Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

AD Computer Account Delegation/LDAP & ASP

Status
Not open for further replies.
philzero

philzero

IS-IT--Management
Jan 9, 2009
6
GB
I'm trying to help a developer who is creating an ASP page which uses an LDAP query to return a list of members in a particular group on my AD. To be able to read the AD, the query should use the credentials of whoever launches the webpage. IIS is set to use Windows authentication.

Kerberos delegation is new to me, so I want to make sure this is as secure as possible, and doesn't open up any routes for web-based attacks on a domain controller. Based on what I've been able to pick up so far, I think I need to do the following:
[ul]
[li]Enable Trust this computer for delegation to specified services only on the IIS computer account[/li]
[li]Use Kerberos only[/li]
[li]Under Services to which this account can present delegated credentials, add a domain controller, and specify the LDAP service. [/li]
[/ul]
If I understand things correctly, this should only allow the IIS host to pass through the domain user credentials of whoever is accessing the webserver, should only authenticate them to LDAP, and will not confer any elevated security rights on the domain controller to that domain user.

Can anyone tell me if I am thinking along the right lines or am I way off base? I'd be grateful if anyone can point out any security risks in this approach too.

Thanks.
 
Sort by date Sort by votes
I think you have that pretty well covered. I am assuming that you web server is external or in a DMZ? If your web server is not in a DMZ I would highly suggest putting it there. Even most small business routers allow you to setup DMZs now.

I have a similar setup with a web application that uses domain authentication. In addition to the steps you have taken above I have added certain checks to make sure nothing malicious is being passed to my domain controller from the webserver. I am also using a firewall to block everything comming from the web server into my network except the few needed ports to web services and AD authentication.

Hope this helps,

Mike Walton
Network+ CCENT
Free Tech Articles at
 
Upvote 0 Downvote
Thanks Mike. The web server is internal, and will only be used by internal users, there's no external access at all, so no need for it to be in the DMZ.

I always try & work to the principle of least privilege, which is why I want to be sure that this method will not confer any additional rights or open up any holes that I'm not aware of. Out of interest, what checks are you making to make sure nothing else is being passed by your webserver?

Cheers
 
Upvote 0 Downvote
I added some java scripts that check to make sure that HTML, SQL, and JavaScript code aren't being sent to my domain controller that could possibly break it. If your server is totally internal there is no need for a firewall.

Mike Walton
Network+ CCENT
Free Tech Articles at
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
192
DTGMI
DTGMI
rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
292
suncit
suncit
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
136
DrB0b
DrB0b
goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
316
goombawaho
goombawaho
DeepuM
  • Locked
  • Question
Web Response returned Web Exception : The underlying connection was closed error | Simphony & QS
Replies
0
Views
162
DeepuM
DeepuM

Part and Inventory Search

Sponsor

Back
Top