I have a few websites for work that live outside of the corporate LAN -- and, therefore, out of direct-communication range of Active Directory (A/D) -- but for which I would like to be able to authenticate users against the corporate A/D servers as well as a secondary repository of users/roles***. The pseudo code for this activity is this:
- User enters username/password into the login form of the external website.
- External website calls a webservice inside the LAN that can talk to A/D.
- The webservice checks to see if the username/password can be authenticated and mapped to a user in A/D. If so, return the list of A/D roles of which the user is a member.
- If the username/password cannot be found/authenticated against A/D, check a database/service that is the secondary repository of user/role information. Return all roles the user is in if they authenticate against the secondary auth server.
- Return a list of roles the user is in to the calling website.
*** The idea is that we don't want to put dozens -- potentially hundreds -- of contractors and affiliates into Active Directory when they will only be logging into our external web servers. Hence the secondary auth scheme.
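The fallback chain in the pseudo code above, written out as an added example (not the asker's code; the asker's stack is .NET, this is Python so it runs anywhere). The A/D step is simulated with an in-memory dictionary because a real LDAP bind needs a domain controller; the secondary repository is shown as it should actually be built, holding salted PBKDF2 hashes rather than passwords and comparing in constant time. All usernames, passwords and role names are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the corporate directory. In production this step is
# an LDAP bind against A/D (for example with the ldap3 package) followed by a
# memberOf lookup; it is faked here so the example runs offline.
_DIRECTORY = {
    "jdoe": {"password": "Winter2009!", "roles": ["Employees", "Sales"]},
}


def _pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class SecondaryUser:
    salt: bytes
    pw_hash: bytes
    roles: list


class SecondaryRepository:
    """Contractor/affiliate store: keeps salted hashes only, never the password."""

    def __init__(self) -> None:
        self._users: dict = {}

    def add_user(self, username: str, password: str, roles: list) -> None:
        salt = os.urandom(16)
        self._users[username] = SecondaryUser(salt, _pbkdf2(password, salt), list(roles))

    def authenticate(self, username: str, password: str) -> Optional[list]:
        user = self._users.get(username)
        # Always run the hash, using a dummy salt for unknown names, so response
        # time does not reveal which usernames exist in the secondary store.
        salt = user.salt if user is not None else b"\x00" * 16
        candidate = _pbkdf2(password, salt)
        if user is not None and hmac.compare_digest(candidate, user.pw_hash):
            return list(user.roles)
        return None


def authenticate_directory(username: str, password: str) -> Optional[list]:
    """Simulated A/D bind: group list on success, None on any failure."""
    entry = _DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None
    return list(entry["roles"])


def authenticate(username: str, password: str, secondary: SecondaryRepository):
    """The webservice's core logic: try A/D first, then the secondary repository.

    Returns (source, roles) on success or None. The caller sees a single
    failure result either way, so it cannot tell which backend rejected the
    attempt or whether the account exists at all.
    """
    roles = authenticate_directory(username, password)
    if roles is not None:
        return ("directory", roles)
    roles = secondary.authenticate(username, password)
    if roles is not None:
        return ("secondary", roles)
    return None


def build_demo_repository() -> SecondaryRepository:
    """Constructed secondary store with one contractor account."""
    repo = SecondaryRepository()
    repo.add_user("contractor1", "correct horse battery", ["Contractors", "PortalUsers"])
    return repo


if __name__ == "__main__":
    repo = build_demo_repository()
    print(authenticate("jdoe", "Winter2009!", repo))            # directory user
    print(authenticate("contractor1", "correct horse battery", repo))  # secondary user
    print(authenticate("contractor1", "wrong", repo))            # None
```

The order matters: checking A/D first means a contractor account in the secondary store can never shadow a real employee login, and the external site only ever receives a role list, never the credential verdict of each backend.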
3 solutions
#1
1
I think there are a couple of layers here, each one its own question:
How can I get to a web service inside my LAN from the DMZ?
This is a tough one as it really breaks the concept of a DMZ/LAN separation. Generally connections between LAN and DMZ are only allowed (and on a limited basis) from the LAN side - this way a compromised DMZ can't initiate contact with the LAN, and is extremely restricted in what it can do (it can't issue arbitrary requests, only respond to requests from the LAN).
How can I use a service on another computer to authenticate a username/password?
Again this is a sticky problem - you are passing passwords over a network - is it possible for them to be intercepted? With AD this is solved with Kerberos - a system of challenge/response that ensures the password is never actually transmitted. Of course Kerberos and similar protocols are quite complex - you should never try to roll your own as it will likely be less secure than using something existing - for example your webservice could operate on https, so that at least the passwords are only plaintext on the two servers, and not the communications link in between. Certificates can also be used to prevent traffic intended for your LAN webservice from being rerouted to a compromised DMZ machine (the compromised DMZ machine won't be able to fake the certificate, and so your system can determine it is connected to a fake server before sending details for authentication).
In my own experience these issues result in AD outside the LAN just not being done. Companies opt to either get outside people on the LAN using VPN authenticated with RSA keys (those little keychains that show a constantly changing set of numbers), or they use an entirely separate set of logins for the DMZ area services.
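The certificate point in this answer, as an added example that is not part of the answer: a Python client context for the DMZ web server's call into the LAN authentication service. It refuses connections whose certificate does not chain to the expected CA and match the hostname, optionally presents a client certificate so the LAN service can likewise reject callers that are not the real DMZ server, and pins the SHA-256 fingerprint of the service certificate so a rerouted connection to another host is detected before any credentials are sent. The CA path, host, pin value and certificate files are assumptions for illustration.

```python
import hashlib
import hmac
import http.client
import ssl
from typing import Optional


def make_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context that only accepts a verified, name-matched server.

    ca_file:     PEM bundle of the private CA that issued the LAN service's
                 certificate (None falls back to the OS trust store).
    client_cert: optional client certificate and key for mutual TLS, so the LAN
                 side can reject anything that is not the genuine DMZ server.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED      # server must present a certificate
    ctx.check_hostname = True                # and it must match the name dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex, no separators."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison of the peer certificate against a stored pin."""
    expected = expected_fingerprint.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def call_auth_service(host: str, path: str, body: bytes, expected_pin: str,
                      ca_file: Optional[str] = None, port: int = 443) -> bytes:
    """POST to the LAN auth service, but only after the pin check passes.

    Network access is assumed; host, path and pin are placeholders supplied
    by the caller. Raises ssl.SSLError or ConnectionError on any mismatch.
    """
    conn = http.client.HTTPSConnection(host, port, context=make_client_context(ca_file))
    conn.connect()                                   # handshake, CA and hostname checked here
    der = conn.sock.getpeercert(binary_form=True)    # the certificate actually presented
    if not pin_matches(der, expected_pin):
        conn.close()
        raise ConnectionError("LAN auth service certificate does not match pin")
    conn.request("POST", path, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return data
```

The pin is a second check on top of CA validation, not a replacement for it: CA validation stops an arbitrary host from impersonating the service, and the pin additionally stops any other certificate issued by the same private CA (say, one belonging to a compromised DMZ box) from standing in for it. Keep a rotation plan, since a renewed service certificate changes the fingerprint.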
#2
1
You might want to take a look @ these two resources. The first will provide you with everything you want to know about active directory, and the second will show you how to connect.
- http://www.codeproject.com/KB/system/everythingInAD.aspx
- http://msdn.microsoft.com/en-us/library/aa302397.aspx
You might have challenges connecting to the remote AD server though. So as a potential workaround, I would consider having the web application call an authentication webservice that resides on the corporate network.
#3
0
You may be able to simplify this by giving a different login portal to contractors/affiliates.