I'm currently building a new company website. (asp.Net) Our web server is a
stand-alone in the DMZ. On the website, I'd like to have a place for
employees to logon
using their same internal, network username/password, so they don't need
additional logon information. (We do expire passwords regularly) Is it
possible to securly authenticate to the internal active directory? We have 1
forest with 3 domains (1 local & 2 across VPN's). Users from all domains
would need to authenticate. We use a hardware firewall, not ISA. I'd
appreciate it if someone can steer me in the right direction.

Not really an IIS/Security question.

I have never done this sort of thing, but I suspect you would install
an Active Directory in the DMZ, set up a one way trust between the AD
in the DMZ and your Intranet, and punch holes in your Intranet Firewall
to only allow the AD in DMZ machine to talk to your AD in your
Intranet.

This way, IIS can talk to the AD in the DMZ, which has the one-way
relationship with the AD in your Intranet, and Intranet users can
authenticate through IIS. Without exposing your Intranet AD to the
Internet.

I would suggest that you pose the question in an Active Directory
oriented newsgroup because they would be better suited. IIS just tags
along as a member server of a domain.


//David
http://w3-4u.blogspot.com
//


Mike wrote:
Show quoteHide quote

Web Applications located on a FileDiskImage not accessable with Internet Information Server ? (Delph
Switching from http to https
IIS 5.0 Manage for non-admin rights
URL Authentication IIS 6.0
Monitor IIS for http and https ussage!
Webservice to an Out of process server
IIS 6 Directory Services Mapping ACL Problems
403 Forbidden
Web Site Access requires UserID and Password - Resolved
Import Cert without pfx or pending request