Iis – Can iis authenticate against two separate AD without trust

authenticationiis

First of all, I have poor experience on IIS, I'm more a linux/apache/nginx guy.

Now I have a proprietary app running on an old IIS (w2003, I know is out of support) which is currently authenticating against domainA using integrated windows authentication.

I need to make it authenticate against a completely separate w2003 AD, too. I can route between the two networks. This works all on internal networks.

The app currently maps each domainA user to its personal account & details, the same should happen for domainB users. Obviously I can't change the app in any way.

I guess I could set a trust between domainA and domainB, but if possible it would be best to avoid this. Long story.

I wonder if there could be other methods, eg: make IIS authenticate users also against a LDAP, and make domainB AD act as that LDAP. Or else. Anything that works could be interesting.

Best Answer

Without a trust, you're almost definitely out of luck unless the app explicitly supports adding a second domain identity source (that would need to involve providing credentials for the second domain).

Even with a trust, you might still be out of luck depending on how well the app was written and whether it made any assumptions about only ever existing in a single-domain forest. A lot of app authors are just short sighted when it comes to that sort of thing.

If it magically does work with a trust, you might still ultimately run into edge cases where things break randomly. Like what happens if two users from the different domains happen to have the same username? They might get mapped to the same "account" within the app. It might just throw an error.

When you start talking about LDAP and other authentication protocols, you start to blur the line between what is IIS's responsibility and what is the application's responsibility. For LDAP specifically, the web server doesn't care anything about that. Apps that use LDAP authentication typically configure the web server for Basic authentication (hopefully over SSL) and all of the LDAP connectivity is handled within the application logic.

I hate to be a downer. But with a proprietary app and a legacy environment like this, your outlook is not so good.

Related Solutions

Samba – Joining Samba to Active Directory with local user authentication

You can do this fairly easily. You need to preform all the steps for configuring users to authenticate to linux via AD (KRB config, joining the domain), up to bot NOT including the PAM changes. Then you just set SAMBA to use winbind as the authentication source. Here is an old copy of an smb.conf I've used to achieve this same effect:

#======================= Global Settings =====================================

[global]

# Domain Authntication Settings
        workgroup = <my domain>
        server string = <Sever String>
        security = ads
        passdb backend = tdbsam
        realm = <mydomain.com>
        client use spnego = yes
        ldap ssl = no
# logging
        log level = 5
        max log size = 50
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
;       max log size = 50

# User settings
        username map =  /etc/samba/smbusers
        idmap uid = 10000-20000000
        idmap gid = 10000-20000000
        idmap backend = ad
;       template primary group = <ad group>
        template shell = /sbin/nologin

# Winbind Settings
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups  = Yes
        winbind netsted groups = Yes
        winbind nested groups = Yes
        winbind use default domain = Yes

#Other Globals
        unix charset = LOCALE
        server string = <my server name>
        load printers = no
        printing =  cups
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups


#============================ Share Definitions ==============================


[share]
comment = <share comment>
path = /srv/smb/share
guest ok = yes
valid users = "DOMAIN+testUser"
read only = yes

Also, if you are using Ubuntu there is a bug in the version that was in the 10.04LTS up to a few months ago that just completely broke this setup (nobody can auth) - grab a version from the SAMBA site if this is the case

Windows – Authenticate CentOS against AD without Samba/Winbind

First off, don't forget to install the "Identity Management for UNIX" windows component under "Active Directory Services", in the "Add/Remove Windows Components" window.

An Active Directory DC will supply you with 2 services:

User enumeration (UID/GID/Home Dir/etc.) via LDAP
User Authentication via Kerberos

On CentOS servers, you will need to configure LDAP user enumeration through /etc/ldap.conf, your Kerberos configuration goes in /etc/krb5.conf and to make use of the users, you need to update /etc/nsswitch.conf.

To enable Kerberos authentication, you will need to edit the /etc/pam.d/system-auth file.

A few gottachs:

Make sure your time is synced from a reliable source, on the DC and clients
Make sure you have proper resolving and back resolving
Must guides will show you how to bind to the DC with a user/pass, a more secure way will be using a Kerberos ticket for DC authentication (For user enumeration/authentication)
It will probably not work on the first shot, leave a root user logged in as long as possible to allow for quick fixes without needing to go into Rescue mode (after you've blocked yourself out of a machine).

A quick search came up with the following guide. After that works, I would try Kerberos binding to the DC. The guide is for RHEL5, but will work all the same on CentOS5

Best Answer

Related Solutions

Samba – Joining Samba to Active Directory with local user authentication

Windows – Authenticate CentOS against AD without Samba/Winbind

Related Topic