync some user a/c attribute
    - password will sync also? can it be no?

    Any document link can see the details?

    Thanks

    Patrick


    Thursday, December 29, 2016 12:29 AM
  • Hi,

    You can specify an LDAP filter and baseDN for the sync, so that you only sync what you want to. It is rather flexible.

    Yes, you can prepare the list of AD attributes to include/exclude from sync.

    Passwords will not sync in the common scenario. There are two best-practice options here: maintain separate passwords for AD LDS users, or enable proxy bind authentication.

    Here are several good links for you:

    Very user friendly explanation of how to setup the synchronization: https://blogs.technet.microsoft.com/askds/2012/11/12/adamsync-101/

    Explanation of how proxy authentication works: https://technet.microsoft.com/en-us/library/2008.12.proxy.aspx?pr=blog

    Explanation of how proxy authentication can be configured: https://blogs.technet.microsoft.com/efleis/2005/09/23/adamsync-can-also-transform-users-in-to-proxy-users/

    Microsoft official reference for AD DS - AD LDS synchronization: https://technet.microsoft.com/en-us/library/cc753671%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    /Regards

    • Proposed as answer by Wendy Jiang (Moderator) Monday, January 2, 2017 1:54 AM
    • Marked as answer by Pat2323 Wednesday, January 4, 2017 8:01 AM
    Thursday, December 29, 2016 7:49 AM
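The three points in the answer above (scoping the sync with a base DN and LDAP filter, copying only selected attributes, and using proxy bind so no password is ever stored in AD LDS) all land in one adamsync configuration file. The following is an added example, not code from the thread or from Microsoft; the domain corp.example.com, the source OU "VendorUsers", the AD LDS partition DC=vendorapp,DC=local, the instance port 50000 and the file names are assumptions. The configuration elements, the ldifde schema imports and the adamsync /install and /sync switches are the documented ones.

```powershell
# Added example: scoped AD DS -> AD LDS sync with userProxyFull objects.
# Assumed names: dc01.corp.example.com, OU=VendorUsers, DC=vendorapp,DC=local, port 50000.
$config = @'
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Vendor-facing users from AD DS to AD LDS (proxy objects only)</description>
    <security-mode>object</security-mode>
    <source-ad-name>dc01.corp.example.com</source-ad-name>
    <source-ad-partition>DC=corp,DC=example,DC=com</source-ad-partition>
    <!-- Empty: adamsync reads AD DS as the account it runs under -->
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>OU=Users,DC=vendorapp,DC=local</target-dn>
    <query>
      <!-- Requirement 1: only this OU is read, and only user objects in it -->
      <base-dn>OU=VendorUsers,DC=corp,DC=example,DC=com</base-dn>
      <object-filter>(&amp;(objectCategory=person)(objectClass=user))</object-filter>
      <attributes>
        <!-- Requirement 2: only these attributes leave the internal forest.
             objectSid is mandatory for proxy binds to work. -->
        <include>objectSid</include>
        <include>sAMAccountName</include>
        <include>userPrincipalName</include>
        <include>displayName</include>
        <include>mail</include>
        <exclude></exclude>
      </attributes>
    </query>
    <!-- Requirement 3: create userProxyFull objects instead of full users.
         No password is copied; a bind is redirected to AD DS via objectSid. -->
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxyFull</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures>0</consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update>0</runs-since-last-object-update>
    <runs-since-last-full-sync>0</runs-since-last-full-sync>
  </synchronizer-state>
</doc>
'@
$config | Set-Content -Path .\vendor-sync.xml -Encoding UTF8

# One-time schema preparation on the AD LDS instance: the sync metadata
# classes and the userProxyFull class (LDF files ship in %windir%\ADAM).
$inst = 'localhost:50000'
ldifde -i -f "$env:windir\ADAM\MS-AdamSyncMetadata.ldf" -s $inst -c "CN=Configuration,DC=X" "#configurationNamingContext"
ldifde -i -f "$env:windir\ADAM\MS-UserProxyFull.ldf"    -s $inst -c "CN=Configuration,DC=X" "#configurationNamingContext"

# Load the configuration, then run the sync (re-run /sync on a schedule).
adamsync /install $inst .\vendor-sync.xml
adamsync /sync $inst "OU=Users,DC=vendorapp,DC=local" /log .\vendor-sync.log
```

Two points worth checking after the first run: the log should show only objects under the assumed OU being created, each as userProxyFull with no unicodePwd, and the vendor application must bind to AD LDS over LDAPS, because AD LDS by default refuses proxy binds on unencrypted connections (the RequireSecureProxyBind setting); keep that default rather than relaxing it, since a proxy bind forwards the user's real AD password to the domain controller.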
  • Many thanks Avendil, very useful information.

    Patrick

    Friday, December 30, 2016 11:59 PM
  • Hi Patrick,
    If the replies above are helpful, we would appreciate it if you would mark them as answers; it will be greatly helpful to others who have the same question.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 2, 2017 1:56 AM
    Moderator