Security – Is it possible to provide access to a domain resource to a non-domain user

Tags: access-control-list, active-directory, network-share, security, windows-server-2008

After a security review, I'm splitting the tiers of a Windows 2008 Server application that is currently on a single machine in the corporate domain. I want to move the IIS 7 Web UI to a new machine in the domain so users can authenticate against it using their AD accounts and leave the rest (the application tier and database server) on the current machine but moved off the domain behind a firewall.

The app tier services need to create files on various shares on domain servers. Previously the services ran as a special domain user with access to the shares. Now that won't be possible.

Is there a way of allowing access to shared folders (and resources generally) on domain servers to non-domain users/machines?

Best Answer

You can grant access to a domain resource (i.e. a share) to a non-domain machine... provided the service on that machine accesses the share using as remote credentials either:

  • domain user credentials OR
  • a local user's (on the domain machine) credentials

The second one is the safest way to do it (a remote attacker sitting on the app tier machine won't have access to a domain account (with access to the entire domain) but only to the domain machines it has a local account on).

BUT you won't be able to simply set such a user to run the app service under. You must have some support in your application to specify different credentials according to which server it is connecting to.

So if this is supported => say your app tier machine APPTIER is in the MSHOME workgroup and your shares are \\SERVER1\share1 and \\SERVER2\share2 in the MYDOMAIN domain:

  1. Create a local account apptieracct on SERVER1 with access to share1
  2. Create a local account apptieracct on SERVER2 with access to share2
  3. On APPTIER, configure the application to use SERVER1\apptieracct to access \\SERVER1\share1 and SERVER2\apptieracct to access \\SERVER2\share2
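The three steps above, worked through in PowerShell as an added example (this is not the answerer's code and not part of the original post). It assumes the names used in the answer (SERVER1, share1, apptieracct, workgroup machine APPTIER), a folder path of D:\Shares\share1 and a credential file path under C:\ProgramData\AppTier, both of which are invented for the example; the server half uses the `net user`, `icacls` and `net share` tools that exist on Windows Server 2008, and the client half uses `Export-Clixml`/`Import-Clixml` so the local account's password is stored DPAPI-protected for the service account rather than in a plaintext config file.

```powershell
# ---------------------------------------------------------------------------
# Part 1: run on SERVER1 (a domain member hosting share1) as a local admin.
# Creates the LOCAL account the app tier will authenticate as and grants it
# nothing beyond the one share. Repeat on SERVER2 for share2.
# ---------------------------------------------------------------------------
$AccountName = 'apptieracct'        # from the answer
$ShareName   = 'share1'             # from the answer
$SharePath   = 'D:\Shares\share1'   # assumed folder path (example only)

# Long random password; hand it to the APPTIER operator out of band (never by e-mail/config).
Add-Type -AssemblyName System.Web
$Password = [System.Web.Security.Membership]::GeneratePassword(24, 4)

# Local SAM account, not a domain account: compromise of APPTIER yields only this server.
net user $AccountName $Password /add /passwordchg:no /expires:never /comment:"App tier share access" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Failed to create local account $AccountName" }

# NTFS: Modify on the share folder (inherited by files and subfolders), nothing else.
icacls $SharePath /grant "${AccountName}:(OI)(CI)M" | Out-Null

# Share-level permission granted to that one local account only.
net share "$ShareName=$SharePath" /grant:"$AccountName,CHANGE" | Out-Null

Write-Host "Created $env:COMPUTERNAME\$AccountName with CHANGE on \\$env:COMPUTERNAME\$ShareName"
Write-Host "Password (record once, then clear this console): $Password"

# ---------------------------------------------------------------------------
# Part 2: run on APPTIER (workgroup MSHOME) under the app tier service account.
# Step 2a, done once interactively AS the service account: store one credential
# per server. Export-Clixml protects the password with DPAPI for that user, so
# only the same account on the same machine can read it back.
# ---------------------------------------------------------------------------
$CredDir = 'C:\ProgramData\AppTier'   # assumed location (example only)
New-Item -ItemType Directory -Path $CredDir -Force | Out-Null
foreach ($server in 'SERVER1', 'SERVER2') {
    # Username is SERVER\apptieracct: the server name as "domain" forces authentication
    # against that server's local SAM instead of MYDOMAIN.
    $cred = Get-Credential -Message "Local account on $server" -UserName "$server\apptieracct"
    $cred | Export-Clixml -Path (Join-Path $CredDir "$server.cred")
}

# Step 2b, what the service does at run time: pick the credential for the server
# the share lives on, connect, write, disconnect. This is the "different credentials
# per server" support the answer says the application must have.
function Write-FileToShare {
    param(
        [Parameter(Mandatory)] [string] $UncPath,    # e.g. \\SERVER1\share1
        [Parameter(Mandatory)] [string] $FileName,
        [Parameter(Mandatory)] [string] $Content
    )
    # Server name is the first UNC component; it selects the stored credential.
    $server = ($UncPath -split '\\')[2]
    $cred   = Import-Clixml -Path (Join-Path $CredDir "$server.cred")
    $nc     = $cred.GetNetworkCredential()   # splits "SERVER1\apptieracct" into Domain/UserName

    # Non-persistent session-scoped connection with explicit local credentials.
    net use $UncPath $nc.Password /user:"$($nc.Domain)\$($nc.UserName)" /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not connect to $UncPath as $($nc.Domain)\$($nc.UserName)" }
    try {
        Set-Content -Path (Join-Path $UncPath $FileName) -Value $Content
    }
    finally {
        # Drop the connection so the credential does not linger in the SMB session cache.
        net use $UncPath /delete /y | Out-Null
    }
}

# Each share is reached with its own server-local account, as in step 3 of the answer.
Write-FileToShare -UncPath '\\SERVER1\share1' -FileName 'report.txt' -Content 'from APPTIER'
Write-FileToShare -UncPath '\\SERVER2\share2' -FileName 'report.txt' -Content 'from APPTIER'
```

Two points worth checking after running this: on each server, `net share share1` should list only apptieracct with CHANGE, and the security log should show the app tier's writes as logons of the local account (logon type 3) from APPTIER's address and nothing from a domain identity. If a domain-joined box other than SERVER1 ever shows logon attempts for SERVER1\apptieracct, the password has leaked beyond the app tier, which is exactly the blast radius this design is meant to contain.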