This might sound like a stupid and insecure question, but we're front-end web developers and don't know that much about these things. So here goes...

We're creating a web app where we want to log in using credentials from Active Directory. Only read access though, we just need to log on with AD credentials, and get a callback indicating success or not.

I know this much: passwords in AD are encrypted, so we can't have a replica of the username and password in our database, syncing once a day or so. So, we've concluded so far that a solution like this should be inside the customer's network. So, in order for it to access both Active Directory AND the internet, it needs to be inside a DMZ zone?

Or maybe this all sounds stupid? Because we only pull username and password from AD anyway, we don't need anything else. So perhaps the extra gain the end user gets is that he/she doesn't have to remember one extra password? And that may not be worth it?

Edit: All users that would use this already exist in Active Directory. So it's basically a tool that the sales department would use when traveling from their client to the next.

Feel free to downvote this question if it sounds extremely stupid :)

user216357
  • Have you considered putting a Read Only Domain Controller in the DMZ? – MichelZ Apr 14 '14 at 10:55
  • I don't have access to the domain like that. I'm just trying to gather enough information to make a recommendation for the client, who doesn't know much about anything technical – user216357 Apr 14 '14 at 11:13
  • An RODC isn't a great mitigation for this - you'd probably have to have the entire AD copied into it. And you still have to have all the AD replication ports opened. An AD LDS copy would be better. – mfinni Apr 14 '14 at 12:41
  • Yes, but at least you don't have to open the connection directly from the webserver to the DCs. – MichelZ Apr 14 '14 at 13:28
  • Will the users be connecting to the web site from their AD joined computers or from non-AD joined computers? – joeqwerty Apr 14 '14 at 13:38
  • Since with an RODC, you're still putting a copy of every user into the local database, which is in the DMZ, and you need the same ports for replication that you'd need for an actual DC, you've improved security very little. – mfinni Apr 14 '14 at 13:57

1 Answer

You could do this about 30 ways. It would help us to know what OS/language/framework you're using on the web servers - some or many of them will have a module to do some or all of these methods.

You could use LDAP. You could use Kerberos. You could use NTLM. Hell, you could use SMTP if there's an Exchange or other AD-integrated mail server that you can query - I've seen that done.

The web server could be configured to point to a domain controller, or a member server, or an AD LDS (formerly ADAM) server. If using the latter, you can put it in a DMZ. You generally won't want to put any of the other options in a DMZ.

The traffic could be encrypted using a protocol-specific encryption layer - if using LDAP, use LDAPS instead. If you were using SMTP, I'd say to use IPSec or TLS.

FYI - if you were my vendor, I'd want to know that you were doing this securely and that I wasn't your guinea pig. Consider hiring someone who knows what they're doing for this part of the project. Don't half-ass this and then get the customer's network exploited.

mfinni
  • Yes, we wouldn't want to do anything that might compromise the network of the customer. And quite frankly, we don't want this responsibility either, because it's not our forte at all. I think we would have to hire some experts on this for this part of the project, as you say. That way, we're not held responsible for anything that may or may not happen. Thank you for your insight! :) It really helps :) – user216357 Apr 15 '14 at 07:03
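As an added example (not code from the question, the answer or any commenter), the Python sketch below shows the LDAP route the answer mentions, done over LDAPS with the server certificate validated, plus the two input checks a web login front-end needs before it ever talks to AD: escaping the username in the search filter, and refusing an empty password, which would turn a simple bind into an unauthenticated bind that a directory can answer with success. It assumes the third-party ldap3 library and a low-privilege service account for the user lookup; host, base DN, service DN and CA file are parameters the caller supplies.

```python
import ssl

# ldap3 (pip install ldap3) is a third-party library; it is imported inside
# ad_login() so the input-handling helpers below work without it installed.

def escape_ldap_filter(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515), so input such as 'jsmith)(objectClass=*' cannot change the
    filter's logic."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def credentials_look_valid(username: str, password: str) -> bool:
    """Reject input that changes the meaning of a simple bind. An empty
    password turns a simple bind into an *unauthenticated* bind (RFC 4513
    section 5.1.2), which a directory may answer with success without having
    checked anything; control characters have no place in an account name."""
    if not username or not password:
        return False
    return len(username) <= 256 and all(ord(c) >= 0x20 for c in username)

def ad_login(host: str, base_dn: str, svc_dn: str, svc_pw: str, ca_file: str,
             username: str, password: str) -> bool:
    """Verify a user's AD credentials over LDAPS (TCP 636) with the server
    certificate validated against ca_file. Steps: bind as a low-privilege
    service account, resolve the user's DN with an escaped filter, then bind
    as that DN with the password the user typed."""
    from ldap3 import Connection, Server, Tls, SIMPLE  # third-party
    if not credentials_look_valid(username, password):
        return False
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    svc = Connection(server, user=svc_dn, password=svc_pw, authentication=SIMPLE)
    if not svc.bind():
        raise RuntimeError('service account bind failed: %s' % svc.result)
    try:
        flt = '(&(objectClass=user)(sAMAccountName=%s))' % escape_ldap_filter(username)
        found = svc.search(base_dn, flt, attributes=['distinguishedName'])
        if not found or len(svc.entries) != 1:
            return False  # unknown or ambiguous account: treat as a failed login
        user_dn = svc.entries[0].entry_dn
    finally:
        svc.unbind()
    user = Connection(server, user=user_dn, password=password, authentication=SIMPLE)
    try:
        return bool(user.bind())  # False on a wrong password (invalidCredentials)
    finally:
        user.unbind()
```

Plain LDAP on 389 without TLS would send the service and user passwords in clear text across the DMZ boundary, which is the reason the answer insists on LDAPS.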