Domain joined WAP in DMZ

To date, I've only ever used ADFS for claims aware applications.

I'm now looking at using it for some non-claims aware applications.

I've read that the WAP server must be domain-joined for this so that it can perform Kerberos constrained delegation.

I've previously been told that domain-joined servers shouldn't be in the DMZ. Assuming that advice is still best practice, what is the most secure way of deploying domain-joined WAP servers in a DMZ? And are there any alternative configurations that would still allow authentication for non-claims-aware applications?

Thanks for your help

Score:0
what is the most secure way of deploying domain joined WAP servers in a DMZ?

If you absolutely must have domain-joined servers in the DMZ, don't put writable domain controllers in the DMZ, only read-only domain controllers. Generally, domain-joined servers in the DMZ increase security risk, so in terms of security this should be avoided if possible.

And are there any alternative configurations that would still allow authentication for non-claims aware applications

Azure AD Application Proxy would be a good alternative. It supports various SSO methods, including Kerberos, and advanced security rules (with Azure AD Conditional Access). Aside from the advanced security controls, the main benefit is that you wouldn't have to put any servers in the DMZ or open any incoming ports on your firewall. It has its own considerations and limitations, which may or may not apply to your case. It depends on the application itself, user geography and some other factors.
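If you do go the domain-joined WAP plus RODC route, the two controls that limit the damage from a compromised DMZ box are the RODC's password replication policy (cache only the WAP's own secret) and constrained, not unconstrained, delegation on the WAP computer account. The following is an added PowerShell example written for this thread, not code from the question, the answer or Microsoft; the names WAP01, RODC01, APP01, corp.example and app.example.com are hypothetical, and the AD cmdlets are assumed to run on a LAN admin host, the AD FS cmdlet on the federation server, and the WAP cmdlet on the proxy itself.

```powershell
# Added example for the RODC + KCD deployment discussed above (hypothetical host names).
# Requires the ActiveDirectory, ADFS and WebApplicationProxy modules on the respective hosts.

# 1. RODC in the DMZ: allow it to cache only the WAP computer account's secret.
#    Privileged principals are already blocked by the default Denied RODC Password Replication Group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -AllowedList 'WAP01$'

# 2. Kerberos constrained delegation with protocol transition on the WAP computer account:
#    WAP01 may request service tickets only for the backend HTTP SPN, on behalf of the user
#    that AD FS pre-authenticated. Never set -TrustedForDelegation $true (unconstrained
#    delegation): a compromised DMZ host could then impersonate any user to any service.
Set-ADComputer -Identity 'WAP01' -Add @{
    'msDS-AllowedToDelegateTo' = @('HTTP/app01.corp.example', 'HTTP/app01')
}
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# 3. On the AD FS server: register the backend as a non-claims-aware relying party.
#    The permit-all issuance rule is a placeholder; restrict it to the groups that should reach the app.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'Intranet App' `
    -Identifier 'https://app.example.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 4. On WAP01: publish the app with AD FS pre-authentication and KCD to the backend SPN.
#    $thumbprint is assumed to hold the thumbprint of the external TLS certificate already installed on WAP01.
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*app.example.com*' }).Thumbprint
Add-WebApplicationProxyApplication -Name 'Intranet App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet App' `
    -ExternalUrl 'https://app.example.com/' `
    -BackendServerUrl 'https://app01.corp.example/' `
    -ExternalCertificateThumbprint $thumbprint `
    -BackendServerAuthenticationSPN 'HTTP/app01.corp.example'

# 5. Verification: delegation must be constrained (TrustedForDelegation False, an explicit SPN list)
#    and the RODC must have cached nothing beyond WAP01$.
Get-ADComputer -Identity 'WAP01' -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts |
    Select-Object SamAccountName
```

Pair this with firewall rules that allow WAP01 to reach only RODC01 (Kerberos, LDAP, DNS) and the backend's HTTPS port; a writable DC should never be reachable from the DMZ segment.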

Steve: Thanks Jevgenij. It seems weird that it's a standard Microsoft deployment given the compromise in security, but I'll build a proof of concept with an RODC.
Jevgenij Martynenko: @Steve An RODC in the DMZ needs network access into the LAN, so it raises the risk, because it increases the breach landscape. But it also brings additional features, like Kerberos SSO. Productivity always impacts security (and vice versa). I'm afraid, in the case of AD, this is by design. Modern technology solutions, like Azure AD, mitigate these risks much better. AD as a technology was created for a different world than the one we are living in right now.