Allow DMZ server to access domain server under windows identity

Question

Hello everyone,

    I have a question regarding security between DMZ and Domain.

    Some context:

    • My knowledge of Active Directory is quite basic
    • We have a DMZ and we have a private domain.
    • We have public facing web sites and mobile services on the DMZ
    • The DMZ servers are simple workstations with local security
    • We have back-office APIs in the private domain.
    • Those APIs are consumed by our LOB applications and identity is ensured by the use of Windows authentication.

    The problem:

    • We would like to have the public web sites consume some of the private domain APIs not as a proxy but more as part of the business flow.
    • We of course would like to keep the Windows integrated authentication approach since it is very convenient inside the domain. The best would be to have the application pool of the DMZ web site run under an account that we can authorize on the API web server behind the firewall.

    Some of my simple-minded ideas:

    • I saw it is possible to create a separate forest for the DMZ and then create a one way trust link in between the domain forest and the DMZ forest. Is this solution applicable to my scenario? Any interesting link?
    • In my research, ADFS comes up quite often. But I have the impression it would be more appropriate for resolving issues between two public domains.

    Is there any link describing how to do a setup that covers my need?

    Any insight or strategy is more than welcome.

    Thanks in advance for your help.

    Thursday, June 23, 2016 1:09 PM
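As an added example that is not part of the original post, the script below audits the trust relationships the poster's first idea (a separate DMZ forest with a one-way trust) would create. It is the check a defender would run before authorising a DMZ application pool account on an internal API server: it lists every trust the queried domain has and flags trusts that are two-way or that do not use selective authentication. Which direction is correct for the poster's case depends on which forest holds the application pool account, so the script only reports the direction. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read trust objects; the forest name is a placeholder.

```powershell
# Added example, not from the original post: audit forest/domain trusts before
# letting a DMZ application pool account be authorised on an internal server.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Placeholder: the DNS name of the DMZ forest in the poster's design.
$dmzForest = 'dmz.example'

# Get-ADTrust reports Direction relative to the domain being queried:
#   Outbound      = this domain trusts the other (its accounts can be authorised here)
#   Inbound       = the other domain trusts this one
#   Bidirectional = both, which removes the isolation a one-way DMZ trust is meant to give
$trusts = Get-ADTrust -Filter * -Properties *

$report = foreach ($t in $trusts) {
    $findings = @()

    if ($t.Direction -eq 'Bidirectional') {
        $findings += 'two-way trust; a DMZ trust should be one-way'
    }

    # Without selective authentication every account in the trusted forest can
    # authenticate to every server in this forest; with it, only computer objects
    # that grant "Allowed to Authenticate" accept those accounts.
    if (-not $t.SelectiveAuthentication) {
        $findings += 'selective authentication is off; all trusted accounts can authenticate to all servers'
    }

    if ($t.Target -eq $dmzForest -and -not $t.ForestTransitive) {
        $findings += 'trust to the DMZ forest is an external (domain) trust, not a forest trust'
    }

    [pscustomobject]@{
        Target                  = $t.Target
        Direction               = $t.Direction
        ForestTrust             = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # reported raw, not interpreted
        Findings                = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when any trust has a finding, so the script can run as a scheduled check.
if ($report | Where-Object { $_.Findings }) { exit 1 }
```

Run it from a domain controller or a management workstation that has RSAT, against the internal domain. Selective authentication only does something once the API server's computer object grants the DMZ account (or a group containing it) the "Allowed to Authenticate" permission, so the trust audit should be paired with a review of that ACL on the API web server.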