Hi,
I'm doing some initial thinking about hosting a SharePoint Services 3.0 website using IIS 6.0 in our DMZ. This site will feature multiple websites (using host headers) for extranet- and intranet-based applications (all on one server). The question of authentication came up and I wanted to get opinions on how best to do this.
I was thinking of setting up a new Windows 2003 AD forest for the DMZ web server and then creating a one-way trust between the DMZ web server's forest and the trusted Active Directory forest (internal trusted LAN). We would be opening a lot of ports between the web server and the internal network in order for the trust relationship to function. We have firewalls between the internet and the DMZ and between the DMZ and the trusted network (the trusted network is also firewalled from the internet), all of this by way of a hardware-based firewall solution.
We also want to run SSL to the server for both internal and external clients (a wildcard SSL certificate).
Assuming our trusted internal network had a namespace of internal.local and our internet provider was hosting our company.net domain name, could we also then create company.net again in the DMZ and use that? What implications does the namespace have on the authentication part? What has to take place as far as the SSL certificate for the namespace (matching?)?
Also, I would want internal and external users to access the site from internally and externally using SSL, but have Kerberos also work for internal users when they are internal, so that the user does not have to log in every time.
Would the user be prompted to enter their domain in the format "DOMAIN\username"? Can this be defaulted to a particular domain? Is there anything to know when working with two different forests as far as authentication on IIS 6?
Any insights would be appreciated.
Kevin.