- How to set up AD authentication when IIS is in the DMZ?

on 19.07.2006 16:06:40 by dan

I need to be able to access AD to authenticate users coming to a .NET
application running on an IIS which is in the DMZ...

Here are the details:

My .NET app resides on a Win 2003 Server with IIS6 in the DMZ of the
firewall
Win 2000 AD tree can be accessed through a dedicated server via IP +
nonstandard port (not 389) + username + password (read-only permissions)...
By accessing AD I mean I can see the tree via LDAP browser

So far I was able to authenticate only users with local machine accounts...
I also tried setting up Digest authentication (by entering IP of the AD
server) to no avail...

Could someone help me out with this please... I am totally stuck here...
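As an added illustration of the setup Dan describes (a .NET application on a DMZ web server that can reach the directory only through a read-only account on a non-standard port), the following C# code is not from Dan, Ken, or Microsoft; it shows the usual two-step pattern for validating a login against AD over LDAP with System.DirectoryServices.Protocols. The host name, port, base DN and service account are placeholders and must be replaced with the real values.

```csharp
// Added example, not code from the thread. Validates a user's AD credentials
// from a web tier that only holds a read-only LDAP service account.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class LdapAuthenticator
{
    // Placeholders (assumptions, not values from the thread).
    const string LdapHost = "ldap-proxy.example.internal";
    const int LdapPort = 10636;                                  // non-standard LDAPS port
    const string BaseDn = "DC=example,DC=internal";
    const string ServiceUser = "svc_ldap_ro@example.internal";   // read-only account
    const string ServicePassword = "<service-account-password>";

    // Escapes a value for use inside an LDAP search filter (RFC 4515) so a
    // user-supplied login name cannot change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static LdapConnection Connect(NetworkCredential credential)
    {
        var id = new LdapDirectoryIdentifier(LdapHost, LdapPort);
        var conn = new LdapConnection(id, credential, AuthType.Basic);
        conn.SessionOptions.ProtocolVersion = 3;
        // A simple bind sends the password in clear text; wrap the session in TLS.
        conn.SessionOptions.SecureSocketLayer = true;
        return conn;
    }

    // Returns true only if exactly one user has that sAMAccountName and the
    // supplied password binds successfully as that user.
    public static bool ValidateCredentials(string samAccountName, string password)
    {
        // An empty password is sent as an unauthenticated bind, which directories
        // commonly accept; reject it before it ever reaches the server.
        if (string.IsNullOrEmpty(samAccountName) || string.IsNullOrEmpty(password))
            return false;

        string userDn;

        // Step 1: resolve the user's DN using the read-only service account.
        using (var conn = Connect(new NetworkCredential(ServiceUser, ServicePassword)))
        {
            conn.Bind();
            string filter = "(&(objectClass=user)(sAMAccountName="
                            + EscapeFilterValue(samAccountName) + "))";
            var request = new SearchRequest(BaseDn, filter, SearchScope.Subtree, "distinguishedName");
            var response = (SearchResponse)conn.SendRequest(request);
            if (response.Entries.Count != 1)
                return false;                          // unknown or ambiguous account
            userDn = response.Entries[0].DistinguishedName;
        }

        // Step 2: bind as the user; the directory itself verifies the password.
        try
        {
            using (var conn = Connect(new NetworkCredential(userDn, password)))
            {
                conn.Bind();
                return true;
            }
        }
        catch (LdapException ex) when (ex.ErrorCode == 49)   // 49 = invalidCredentials
        {
            return false;
        }
    }
}
```

The service account is only ever used to look up the DN, so it needs no more than read access; the password check itself is done by the directory during the second bind. Because the bind is a simple bind, the connection must be TLS-protected, and any ISA or firewall rule between the DMZ host and the directory server has to permit only that one port from that one source.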

Re: - How to set up AD authentication when IIS is in the DMZ?

on 20.07.2006 04:20:28 by Ken Schaefer

What you want to do isn't really a recommended solution security-wise.

Two alternate methods I would suggest:
a) use ISA Server in your DMZ to publish your IIS server, which is located
inside your network. ISA Server needs port 443 (or port 80) access to your
internal IIS Server. IIS Server can communicate with AD fine internally

b) put a DC in your external DMZ, as another domain in your forest. Create a
one-way trust between your two domains (since you have Win2000, you can't
use forest trusts IIRC)

Cheers
Ken

"Dan" wrote in message
news:u$SVQyzqGHA.4960@TK2MSFTNGP04.phx.gbl...
>I need to be able to access AD to authenticate users coming to a .NET
>application running on an IIS which is in the DMZ...
>
> Here are the details:
>
> My .NET app resides on a Win 2003 Server with IIS6 in the DMZ of the
> firewall
> Win 2000 AD tree can be accessed through a dedicated server via IP +
> nonstandard port (not 389) + username + password (read-only
> permissions)... By accessing AD I mean I can see the tree via LDAP browser
>
> So far I was able to authenticate only users with local machine
> accounts... I also tried setting up Digest authentication (by entering IP
> of the AD server) to no avail...
>
> Could someone help me out with this please... I am totally stuck here...
>