Score:0

Exchanging AD user groups with an external -not trusted- server for authentication and authorization


I'm not really sure how to describe my problem briefly and precisely. Thus, I was unable to find a solution or at least a hint via Google.

We have a Microsoft AD domain and are currently planning to use externally developed software on a third party managed server. It is planned to utilize our AD for authentication and authorization, but our information security department does not like the idea of opening our firewall for ldaps, ldap-ssl and kerberos for access through the third party managed server.

My question is: Are there other, more secure ways to utilize our AD for authentication and authorization?

Thanks in advance, PJ

joeqwerty
See if AD FS can be used for this. - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview
`information security department does not like the idea of opening our firewall for ldaps, ldap-ssl and kerberos for access through the third party managed server.` Fortunately they stopped that. In 99% of cases, organizations use federation, such as ADFS or Ping. In the small number of cases that cannot, there are other third-party identity management products that don't use federation, but requests for solutions are off-topic.
LeeM
And just to chime in, it should be a *prerequisite* for any enterprise product today that it use federated or "modern authentication" methods (e.g. SAML via AzureAD, which I'd suggest over a new ADFS environment), when users need to authenticate outside the business network. You should give your IT Sec dept a box of chocolates for saving you a lot of angst - and you should leverage their expertise in advance in future if some architect/PM/boss comes up with other creative ideas for external auth. I'd also wonder about data security *inside* the product, if that was their auth solution.