Web app authenticate against customer AD?
-
@pete-s said in Web app authenticate against customer AD?:
I have an enterprise customer who uses web applications on the net where the users log in with their regular login / password from the customer's AD.
How is this done?
Depending on the environment, it can be an SSO setup or an LDAP connector to your AD systems.
-
But is it likely that an enterprise would expose LDAP to the internet? Or is there something else in between?
-
@pete-s said in Web app authenticate against customer AD?:
But is it likely that an enterprise would expose LDAP to the internet? Or is there something else in between?
You can do this, using ldaps and some certificates.
But likely you want to use SSO, which is done over HTTP/HTTPS. Many sites support SSO using SAML 2.0 compliant implementations, like ADFS.
For example, the MS CRM system has you set up ADFS by default; you don't have to, but it is recommended, and I think required if you want remote users to use it without a VPN.
This consists of the CRM and ADFS servers to provide access to people outside the LAN.
CRM homepage exposed to the internet on 443, ADFS server on 443 exposed as well. Someone on an outside network signs into the CRM homepage with AD creds. The login request gets sent to the public IP of your ADFS server over HTTPS, which then connects to your AD server on the LAN, does its checks and responds with yay or nay to CRM.
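As an added example (not code from the thread or from any poster), here is what "ldaps and some certificates" looks like from the web application's side: a raw LDAP simple bind over TLS on port 636, using only the Python standard library so the bytes on the wire are visible, with certificate and hostname verification switched on. The DC name, bind DN, password and CA bundle path are assumptions, and the two bind responses at the bottom are constructed, not captured from a real DC.

```python
"""Raw LDAP simple bind over LDAPS (TCP 636) with strict certificate verification.

Added example, not code from the thread. Standard library only, so the BER
encoding of the bind is visible; a real app would use a library such as ldap3.
"""
import socket
import ssl


# --- minimal BER helpers (RFC 4511 uses a restricted BER subset) ------------------

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (enough for message IDs and versions)."""
    return ber_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (
        ber_int(3)                          # version
        + ber_tlv(0x04, bind_dn.encode())   # name: LDAPDN as OCTET STRING
        + ber_tlv(0x80, password.encode())  # authentication: simple [0], context-specific primitive
    )
    # 0x60 = [APPLICATION 0] constructed = BindRequest
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(msg: bytes) -> int:
    """resultCode from a BindResponse ([APPLICATION 1]); 0 = success, 49 = invalidCredentials."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    code_tag, code, _ = _read_tlv(op, 0)    # resultCode is ENUMERATED (tag 0x0A)
    if code_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


# --- TLS: this is the "some certificates" part ------------------------------------

def ldaps_context(ca_bundle: str) -> ssl.SSLContext:
    """Trust only the CA that issued the DC's certificate and verify the DC's hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # ca_bundle path is an assumption
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # never CERT_NONE: the bind carries the password in clear inside TLS
    ctx.check_hostname = True             # the cert's SAN must match the DC name the app connects to
    return ctx


def ldaps_simple_bind(host: str, bind_dn: str, password: str, ca_bundle: str,
                      port: int = 636, timeout: float = 5.0) -> int:
    """Open LDAPS to the DC, send one simple bind, return its resultCode. Needs a real DC."""
    ctx = ldaps_context(ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return bind_result_code(tls.recv(4096))


# Constructed BindResponse messages (not captured from a real DC) for an offline check.
SAMPLE_BIND_SUCCESS = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
SAMPLE_BIND_INVALID = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")

if __name__ == "__main__":
    # Hypothetical DC, service account and CA bundle; only the offline parts run without a DC.
    print(bind_request(1, "cn=svc-webapp,dc=example,dc=local", "s3cret").hex())
    print(bind_result_code(SAMPLE_BIND_SUCCESS), bind_result_code(SAMPLE_BIND_INVALID))
    # ldaps_simple_bind("dc01.example.local", "cn=svc-webapp,dc=example,dc=local", "s3cret", "/etc/ssl/corp-ca.pem")
```

The point of the example is that a simple bind sends the user's password in the clear inside the TLS tunnel, so the verification settings in ldaps_context are what make exposing 636 tolerable at all: with verify_mode set to CERT_NONE, anyone between the web app and the DC can terminate TLS and read every login, which is why the DC needs a certificate from a CA the app actually trusts and a name the app actually checks.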
-
@momurda said in Web app authenticate against customer AD?:
Thanks, I'll look more into this.
-
@pete-s said in Web app authenticate against customer AD?:
that an enterprise would expose ldap to the inter
Very unlikely; there must be a VPN, or LDAP open externally but only allowed from certain IP addresses of said cloud vendor.
-
@dbeato said in Web app authenticate against customer AD?:
Very unlikely; there must be a VPN, or LDAP open externally but only allowed from certain IP addresses of said cloud vendor.
LDAP can be secured the same way HTTP traffic can be. In fact, it's the default in Active Directory.
-
@travisdh1 said in Web app authenticate against customer AD?:
LDAP can be secured the same way HTTP traffic can be. In fact, it's the default in Active Directory.
What do you mean, LDAP secured? You mean LDAPS?
-
@dbeato said in Web app authenticate against customer AD?:
@travisdh1 said in Web app authenticate against customer AD?:
@dbeato said in Web app authenticate against customer AD?:
@pete-s said in Web app authenticate against customer AD?:
that an enterprise would expose ldap to the inter
Very unlikely, there must be a VPN or a LDAP open externally only allowed from certain IP addresses from said Cloud vendor.
LDAP can be secured the same way HTTP traffic can be. In fact, it's the default in Active Directory.
What do you mean, LDAP secured? You mean LDAPS?
Yes.
-
@travisdh1 said in Web app authenticate against customer AD?:
What do you mean, LDAP secured? You mean LDAPS?
Yes.
LDAPS is still not the default in AD, as far as I know.
-
@dbeato said in Web app authenticate against customer AD?:
@travisdh1 said in Web app authenticate against customer AD?:
@dbeato said in Web app authenticate against customer AD?:
@travisdh1 said in Web app authenticate against customer AD?:
@dbeato said in Web app authenticate against customer AD?:
@pete-s said in Web app authenticate against customer AD?:
that an enterprise would expose ldap to the inter
Very unlikely, there must be a VPN or a LDAP open externally only allowed from certain IP addresses from said Cloud vendor.
LDAP can be secured the same way HTTP traffic can be. In fact, it's the default in Active Directory.
What do you mean LDAP secured? you mean LDAPS?
Yes.
LDAPS is still not the default in AD, as far as I know.
Really? That's just bad. I thought they had Kerberos by default.
-
@travisdh1 said in Web app authenticate against customer AD?:
Really? That's just bad. I thought they had Kerberos by default.
-
@dbeato said in Web app authenticate against customer AD?:
Really? That's just bad. I thought they had Kerberos by default.
Wow, just, wow. Haven't they figured this out by now?
-
@travisdh1 said in Web app authenticate against customer AD?:
Wow, just, wow. Haven't they figured this out by now?
It would be nice if it was on by default.