Sync internal AD user accounts with an external AD domain

  • Question

  • Hello,

    I am looking at deploying a pair of websites that will be Internet facing and need a means of authentication. I am looking at deploying some sort of directory service to manage the user accounts that will be accessing the websites.

    Here are the requirements/configurations I am looking at:

    Site 1 - Internet Facing / Internal users (not every account from internal domain) / External users

    Site 2 - Internet Facing / All External users

    I would like to synchronize some of the internal user accounts that will be accessing Site 1 with our pre-existing AD domain so that they can have single sign-on and synchronized password changes. I would like to manage these user accounts from our pre-existing AD domain.

    As far as the external users in both Site 1 and Site 2, I would like them to be stored in the same directory service and have no visibility to the internal AD domain. And if at all possible I would like to manage these accounts from some sort of self-service portal.

    I would like to use the native Microsoft tools/applications if at all possible.

    I have never used Active Directory Federation Services, but would it allow me to sync a subset of accounts in my internal AD with an external AD by group membership or OU? I also noticed that there is Active Directory Web Services; will that allow web-based management of the external user accounts so that we could create new accounts, reset passwords and unlock accounts? If so, is that really a good idea on an Internet-facing server?

    Any assistance with this would be appreciated.

    Thanks!

    Thursday, August 18, 2011 7:36 PM

All replies

  • If you want to synchronize different ADs and ensure password changes are replicated across, and you need some kind of GUI to manage this and you want it to be Microsoft-centric, then have a look at Forefront Identity Manager http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx

    • Edited by nzpcmad1 Thursday, August 18, 2011 7:56 PM sp
    Thursday, August 18, 2011 7:56 PM
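    The kind of sync the reply above points at FIM for, sketched as an added example (this is not part of the thread and not FIM code): a scheduled job that selects a subset of internal AD accounts by group membership, flows only an allowlisted set of attributes into the external AD, picks up changes on later runs, and deprovisions accounts that leave the group while never touching accounts native to the external AD. The group name, the attribute allowlist and both directories are constructed assumptions; a password change is modelled as a bumped pwdLastSet attribute, since the real password path in FIM is its own component and is not shown here.

```python
"""Toy model of a provisioning job from an internal AD to an external AD.

Added illustration, not FIM code. The scope rule (membership in one group),
the attribute allowlist and both directories below are constructed.
"""

SCOPE_GROUP = "Site1-Users"                           # assumed: members are in scope
FLOWED_ATTRS = ("displayName", "mail", "pwdLastSet")  # memberOf, employeeID never flow

# Constructed sample of the internal AD, keyed by sAMAccountName.
INTERNAL_AD = {
    "alice": {"displayName": "Alice A", "mail": "alice@corp.example",
              "memberOf": ["Site1-Users", "Domain Admins"], "employeeID": "1001",
              "pwdLastSet": 1},
    "bob":   {"displayName": "Bob B", "mail": "bob@corp.example",
              "memberOf": ["Finance"], "employeeID": "1002", "pwdLastSet": 1},
    "carol": {"displayName": "Carol C", "mail": "carol@corp.example",
              "memberOf": ["Site1-Users"], "employeeID": "1003", "pwdLastSet": 1},
}


def in_scope(entry):
    """Scoping rule: only members of SCOPE_GROUP are projected outward."""
    return SCOPE_GROUP in entry.get("memberOf", [])


def project(entry):
    """Attribute flow: only allowlisted attributes reach the external AD."""
    return {k: entry[k] for k in FLOWED_ATTRS if k in entry}


def plan_sync(internal, external, managed):
    """Compute (adds, updates, deletes) without changing anything.

    `managed` is the set of external accounts this job created, so accounts
    native to the external AD (the real external users) are never altered."""
    desired = {u: project(e) for u, e in internal.items() if in_scope(e)}
    adds = {u: a for u, a in desired.items() if u not in external}
    updates = {u: a for u, a in desired.items()
               if u in external and any(external[u].get(k) != v for k, v in a.items())}
    deletes = {u for u in managed if u not in desired}
    return adds, updates, deletes


def apply_sync(internal, external, managed):
    """One batch run: create, update and deprovision in the external AD."""
    adds, updates, deletes = plan_sync(internal, external, managed)
    for u, a in adds.items():
        external[u] = dict(a)
        managed.add(u)
    for u, a in updates.items():
        external[u].update(a)
    for u in deletes:
        external.pop(u, None)
        managed.discard(u)
    return adds, updates, deletes


if __name__ == "__main__":
    # Constructed external AD with one native external user that must survive.
    external_ad = {"dave": {"displayName": "Dave D", "mail": "dave@partner.example"}}
    managed = set()
    print(apply_sync(INTERNAL_AD, external_ad, managed))
    changed = {**INTERNAL_AD, "carol": {**INTERNAL_AD["carol"], "memberOf": []}}
    print(apply_sync(changed, external_ad, managed))  # carol deprovisioned, dave untouched
```

    The `managed` set is the part worth copying: without a record of which external accounts the job owns, a deprovisioning pass would also delete the genuinely external users that the thread wants kept separate.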
  • If you want to synchronize different AD's and ensure password changes are replicated across and you need some kind of GUI to manage this and you want it to be Microsoft centric, then have a look at Forefront Identity Manager http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx

    I was thinking of using something like ADFS to support the internal users authenticating to Site 1 with their internal domain account and password. This would also address the issue of users changing their internal domain account password and being able to use the same password to authenticate on the external site.

    As far as the external users go, would something like FIM be useful with the external domain? If this is internet facing would this be a significant risk to the users and their accounts to allow this sort of access online? I have never looked into FIM so I am not too sure what all it can do and how you can secure it.

    Any help would be appreciated.

    Thursday, August 18, 2011 9:48 PM
  • I think we are talking at cross-purposes.

    As I understand it, you want to have two instances of AD with no trust relationship between them. One contains internal users and the other contains external users.

    If you put an instance of ADFS in front of each AD instance, you don’t need to put internal users into the external AD. In essence, you are federating the ADFS instances.

    Internal user -> internal site -> redirected to internal ADFS and authenticates.

    External user -> external site -> redirected to external ADFS and authenticates.

    Internal user -> external site -> redirected to external ADFS -> chooses internal ADFS from Home Realm Discovery screen -> redirected to internal ADFS and authenticates.

    Note that ADFS revolves around authentication.

    If for some reason, you have to have internal users in the external AD, you now have the problem of replicating and updating those users from the internal AD to the external AD. This is not an authentication problem. It is rather a provisioning problem and that’s where FIM comes in.

    FIM sits in the intranet and is not accessible to the public. It has batch jobs that monitor the internal AD and push changes out to the external AD. It has hooks e.g. to your HR system so that a new employee is automatically provisioned to the internal AD with a range of roles and possibly also to the external AD with another range of roles.

    Note that FIM revolves around provisioning.

    A useful way of looking at it is that FIM provisions the accounts that ADFS authenticates against.

    HTH.


    Friday, August 19, 2011 1:19 AM
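    The three flows in the reply above, modelled as an added example (not part of the thread and not ADFS code): two realms, each with its own directory and its own token service, where the external token service holds a claims-provider trust for the internal one. An internal user who reaches the external site is sent home after Home Realm Discovery, types the password only at the internal service, and comes back with a signed token that the external service verifies against the trusted key and re-issues for the site. HMAC-signed JSON stands in for signed SAML tokens, and every realm name, user, password and key is constructed.

```python
"""Toy model of two federated ADFS instances. Added illustration, not ADFS
code: HMAC-signed JSON stands in for signed SAML tokens; realms, users and
keys are constructed."""
import hashlib
import hmac
import json
import secrets
import time


class Directory:
    """One AD instance: sAMAccountName -> (salt, PBKDF2 hash)."""

    def __init__(self, realm, users):
        self.realm = realm
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, self._hash(salt, password))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def has(self, name):
        return name in self._users

    def verify(self, name, password):
        rec = self._users.get(name)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(rec[0], password))


class Sts:
    """One ADFS instance: authenticates its own directory's users, signs tokens,
    and accepts tokens only from claims providers it has been told to trust."""

    def __init__(self, realm, directory):
        self.realm = realm
        self.directory = directory
        self._key = secrets.token_bytes(32)            # this STS's signing key
        self.claims_providers = {realm: self.verify}   # its own tokens are trusted

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True).encode()
        return body, hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def verify(self, token):
        body, sig = token
        good = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(sig, good)

    def trust_claims_provider(self, other):
        """Claims-provider trust: remember how to check the other STS's signature."""
        self.claims_providers[other.realm] = other.verify

    def authenticate(self, user, password):
        """Interactive logon against this realm's own directory."""
        if not self.directory.verify(user, password):
            raise PermissionError("bad credentials")
        return self._sign({"iss": self.realm, "sub": user, "exp": time.time() + 300})

    def accept_federated(self, issuer_realm, token):
        """Token brought back after Home Realm Discovery sent the user to
        `issuer_realm`: check it with that provider's key, then issue our own."""
        verify = self.claims_providers.get(issuer_realm)
        if verify is None or not verify(token):
            raise PermissionError("token is not from a trusted claims provider")
        claims = json.loads(token[0])
        if claims["iss"] != issuer_realm or claims["exp"] < time.time():
            raise PermissionError("stale or mismatched token")
        return self._sign({"iss": self.realm, "sub": claims["sub"],
                           "home_realm": issuer_realm, "exp": claims["exp"]})


def federated_login(site_sts, home_sts, user, password):
    """Browser-side flow: HRD picks the home STS, the password is entered only
    there, and the signed result goes to the site's STS. Returns the claims
    the site finally sees."""
    home_token = home_sts.authenticate(user, password)
    site_token = site_sts.accept_federated(home_sts.realm, home_token)
    return json.loads(site_token[0])


def build_demo():
    """Constructed realms: the internal user exists only in the internal directory."""
    internal = Sts("corp.internal", Directory("corp.internal", {"alice": "alice-pw"}))
    external = Sts("ext.example", Directory("ext.example", {"bob": "bob-pw"}))
    external.trust_claims_provider(internal)
    return internal, external


if __name__ == "__main__":
    internal, external = build_demo()
    print(federated_login(external, internal, "alice", "alice-pw"))  # internal user, external site
    print(federated_login(external, external, "bob", "bob-pw"))      # external user, external site
```

    Two checks in the model carry the security point of the reply: the external directory never contains the internal user, and a token signed by anything other than the trusted internal service is refused even if it claims the internal realm name, so the only thing the external side needs from the internal side is its signing key, not its accounts or passwords.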