Single Sign On SSO (& Windows 2003 ADFS?)

buddd

Has anyone read any of the documentation on Windows 2003 R2 with ADFS
(Active Directory Federation Services)?

Here is pretty much what the desired goals are:

1. Multiple forests (let's say 3 in my current model)
2. Single Sign On (SSO)
3. IIS 6 (although we can change according to needs)
4. Validation of users against Active Directory
5. Microsoft Exchange 2003 (one per forest) with Front-End Back-End
scenario
6. After validation, user (depending on rights) should be able to read
email, access a custom application, or add / modify / delete users
(within active directory and email). Is this possible?
7. Connect through the internet to do steps 1-5
8. I am not sure where to place the Domain Controller. I could put one
in the DMZ (for each company) and the second in the company's private
zone (I could put two in the company's private zone instead).
9. Use Windows 2003 Server (R2)

Anyone have any ideas / suggestions?

Does the IIS server have to be part of a domain or can it function as a
stand alone server?

Can (assuming the load is okay) we have multiple users (from different
forests) point to one IIS server (using one public IP address but
different host headers) so that a particular user logging on gets his
own web page, is validated against his own Active Directory and is
redirected to the appropriate (unique) forest and applications?

I know this seems a lot, but the information available is quite
unclear. Finding an appropriate solution has been difficult.

I don't think what I want to accomplish is that difficult. I have the
full range of Microsoft products at my disposal.

Thanks for your time.

It is really appreciated.

Best Regards,

Mark
buddd said:
Has anyone read any of the documentation on Windows 2003 R2 with ADFS
(Active Directory Federation Services)?

Here is pretty much what the desired goals are:

1. Multiple forests (let's say 3 in my current model)
2. Single Sign On (SSO)
3. IIS 6 (although we can change according to needs)
4. Validation of users against Active Directory
5. Microsoft Exchange 2003 (one per forest) with Front-End Back-End
scenario
6. After validation, user (depending on rights) should be able to read
email, access a custom application, or add / modify / delete users
(within active directory and email). Is this possible?

OK, ADFS is a solution which may work here, but it will require some
additional work from you, and in its current state it may not satisfy
your needs.

First - Exchange OWA at this moment is not working with ADFS (OK, some
people have tried this and you can get it to work, but some special
configuration of OWA is required). Probably this will be a supported
configuration, but I don't know when.

Regarding the custom application - if this is a web application written in
.NET, the best approach would be to rewrite it with .NET 2.0 and make it
claims-aware. The same applies if you come to the point of a web application
for AD user management - if it is a fully claims-aware app there will be no
problem doing this; if not, you have to test it.

7. Connect through the internet to do steps 1-5
8. I am not sure where to place the Domain Controller. I could put one
in the DMZ (for each company) and the second in the company's private
zone (I could put two in company's private zone instead.
9. Use Windows 2003 Server (R2)

Anyone have any ideas / suggestions?

Does the IIS server have to be part of a domain or can it function as a
stand alone server?

It depends on your apps. If these apps are using users' SIDs, it will be
required to add this server to the AD domain in the resource (in ADFS
terms) forest.
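To illustrate the distinction the reply draws between an app that works from users' SIDs and a claims-aware app, here is an added C# example (not code from the thread, and not ADFS's own agent code). The SID path inspects the group SIDs in a Windows token, which the web server can only hold for a user when it is joined to, or trusts, the forest that issued the SID; the role path asks only `IPrincipal.IsInRole`, which a claims-aware agent can populate from the group claims in the federation token without any SID lookup. The class name, the "Mail Admins" role and the user name are constructed for the example.

```csharp
// Added example, not from the thread: a SID-dependent authorization check
// beside a role-based one that a claims-aware application can satisfy from
// the token alone. All names below are constructed for illustration.
using System;
using System.Security.Principal;

public static class MailboxAuthorization
{
    // Constructed role name. In a claims-aware app this arrives as a group
    // claim; in a Windows-token app it is the group's SID.
    public const string MailAdminsRole = "Mail Admins";

    // SID-dependent path: walks the Windows token's group SIDs. The SID can
    // only be present and meaningful if the server belongs to (or trusts)
    // the forest that issued it, which is why such apps need the server
    // joined to the resource forest.
    public static bool CanManageMailboxesBySid(WindowsIdentity identity,
                                               SecurityIdentifier mailAdminsSid)
    {
        if (identity == null || !identity.IsAuthenticated || identity.Groups == null)
            return false;

        foreach (IdentityReference group in identity.Groups)
        {
            // Groups of a WindowsIdentity are SecurityIdentifier instances,
            // so Equals compares the SID values.
            if (group.Equals(mailAdminsSid))
                return true;
        }
        return false;
    }

    // Claims-portable path: relies only on IPrincipal.IsInRole. A claims-aware
    // agent fills the roles from the token, so no domain lookup happens here.
    public static bool CanManageMailboxesByRole(IPrincipal user)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(MailAdminsRole);
    }

    public static void Main()
    {
        // Constructed principal carrying roles only: no Windows token and no
        // SIDs, as for a federated user from another forest.
        GenericIdentity federatedUser = new GenericIdentity("alice@fabrikam.example");
        IPrincipal principal = new GenericPrincipal(federatedUser, new string[] { MailAdminsRole });
        Console.WriteLine("role-based check: " + CanManageMailboxesByRole(principal));

        // The SID path needs a real WindowsIdentity; here the process's own
        // token is used against the built-in Administrators SID to show the
        // shape of the check. A GenericIdentity has no groups to inspect.
        WindowsIdentity self = WindowsIdentity.GetCurrent();
        SecurityIdentifier adminsSid =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine("SID-based check on current process token: "
                          + CanManageMailboxesBySid(self, adminsSid));
    }
}
```

The practical consequence matches the reply: an application whose authorization decisions go through `IPrincipal` (roles or claims) can sit on a server outside the users' forests, while one that resolves group membership from SIDs ties the IIS host to the resource forest's domain.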
 