User List from Active Directory, even if IIS is NOT in the domain?

am 15.02.2007 05:25:19 von vidguide

We have a set of 4 servers running our external web system. These
machines are NOT on our domain for security and performance reasons.
We have a separate (5th) machine which runs our local office network,
Active Directory, etc.

Normally, we've had no problem keeping this particular intranet site
internal, and hence IP security was fine. However, we have now
recently merged with another company, and some of our staff have
migrated to the other office. We do not have any plans to establish a
VPN, because aside from this site, we have no need to share data.

The staff that have moved to the other office will still be maintained
in our Active Directory, and have internet access. So the plan was to
open this site up and remove IP restrictions, and use an access
control list instead. My plan, hopefully, is to use Active Directory
and a combination of windows auth & basic auth.

Windows auth will allow the people in this office to continue
seamlessly accessing the site, and basic auth would allow the staff
who move to log in with a password.

It seems if the Active Directory & IIS were on the one machine, or
indeed, even in the domain together, this would not be a problem. But
they are not .. Does anyone know of a way to get IIS on one non-
domain machine to use the ACL from an Active Directory?

Thanks in advance for any advice!

Re: User List from Active Directory, even if IIS is NOT in the domain?

am 15.02.2007 05:28:23 von vidguide

On Feb 15, 3:25 pm, vidgu...@gmail.com wrote:
> We have a set of 4 servers running our external web system. These
> machines are NOT on our domain for security and performance reasons.
> We have a separate (5th) machine which runs our local office network,
> Active Directory, etc.
>
> Normally, we've had no problem keeping this particular intranet site
> internal, and hence IP security was fine. However, we have now
> recently merged with another company, and some of our staff have
> migrated to the other office. We do not have any plans to establish a
> VPN, because aside from this site, we have no need to share data.
>
> The staff that have moved to the other office will still be maintained
> in our Active Directory, and have internet access. So the plan was to
> open this site up and remove IP restrictions, and use an access
> control list instead. My plan, hopefully, is to use Active Directory
> and a combination of windows auth & basic auth.
>
> Windows auth will allow the people in this office to continue
> seamlessly accessing the site, and basic auth would allow the staff
> who move to log in with a password.
>
> It seems if the Active Directory & IIS were on the one machine, or
> indeed, even in the domain together, this would not be a problem. But
> they are not .. Does anyone know of a way to get IIS on one non-
> domain machine to use the ACL from an Active Directory?
>
> Thanks in advance for any advice!

Or alternatively, a combination of Basic Auth and IP Restrictions?
I.e., can I set it up to:
If IP is 10.100.*.*, grant access
*AND*
If not, use basic auth, rather than flat out deny. This way we could
just have a single user/pass for external access. (this level of
security would be fine, even tho it does not provide user logging/
tracking)
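The access decision sketched in this post (requests from the office range pass without a challenge, everyone else is challenged for Basic credentials instead of being denied outright) written out as an added Python example. This is not code from the thread or from IIS; the 10.100.0.0/16 subnet, the realm name, the PBKDF2 user store and the shared account name "external" are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed policy values (not from the thread): the "10.100.*.*" office range
# and a realm name for the Basic-auth challenge.
OFFICE_NETWORK = ipaddress.ip_network("10.100.0.0/16")
REALM = "intranet"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

UserStore = Dict[str, Tuple[bytes, bytes]]  # name -> (salt, pbkdf2 hash)


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the store never holds the shared password in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store(plain: Dict[str, str]) -> UserStore:
    """Build a salted, hashed store from {username: password} (constructed input)."""
    store: UserStore = {}
    for name, password in plain.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(password, salt))
    return store


@dataclass
class Decision:
    status: int                      # 200 allow, 401 challenge
    headers: Dict[str, str] = field(default_factory=dict)
    principal: str = "anonymous"     # what the access log can record


def authorize(client_ip: str, authorization: Optional[str], users: UserStore) -> Decision:
    """Allow by source IP, else allow by Basic credentials, else challenge.

    client_ip must be the TCP peer address, never a client-supplied header.
    Once external requests are relayed through another server (as the
    workaround later in the thread does), the peer is the relay, and this
    rule then sees every relayed request as coming from one address.
    """
    if ipaddress.ip_address(client_ip) in OFFICE_NETWORK:
        return Decision(200, principal=f"ip:{client_ip}")

    # Outside the office: answer 401 with a challenge rather than 403, so a
    # browser prompts for credentials instead of showing a flat denial.
    if not authorization or not authorization.startswith("Basic "):
        return Decision(401, dict(CHALLENGE))
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return Decision(401, dict(CHALLENGE))
    name, sep, password = raw.partition(":")
    if not sep:
        return Decision(401, dict(CHALLENGE))

    # Run the derivation even for unknown names, so response time does not
    # reveal which usernames exist; an unknown name compares against b"".
    salt, expected = users.get(name, (b"\x00" * 16, b""))
    if hmac.compare_digest(_derive(password, salt), expected):
        return Decision(200, principal=f"user:{name}")
    return Decision(401, dict(CHALLENGE))


def make_basic_header(name: str, password: str) -> str:
    """Build the Authorization header a browser sends for these credentials."""
    token = base64.b64encode(f"{name}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    store = make_user_store({"external": "shared-password-example"})  # constructed
    for ip, hdr in [("10.100.3.7", None),
                    ("203.0.113.5", None),
                    ("203.0.113.5", make_basic_header("external", "shared-password-example"))]:
        d = authorize(ip, hdr, store)
        print(ip, d.status, d.principal)
```

Two things the example makes visible: with a single shared account every external request is logged as `user:external`, which is exactly the per-user tracking the post gives up; and Basic credentials are only base64-encoded on the wire, so the external path has to be TLS for this to be acceptable at any level.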

Re: User List from Active Directory, even if IIS is NOT in the domain?

am 15.02.2007 06:07:05 von vidguide

On Feb 15, 3:28 pm, vidgu...@gmail.com wrote:
> On Feb 15, 3:25 pm, vidgu...@gmail.com wrote:
>
> > We have a set of 4 servers running our external web system. These
> > machines are NOT on our domain for security and performance reasons.
> > We have a separate (5th) machine which runs our local office network,
> > Active Directory, etc.
>
> > Normally, we've had no problem keeping this particular intranet site
> > internal, and hence IP security was fine. However, we have now
> > recently merged with another company, and some of our staff have
> > migrated to the other office. We do not have any plans to establish a
> > VPN, because aside from this site, we have no need to share data.
>
> > The staff that have moved to the other office will still be maintained
> > in our Active Directory, and have internet access. So the plan was to
> > open this site up and remove IP restrictions, and use an access
> > control list instead. My plan, hopefully, is to use Active Directory
> > and a combination of windows auth & basic auth.
>
> > Windows auth will allow the people in this office to continue
> > seamlessly accessing the site, and basic auth would allow the staff
> > who move to log in with a password.
>
> > It seems if the Active Directory & IIS were on the one machine, or
> > indeed, even in the domain together, this would not be a problem. But
> > they are not .. Does anyone know of a way to get IIS on one non-
> > domain machine to use the ACL from an Active Directory?
>
> > Thanks in advance for any advice!
>
> Or alternatively, a combination of Basic Auth and IP Restrictions?
> I.e., can I set it up to:
> If IP is 10.100.*.*, grant access
> *AND*
> If not, use basic auth, rather than flat out deny. This way we could
> just have a single user/pass for external access. (this level of
> security would be fine, even tho it does not provide user logging/
> tracking)

While I'm still interested in a solution to do it as mentioned above
(i.e., keeping the same name) I have found and implemented a temporary
solution by redirecting external requests through to the other server.
This isn't ideal, but it works for now. :)

Thanks

Re: User List from Active Directory, even if IIS is NOT in the domain?

am 16.02.2007 03:29:46 von Roger Abell

If your webserver is not in the domain it cannot make use
of the domain's accounts and ACL based on them (short
of trusts, or some form of mapping such as from a local
ADAM+code or from use of ADFS - all of which seem
out of scope for your situation).

Question: if the intranet web was isolated to protect
the internal domain, the intranet web content, etc.
but now the decision has been made to break down
that barrier (AD accounts used over the internet to
access the intranet web), perhaps it is time to rethink
whether there is any longer advantage to not having
a domain joined webserver hanging on the outside
(well protected of course, such as by allowing only
tcp 80/443 with external IPs and allowing authenticated
access only).


wrote in message
news:1171516025.480815.302310@p10g2000cwp.googlegroups.com...
> On Feb 15, 3:28 pm, vidgu...@gmail.com wrote:
>> On Feb 15, 3:25 pm, vidgu...@gmail.com wrote:
>>
>> > We have a set of 4 servers running our external web system. These
>> > machines are NOT on our domain for security and performance reasons.
>> > We have a separate (5th) machine which runs our local office network,
>> > Active Directory, etc.
>>
>> > Normally, we've had no problem keeping this particular intranet site
>> > internal, and hence IP security was fine. However, we have now
>> > recently merged with another company, and some of our staff have
>> > migrated to the other office. We do not have any plans to establish a
>> > VPN, because aside from this site, we have no need to share data.
>>
>> > The staff that have moved to the other office will still be maintained
>> > in our Active Directory, and have internet access. So the plan was to
>> > open this site up and remove IP restrictions, and use an access
>> > control list instead. My plan, hopefully, is to use Active Directory
>> > and a combination of windows auth & basic auth.
>>
>> > Windows auth will allow the people in this office to continue
>> > seamlessly accessing the site, and basic auth would allow the staff
>> > who move to log in with a password.
>>
>> > It seems if the Active Directory & IIS were on the one machine, or
>> > indeed, even in the domain together, this would not be a problem. But
>> > they are not .. Does anyone know of a way to get IIS on one non-
>> > domain machine to use the ACL from an Active Directory?
>>
>> > Thanks in advance for any advice!
>>
>> Or alternatively, a combination of Basic Auth and IP Restrictions?
>> I.e., can I set it up to:
>> If IP is 10.100.*.*, grant access
>> *AND*
>> If not, use basic auth, rather than flat out deny. This way we could
>> just have a single user/pass for external access. (this level of
>> security would be fine, even tho it does not provide user logging/
>> tracking)
>
> While I'm still interested in a solution to do it as mentioned above
> (i.e., keeping the same name) I have found and implemented a temporary
> solution by redirecting external requests through to the other server.
> This isn't ideal, but it works for now. :)
>
> Thanks
>

Re: User List from Active Directory, even if IIS is NOT in the domain?

am 16.02.2007 06:34:37 von vidguide

On Feb 16, 1:29 pm, "Roger Abell [MVP]" wrote:
> If your webserver is not in the domain it cannot make use
> of the domain's accounts and ACL based on them (short
> of trusts, or some form of mapping such as from a local
> ADAM+code or from use of ADFS - all of which seem
> out of scope for your situation).
>
> Question: if the intranet web was isolated to protect
> the internal domain, the intranet web content, etc.
> but now the decision has been made to break down
> that barrier (AD accounts used over the internet to
> access the intranet web), perhaps it is time to rethink
> whether there is any longer advantage to not having
> a domain joined webserver hanging on the outside
> (well protected of course, such as by allowing only
> tcp 80/443 with external IPs and allowing authenticated
> access only).
>
> wrote in message
> news:1171516025.480815.302310@p10g2000cwp.googlegroups.com...
>
> > On Feb 15, 3:28 pm, vidgu...@gmail.com wrote:
> >> On Feb 15, 3:25 pm, vidgu...@gmail.com wrote:
>
> >> > We have a set of 4 servers running our external web system. These
> >> > machines are NOT on our domain for security and performance reasons.
> >> > We have a separate (5th) machine which runs our local office network,
> >> > Active Directory, etc.
>
> >> > Normally, we've had no problem keeping this particular intranet site
> >> > internal, and hence IP security was fine. However, we have now
> >> > recently merged with another company, and some of our staff have
> >> > migrated to the other office. We do not have any plans to establish a
> >> > VPN, because aside from this site, we have no need to share data.
>
> >> > The staff that have moved to the other office will still be maintained
> >> > in our Active Directory, and have internet access. So the plan was to
> >> > open this site up and remove IP restrictions, and use an access
> >> > control list instead. My plan, hopefully, is to use Active Directory
> >> > and a combination of windows auth & basic auth.
>
> >> > Windows auth will allow the people in this office to continue
> >> > seamlessly accessing the site, and basic auth would allow the staff
> >> > who move to log in with a password.
>
> >> > It seems if the Active Directory & IIS were on the one machine, or
> >> > indeed, even in the domain together, this would not be a problem. But
> >> > they are not .. Does anyone know of a way to get IIS on one non-
> >> > domain machine to use the ACL from an Active Directory?
>
> >> > Thanks in advance for any advice!
>
> >> Or alternatively, a combination of Basic Auth and IP Restrictions?
> >> I.e., can I set it up to:
> >> If IP is 10.100.*.*, grant access
> >> *AND*
> >> If not, use basic auth, rather than flat out deny. This way we could
> >> just have a single user/pass for external access. (this level of
> >> security would be fine, even tho it does not provide user logging/
> >> tracking)
>
> > While I'm still interested in a solution to do it as mentioned above
> > (i.e., keeping the same name) I have found and implemented a temporary
> > solution by redirecting external requests through to the other server.
> > This isn't ideal, but it works for now. :)
>
> > Thanks

The web server serves a number of web-based applications; this is
unfortunately only one of the 4 applications that it serves (all use
the single datasource tho, so can't be easily separated).

I understand what you're saying, and it could definitely work, but
unfortunately it is outside of my power to make those changes. I believe
the solution listed will do me for now; I was just wondering if it could
have been done, given the situation.