Re: AD in the DMZ

[Non Proprio <non () synaxis org>]

Wow, great minds think alike. My developers have the exact same thing in mind.

I'm torn between getting 'business done" and demanding a better form of identity management. The problem is that 
there's not time to really implement a full solution, so what I'm faced with is having to get customers connected in a 
world of Microsoft AD. 

Since the development team has bitten into Microsoft hook, line and sinker we're faced with a real business issue.

What about Microsoft's "identity management" application? Has anyone fiddled with this in reference to web apps?



On Oct 28, 2004 04:26 PM, Jeffrey Gorton <jpgorton () swbell net> wrote:

> I am aware of an internet-facing web application that is running on
> Microsoft SharePoint and using an Active Directory forest (that resides in a
> separate firewalled network segment) for user authentication.  There is also
> a one-way trust relationship with the AD forest on the internal network (the
> DMZ AD trusts the internal AD) so that internal users can access DMZ
> resources.  There is a firewall between the two AD forests, but the LDAP and
> necessary Windows ports are open.
>
> An Internet user authenticates with a DMZ AD account.  An internal user
> authenticates into the internal AD and then accesses DMZ resources (the DMZ
> AD contacts the internal AD for authentication).
>
> It seems to me that, if the SharePoint server is compromised, the attacker
> will be able to enumerate users on the internal AD.  Is this so?  What are
> the problems with this design?
>
> Thanks.