I'm not sure where your aversion to external domains comes from. It is a pretty reasonable way to authenticate external users while keeping them off your internal domain. Also, if you have any kind of auditing requirements, you'll quickly find that auditing an app with its own internal authentication is a PITA that just increases with the number of similar apps you have to manage.
Malcolm

From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Thursday, 15 May, 2008 12:05
To: NT System Admin Issues
Subject: RE: AD in the DMZ, good idea?

Well, my initial thought was that there has to be another way to authenticate the contractors coming in. I personally don't really want to set up another domain, but that's what one of the developers wants to do. My personal idea is to have some process like when you sign up for a web forum, where the contractor would create their own username and password, then someone internally could go in and assign the proper rights to that contractor, or have some default rights assigned automatically.

Joe Heaton

________________________________
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 8:33 AM
To: NT System Admin Issues
Subject: RE: AD in the DMZ, good idea?

Obviously, you haven't yet thought about licensing. Why not use application authentication instead of A/D authentication?

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 11:13 AM
To: NT System Admin Issues
Subject: RE: AD in the DMZ, good idea?

It would be a single server, running all functions necessary. There would be another server that would have the actual web front end. The databases for the web apps would still be inside the firewall. As far as access for internal staffers, they would need to get to the web app itself, but I'm wondering if we could set up an internal front end for them to access, that would then access the same data that the outside contractors would be updating.

I appreciate all the responses. I'm not as against the idea now; it just really seemed like a bad idea at first.

Joe Heaton

________________________________
From: Andy Shook [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 8:03 AM
To: NT System Admin Issues
Subject: RE: AD in the DMZ, good idea?

Joe, I've done this on a number of occasions and, while a pain in the buttocks up front, it's not the worst thing. Just isolate it, i.e. no two-way trust with internal AD, and let it sit. I don't know how big of an implementation you're talking about, but you could start with one server for AD, DNS, WINS, DHCP, file serving and one for the web apps. My only question is what type of access will internal staffers need to this domain?

Shook

________________________________
From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 10:59 AM
To: NT System Admin Issues
Subject: AD in the DMZ, good idea?

I'm thinking not, but one of our developers is wanting to set up a separate domain in the DMZ, so that we can create AD accounts for contractors that need to log in to web apps. My brain, gut and every fiber of my being is saying that this is definitely NOT the way to do this. I am right here, aren't I?

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA 95814
(916) 327-5276
[EMAIL PROTECTED]
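The thread contrasts a separate DMZ domain with the forum-style application authentication Joe describes (contractor self-registers, gets default rights, an internal admin grants more) and Malcolm's point that such per-app authentication only works if it is auditable. The following is an added illustration of that application-side model, not code from anyone in the thread: an in-memory account store with salted PBKDF2 password hashing, a default role on sign-up, admin-driven grant/disable, and an audit trail for every authentication and authorization decision. The role names, the PBKDF2 parameters and the in-memory storage are assumptions for the example; a real deployment would back this with the database Joe mentions behind the firewall.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Assumed default rights a contractor gets at sign-up (hypothetical role name).
DEFAULT_ROLES = {"contractor_readonly"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=lambda: set(DEFAULT_ROLES))
    enabled: bool = True


class AppAuth:
    """Self-registration + admin-assigned roles, with an audit log of every decision."""

    def __init__(self):
        self.accounts = {}
        # Each entry: (unix_time, actor, action, target, outcome)
        self.audit = []

    def _log(self, actor, action, target, outcome):
        self.audit.append((time.time(), actor, action, target, outcome))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        """Contractor creates their own account; only DEFAULT_ROLES are granted."""
        if username in self.accounts:
            self._log(username, "register", username, "denied: exists")
            return False
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt))
        self._log(username, "register", username, "ok")
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            # Run the hash anyway so unknown/disabled users cost the same time as real ones.
            self._hash(password, b"\x00" * 16)
            self._log(username, "login", username, "denied")
            return False
        ok = hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash)
        self._log(username, "login", username, "ok" if ok else "denied: bad password")
        return ok

    def grant(self, admin, username, role):
        """Internal staff assign rights after sign-up; the admin is recorded as actor."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log(admin, "grant", f"{username}:{role}", "denied: no such user")
            return False
        acct.roles.add(role)
        self._log(admin, "grant", f"{username}:{role}", "ok")
        return True

    def disable(self, admin, username):
        acct = self.accounts.get(username)
        if acct is None:
            self._log(admin, "disable", username, "denied: no such user")
            return False
        acct.enabled = False
        self._log(admin, "disable", username, "ok")
        return True

    def authorize(self, username, role):
        """Every access check is logged, which is what makes the app auditable."""
        acct = self.accounts.get(username)
        allowed = acct is not None and acct.enabled and role in acct.roles
        self._log(username, "authorize", role, "ok" if allowed else "denied")
        return allowed


if __name__ == "__main__":
    auth = AppAuth()
    auth.register("contractor1", "correct horse battery staple")  # constructed sample
    auth.login("contractor1", "correct horse battery staple")
    auth.grant("admin.jane", "contractor1", "project_upload")
    auth.authorize("contractor1", "project_upload")
    for ts, actor, action, target, outcome in auth.audit:
        print(f"{ts:.0f} {actor:12} {action:10} {target:26} {outcome}")
```

The audit list is the point Malcolm raises: with one store and one log format per app, answering "who granted this contractor upload rights, and when did they last log in?" is a query; with a dozen apps each doing this differently, it is a project.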