Our company is trying to implement a few single sign-on applications using Active Directory (Windows Server 2003) and LDAP. I would like to lock down the account used to make these LDAP queries as much as possible. What is the best practice for configuring this type of account?
You can restrict/allow what a user can or see/query within AD by easily using the Delegation Wizard. You can access the Delegation Wizard easily by right-clicking on an OU, and the selecting Delegation Control. You als may want to take a look at these articles:
Default security concerns in Active Directory delegation
Best practices for delegating Active Directory administration: How delegation works in Active Directory
Best practices for delegating Active Directory administration: Case study: a delegation scenario
Please see How to configure Active Directory to allow anonymous queries for minimum security.
By default, the Microsoft LDAP implementation does not support Secure LDAP. To setup secure LDAP using SSL, certificates must be installed on both the LDAP Server and the LDAP Client(s). In many cases, the LDAP Server is the domain controller running Active Directory.
The certificates required to run secure LDAP using SSL can be configured in several ways. The concept is always the same:
The Active Directory domain
controller uses a special certificate
that is issued by a trusted
certification authority.
The clent computer trusts the
certification authority that issues
the certificate to the Active
Directory domain controller.
Related
I need to support 3 way of authentication at the same time in the application: LDAP, Azure AD, Basic.
After few hours of googling i found that the best way to do it would be to implement 3 authentication providers and then register them with AuthenticationManagerBuilder. But the issue i stumbled into is, that i dont know how the make the Azure Ad provider. For LDAP i found an online example i can use, and based on the LDAP i could probably also make the Basic username and password provider, but havent found anything similar on Azure AD. All i have found is that, i need to add 2-3 dependencies to the project for the Azure AD and then it automagically works.
I dont understand spring security that much, so im stumped atm. Can i just trust the automagic to do everything correctly, or are there some resouces on how to create AzureADAuthenticationProvider i could use with AuthenticationManagerBuilder?
An authentication provider is an abstraction for accessing user information from LDAP, custom third-party source, database etc. it validates the user credentials.
Spring security with azure ad:
Firstly, azure ad is integrated with Spring security for secure your application.
User login through their credential and get validate by azure AD.
From azure graph API you have to access token and membership information.
Membership for role based authorization.
LDAP Authentication:
Unique LDAP or DN ,you can perform search in directory unless you know username to DNS is known in advance.
You can authenticate the user by binding that user.
Load the Number of authorities for the user.
Custom Authentication Provider:
Create own authentication (custom) with the help of authentication provider interface in which you can use
authenticate method and implementing it and make authentication object with username and password of user
Then after you can configure these authentication in spring security configuration.
Here is the Reference Link regarding Spring Security
The site I need to configure on our IIS server (on Win 2019) uses a certificate to communicate with an external service.
The certificate is present in the certificates plugin in category personal and trusted.
It also uses a intermediate certificate.
The correct application pool has full permission on the certificate in /personal. Also the "network service" user.
The private certificate isn't exportable.
The SSL connection works when the application pool is configured with identity "LocalSystem" but it doesn't work with "ApplicationPoolIdentity".
Changing the "Load user profile" of the application pool from false to true doesn't change anything.
The site uses libraries written for it and is only used within the company.
Is using "LocalSystem" the only solution when using libraries?
You can try different user account in Application pool identity.
Built-in user account
Select this option to use one of the predefined security accounts. Then select one of the following accounts:
LocalSystem - The Local System account has all user rights, and it is
part of the Administrators group on the Web server. Whenever
possible, avoid using the Local System account because it presents a
serious security risk for your Web server.
LocalService - The Local Service account is a member of the Users
group and has the same user rights as the Network Service account,
but limited to the local computer. Use this account when the worker
process in your application pool does not require access outside the
Web server on which it runs.
NetworkService - By default, the Network Service account is selected.
It is a member of the Users group and has user rights that are
required to run applications. It can interact throughout an Active
Directory-based network by using the computer account's credentials.
This account provides the most security against an attack that might
try to take over the Web server.
ApplicationPoolIdentity - Starting with IIS 7, application pools can
be ran as the "ApplicationPoolIdentity" account instead of the
"NetworkService" account. This is a dedicated pseudo user account for
the working process of an application pool and is the recommended
pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Installed user account
You can configure an installed User Account under which you want the worker process to run.
Property-based user
You can dynamically choose a username and a password under which you want the worker process to run, by using references to Windows Installer properties. By using this option you can choose the way the password is selected:
Password property
The password is stored inside a property.
Predefined password
By selecting this option you can define you own password.
Note: If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principle Name (SPN) with the domain controller (DC).
We have created an SSO solution using IdentityServer4. Our public/affiliated users are authenticated by an account stored in a database and our corporate/internal users are authenticated using their Active Directory accounts.
The problem we're having is that when we host our IdentityServer solution on a DMZ (not on our domain) it cannot access Active Directory (on our domain) to verify a user's login credentials and roles/claims.
My goal is to know the best solution to this problem.
Is the best practice to implement Active Directory Federation Services?
Do we need to host IdentityServer on our domain so that it has AD access and then create a second application to host externally and call in to our actual IdentityServer?
Is there a secure solution our networking team can implement to allow the external server to access AD on our domain (ie: somehow grant AD permissions to the IIS Application Pool Identity)?
At a bit of a loss on what the best practice is here. Not sure if this is a problem for our networking/operations team or for our development team.
Thanks in advance.
IdentityServer4 supports to deploy UI (Login Pages) as a separate application. So one solution is to have UI in DMZ and other BE server in Domain.
In all other cases, you will be providing Database Access to a Server in DMZ (which is not supposed to be best thing).
Currently we are evaluating a SAML solution as a corporate user authentication system.
The goal is to have only SAML as the main system without any redundancy of user data throughout different platforms.
Even if SAML authenticates the user how can the domino server create a session without mapping it to a user in the nab.
Is it somehow possible to have domino session without having the actual entry in the NAB?
And is it possible to retrieve group membership from SAML without having the actual group document in the nab?
Even if all of that works is it still possible to use these users and groups in the ACL and in readers and author fields?
The combination of SAML, and configuring Directory Assistance on the Domino server to integrate with an LDAP service that is provided by your corporate systems would allow you to accept SAML credentials for users who do not have a Person document in the Domino Directory.
But no, you can't use SAML to retrieve group membership. You can't use SAML to retrieve anything. It's not a directory query mechanism. It's only an authentication mechanism that communicates trusted identity information. You can, however, configure Domino Directory Assistance to use an external LDAP source for groups, and your local groups, ACLs and Reader/Author fields can also refer to these users.
I want to set up a website on Azure according to the following requirements and are wondering if it is even possible?
As a internal team member, I must be able to login to the site with Windows Authentication
As a external customer, I must be able to login to the site with user name and password
As a external customer, I must not be able to access a subset of the site
As a unauthorized user, I must not be able to access anything on the site
I guess I have to set up a VPN connection between Azure and the Active Directory in my company. How do I do that?
Is it at all possible to meet my requirements?
Background Information
We are a small project with about 10 team members.
We have four large customers who need access to the site, and there are a few people in each customer who needs to have access to the site.
Customers will just have read only access to static, non-sensitive information.
The team members will have write access, and will also handle some sensitive information.
** Edit **
I have now managed to create efficient synchronization of our projects local AD to Azure, thanks user18044. Unfortunately, the accounts for the team members is located in the company's AD (corp.mycompany.com), and out AD has one-way trust with it.
We have groups in the project-AD pointing to our accounts in the company's AD, but the members in the groups is not synchronizing over to Azure.
Can this be solved?
Yes, I think what you are describing is doable.
Your first two bullet points are about authentication. As Azure Active Directory does not directly support Windows Authentication, federation is the way to go here.
When you as an internal team member log on, you land on what is called a home-realm discovery page, where you pick the realm you want to authenticate in. Picking the realm of your company, you get redirected to the STS (for example ADFS) your company has set up to authenticate you. If you are in the same Windows Active Directory network as the STS is authenticating against, you should be able to use Kerberos to be issued a token.
An external customer would be redirected to another STS that would use forms authentication against a credential store to issue security tokens.
Both security tokens are then posted back to Azure Active Directory which is configured to trust both STS's and issues a token of its own. See here for an example.
As for the second two bullets, the authorization part you can do based on roles you assign to your users. Depending on which STS authenticated your user, you assign them a certain role. Based on that role you can give access to certain parts of your website or not. How to implement this depends on what stack you are using for your web application, but a Google search should give you some leads.