Hi there,

We recently faced the same scenario...

Do they need to use your internal AD because they require access to your staff accounts? If not they could quite happily use ADAM. If they do require access to your staff accounts you could get them to perform DEV/TST/QA on ADAM as proof of concept and then give them delegated access to the AD via a specific user or group, which is what we ended up doing. We made it very clear that all code must be tested on ADAM first before we let them anywhere near our live environment.

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

-----Original Message-----
From: John Singler <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
Sent: 20/09/2006 05:23 a.m.
Please respond to: ActiveDir
To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org>
Cc:
Subject: [ActiveDir] 3rd party vendor and AD for auth

Greetings -

We have a 3rd party vendor who wants to tie their web app into our AD for authentication and authorization. (This is an app that has already been purchased and is in-house but uses a local db for AAA.) What, specifically, should I be asking them about their application so as to keep our environment in its secure and stable state? AFAIK, all they have 'asked' for is a U/P with read access to users and groups. Obviously, they aren't getting anything until we work out the details. Curious as to what other orgs consider when in similar circumstances.

Environment (FWIW): Single forest, single domain. All DCs w2k3 SP1, FFL/DFL are w2k3.

tia,
john

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
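Matt's suggestion of a dedicated user or group for the vendor, and John's note that the vendor has only asked for a username/password with read access to users and groups, come down to one control: a least-privilege bind account whose rights you have verified yourself before handing it over. The PowerShell below is an added example, not code from either poster or from the ActiveDir list. The domain, base DN, DC, OU, group and account names are placeholders, and it assumes the ActiveDirectory module on the admin workstation and LDAPS (TCP 636) on the DC. It provisions the account, places it in a dedicated delegation group, then binds as that account to confirm it can read user and group objects and cannot write.

```powershell
# Added example, not from the thread. Provisions a dedicated read-only LDAP bind
# account for a third-party application and checks what it can really do.
# All names below are placeholders: change them to match your directory.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'                 # placeholder domain
$BaseDn   = 'DC=corp,DC=example,DC=com'        # placeholder base DN
$Dc       = 'dc01.corp.example.com'            # placeholder DC, LDAPS assumed on 636
$SvcOu    = "OU=ServiceAccounts,$BaseDn"       # placeholder OU for service accounts
$SvcName  = 'svc-vendorapp-ldap'               # hypothetical bind account
$SvcGroup = 'App-VendorApp-LDAP-Readers'       # hypothetical delegation group

# 1. One account per application, owned by you, not the vendor. The description
#    records the purpose and owner so the account can be traced and revoked later.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $SvcName"
New-ADUser -Name $SvcName -SamAccountName $SvcName `
    -UserPrincipalName "$SvcName@$Domain" -Path $SvcOu `
    -AccountPassword $Password -Enabled $true -CannotChangePassword $true `
    -Description 'LDAP bind for vendor web app; read-only; owner: Identity Services'

# 2. Delegate through a group, not the user: the read ACE on the OU is granted to
#    the group (with dsacls or the Delegation wizard, not shown here), so access
#    is reviewable and removing the member removes the access.
if (-not (Get-ADGroup -Filter "Name -eq '$SvcGroup'")) {
    New-ADGroup -Name $SvcGroup -GroupScope DomainLocal -Path $SvcOu `
        -Description 'Members may read user and group objects for the vendor web app'
}
Add-ADGroupMember -Identity $SvcGroup -Members $SvcName

# 3. Bind as the vendor account over LDAPS and confirm reads of users and groups work.
$Plain = (New-Object System.Management.Automation.PSCredential('x', $Password)).GetNetworkCredential().Password
$Auth  = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$Root  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($Dc):636/$BaseDn", "$Domain\$SvcName", $Plain, $Auth)

$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
$Searcher.Filter = '(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))'
$Searcher.SizeLimit = 10
[void]$Searcher.PropertiesToLoad.Add('sAMAccountName')
$Found = $Searcher.FindAll()
Write-Host "Read check: $SvcName can see $($Found.Count) user/group objects (capped at 10)."

# 4. Confirm writes are refused. A read-only account must fail to modify objects
#    it does not own; the delegation group's description is a harmless target.
$GroupDn = (Get-ADGroup -Identity $SvcGroup).DistinguishedName
$Target  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($Dc):636/$GroupDn", "$Domain\$SvcName", $Plain, $Auth)
try {
    $Target.Properties['description'].Value = 'write probe (should be rejected)'
    $Target.CommitChanges()
    Write-Warning "$SvcName CAN write to $GroupDn. Fix the ACL before giving the vendor this account."
} catch {
    Write-Host "Write check: modification rejected as expected ($($_.Exception.Message))."
}
$Target.Dispose(); $Root.Dispose()
```

Two points about the design. In a default domain, Authenticated Users can already read most user and group attributes, so the group in step 2 mainly buys reviewability and a clean revocation path; it becomes the actual grant only once your OU ACLs are tightened beyond the defaults. Step 3 binds over LDAPS deliberately: a simple bind on port 389 sends the vendor's password in the clear, so whether their application supports LDAPS (or SASL/Kerberos) is one of the specific questions to put to them.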