We don't mix authentication schemes. Internal is internal, and external is external.
We require VPN access to internal resources - nothing is published externally. I'd be really leery of doing it any other way.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 11, 2004 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Managing accounts for 'outsiders'
>
> I'm curious what y'all do with those situations where you have to manage credentials for 'outsiders' - in other words, users from some business partner, vendor, etc. who must have access to some resource in your company. For example, say you have some intranet web app that you make available on the Internet via ISA Server/reverse proxy. This works for employees, but soon some 'outsiders' (contractors, outsourced service providers) need to use it.
>
> Do you put them someplace in your existing AD so they can use the same proxy? Do you set up an alternate way for them to get to the resource? What steps do you take to ensure that those credentials are restricted to the resource you intend?
>
> I'm a tad uncomfortable with people outside the organization running around with valid credentials to the internal NOS directory, but maybe that's just me. I realize it's a business decision, and that there's hopefully some level of trust in these individuals since they've been contracted to perform some service, but the more I can control it the better.
>
> Rants, flames, war stories are welcome (I can take it:). Even more welcome is some discussion of how you deal with external users in general, and specific steps you take to protect your AD from misuse by them.
>
> Dave
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
