I have an internet-facing application server that I want to use AD authentication for. This is my first time doing this for a non-MS application or without some sort of proxy. I already have an idea in my mind as to how to perform this. I wanted to make sure I wasn't missing an obvious security hole.
My current idea is for Internet traffic to go to a DMZ web-app server that allows only HTTPS/443 traffic and denies all others, including outgoing traffic (not including LDAPS).
Inside the DMZ I will have a Read-Only Domain Controller that will deny all inbound/outbound traffic besides that required for LDAPS and the ports required for an RODC (based on MS RODC DMZ best practices). The RODC will not have any direct internet traffic.
On the internal network I will have a regular domain controller.
All communication between the WebApp and the RODC will be LDAPS. All IP communication between the 3 servers will use IPsec to authenticate and encrypt IP traffic.
The RODC will be filtered to only contain username data, no password or other data. It will query the internal DC every time, on demand. Both the WebApp and the RODC will be Server Core installations with no GUI.
WebApp ----|IPSEC/LDAPS|--->RODC-----|IPSEC/LDAPS|--->Internal DC
Obviously all servers will be locked down to only allow direct IP traffic on the ports needed and nothing else.
Am I missing something?
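As an added illustration (not part of the question), the allow-list the post describes for the RODC tier, expressed as Windows Firewall and IPsec rules in PowerShell. The IP addresses are placeholders, and the RODC-to-DC port list is an assumption to reconcile with the MS RODC perimeter-network guidance the post cites.

```powershell
# Added example (not from the post): firewall/IPsec baseline for the DMZ RODC.
# Addresses are placeholders; the RODC->DC port list is an assumption to check
# against the MS RODC perimeter-network guidance.
$WebApp     = '203.0.113.10'   # placeholder: DMZ web-app server
$InternalDC = '10.0.0.5'       # placeholder: writable DC on the internal network

# 1. Default deny in both directions on every profile; everything below is an allow-list.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Inbound: only LDAPS (636/TCP), and only from the web-app server.
New-NetFirewallRule -DisplayName 'RODC allow LDAPS from WebApp' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 636 -RemoteAddress $WebApp

# 3. Outbound: only the ports the RODC needs to reach the writable DC
#    (assumed set; the post defers to MS RODC DMZ guidance for the exact list).
$DcTcpPorts = @('53','88','135','389','445','636','49152-65535')
$DcUdpPorts = @('53','88','123','389')
New-NetFirewallRule -DisplayName 'RODC allow TCP to internal DC' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort $DcTcpPorts -RemoteAddress $InternalDC
New-NetFirewallRule -DisplayName 'RODC allow UDP to internal DC' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort $DcUdpPorts -RemoteAddress $InternalDC

# 4. Require IPsec (not merely request it) for every packet to/from the two peers,
#    so a host that cannot authenticate gets nothing through, even on allowed ports.
New-NetIPsecRule -DisplayName 'RODC require IPsec with WebApp' `
    -RemoteAddress $WebApp -InboundSecurity Require -OutboundSecurity Require
New-NetIPsecRule -DisplayName 'RODC require IPsec with internal DC' `
    -RemoteAddress $InternalDC -InboundSecurity Require -OutboundSecurity Require

# 5. Verify: list what is actually allowed after the change.
Get-NetFirewallRule -Enabled True -Action Allow |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort
```

The same pattern applies to the web-app host with the directions reversed: inbound 443/TCP from anywhere, outbound only 636/TCP to the RODC, and IPsec required towards the RODC.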