Extranet Authentication

on 31.10.2006 22:58:01 by Mike

I'm currently building a new company website (ASP.NET). Our web server is a
stand-alone in the DMZ. On the website, I'd like to have a place for
employees to log on using their same internal network username/password, so
they don't need additional logon information. (We do expire passwords
regularly.) Is it possible to securely authenticate to the internal Active
Directory? We have 1 forest with 3 domains (1 local & 2 across VPNs). Users
from all domains would need to authenticate. We use a hardware firewall, not
ISA. I'd appreciate it if someone can steer me in the right direction.

--
Mike

Re: Extranet Authentication

on 01.11.2006 06:33:08 by David Wang

Not really an IIS/Security question.

I have never done this sort of thing, but I suspect you would install
an Active Directory in the DMZ, set up a one way trust between the AD
in the DMZ and your Intranet, and punch holes in your Intranet Firewall
to only allow the AD in DMZ machine to talk to your AD in your
Intranet.

This way, IIS can talk to the AD in the DMZ, which has the one-way
relationship with the AD in your Intranet, and Intranet users can
authenticate through IIS, without exposing your Intranet AD to the
Internet.

I would suggest that you pose the question in an Active Directory
oriented newsgroup because they would be better suited. IIS just tags
along as a member server of a domain.


//David
http://w3-4u.blogspot.com
//


Mike wrote:
> I'm currently building a new company website (ASP.NET). Our web server is a
> stand-alone in the DMZ. On the website, I'd like to have a place for
> employees to log on using their same internal network username/password, so
> they don't need additional logon information. (We do expire passwords
> regularly.) Is it possible to securely authenticate to the internal Active
> Directory? We have 1 forest with 3 domains (1 local & 2 across VPNs). Users
> from all domains would need to authenticate. We use a hardware firewall, not
> ISA. I'd appreciate it if someone can steer me in the right direction.
>
> --
> Mike
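
Added example, not part of the thread: one way to check that a DMZ-to-intranet rule set really only lets the DMZ AD machine reach the intranet AD, as the reply proposes. All addresses, the rule list and the port set are constructed assumptions; the dynamic RPC range a real trust also needs is left out.

```python
import ipaddress

# Constructed sample topology (assumptions, not values from the thread).
DMZ_DC = ipaddress.ip_network("192.0.2.10/32")      # the AD machine in the DMZ
INTRANET = ipaddress.ip_network("10.0.0.0/8")       # everything behind the firewall
INTRANET_DCS = ipaddress.ip_network("10.0.0.0/29")  # subnet holding the internal DCs

# Well-known AD service ports: DNS, Kerberos, RPC endpoint mapper,
# LDAP, SMB, Kerberos password change, LDAPS.
AD_PORTS = {53, 88, 135, 389, 445, 464, 636}

# Constructed permit rules, DMZ -> intranet: (source, destination, port).
RULES = [
    ("192.0.2.10/32", "10.0.0.2/32", 88),    # DMZ DC -> internal DC, Kerberos
    ("192.0.2.10/32", "10.0.0.2/32", 389),   # DMZ DC -> internal DC, LDAP
    ("192.0.2.20/32", "10.0.0.2/32", 389),   # web server straight to an internal DC
    ("192.0.2.10/32", "10.0.5.0/24", 445),   # DMZ DC -> hosts that are not DCs
    ("192.0.2.10/32", "10.0.0.2/32", 3389),  # DMZ DC -> internal DC, non-AD port
]


def audit(rules):
    """Return the permit rules that break the 'only DMZ AD talks to intranet AD' design."""
    findings = []
    for src, dst, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(INTRANET):
            continue  # rule does not cross into the intranet
        if src_net != DMZ_DC:
            reason = "source is not the DMZ DC"
        elif not dst_net.subnet_of(INTRANET_DCS):
            reason = "destination is not an intranet DC"
        elif port not in AD_PORTS:
            reason = "port is not an AD service port"
        else:
            continue  # rule matches the intended design
        findings.append((src, dst, port, reason))
    return findings


if __name__ == "__main__":
    for src, dst, port, reason in audit(RULES):
        print(f"REVIEW {src} -> {dst}:{port}  ({reason})")
```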