Secure Active Directory Authentication thru ASA

Unanswered Question
Oct 9th, 2009

I am working at a client site who wants to use his Windows Domain Controllers on his Inside interface on the ASA to authenticate domain users who log into a Web Server on the DMZ interface. This Web Server in the DMZ is configured to use Active Directory as its authentication method. What is the best way to accomplish this? What ports need to be open? The client needs the authentication traffic between the Web server in the DMZ and the Active Directory Domain Controllers on the Inside to be encrypted.

Thanks in advance.

Jagdeep Gambhir Fri, 10/09/2009 - 16:38

1) You can use Kerberos ---> Server port number 88, or the UDP port number over which the security appliance communicates with the Kerberos server.

2) LDAP over SSL ----> SSL secures communications between the security appliance and the LDAP server. Also called secure LDAP (LDAP-S). TCP port 636 for secure authentication (LDAP-S).
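As an added illustration of the two ports named in this answer (not configuration from the original poster or from Cisco), the fragment below shows what an ASA access list would look like if only Kerberos (TCP/UDP 88) and LDAP-S (TCP 636) are allowed from the DMZ web server to an inside domain controller, with cleartext LDAP on 389 explicitly denied and logged so any fallback to the unencrypted protocol shows up in the syslog. The addresses 192.168.10.5 (web server), 10.0.0.10 (domain controller), the ACL name DMZ_IN and the interface name dmz are all assumed placeholders; the aaa-server stanza at the end is only needed if the ASA itself should also query AD, and uses the standard ldap-over-ssl and server-port keywords from the ASA 8.x aaa-server LDAP mode.

```text
! --- assumed addresses: 192.168.10.5 = DMZ web server, 10.0.0.10 = inside DC ---
! Kerberos authentication and ticket traffic (KDC listens on TCP and UDP 88)
access-list DMZ_IN extended permit tcp host 192.168.10.5 host 10.0.0.10 eq 88
access-list DMZ_IN extended permit udp host 192.168.10.5 host 10.0.0.10 eq 88
! LDAP over SSL (LDAP-S) for directory lookups and simple binds
access-list DMZ_IN extended permit tcp host 192.168.10.5 host 10.0.0.10 eq 636
! Deny and log cleartext LDAP so a misconfigured web server cannot fall back to it
access-list DMZ_IN extended deny tcp host 192.168.10.5 host 10.0.0.10 eq 389 log
! Everything else from the DMZ toward the inside is dropped by the implicit deny
access-group DMZ_IN in interface dmz

! Optional: let the ASA itself authenticate against AD over LDAP-S (assumed names)
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 10.0.0.10
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
```

With this in place, "show access-list DMZ_IN" on the ASA shows hit counts per line; hits on the port 389 deny entry are the quickest way to confirm the web server is still attempting unencrypted LDAP and needs to be switched to LDAP-S or Kerberos.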

Kevin Melton Mon, 10/12/2009 - 05:39

Thanks for your response. In item 2, you discuss using LDAP-S and indicate that this will "secure communications between the security appliance and the LDAP server". What about securing the communications from the Web Server to the security appliance? If that communication is not secured, would it not be possible, if our DMZ had been compromised, to read the authentication traffic from the security appliance to the Web Server?

Jagdeep Gambhir Mon, 10/12/2009 - 17:39

Hi Melton,

PIX Firewall version 6.3 introduces a secured method to exchange usernames and passwords between a web client and a PIX Firewall. This version uses HTTP over the Secure Socket Layer (SSL) (HTTPS). HTTPS encrypts the username and password, and makes the transmission secure.

When you authenticated a web browser using a AAA server on earlier versions of PIX Firewall, the username and password were obtained from the HTTP client in clear text.

Add this keyword to the aaa command to enable this feature:

pix(config)#aaa authentication secure-http-client

The keyword secure-http-client enables this feature so the username and password are exchanged securely between HTTP clients and the PIX Firewall.

You must configure AAA authentication and issue this command in order to enable this feature:

pix(config)#aaa authentication include authen_service if_name 0 0 0 0

See the Configure AAA in PIX section for the syntax of this command.

This feature also supports authentication of clients that access secure (HTTPS) websites.

Note: When you enable AAA authentication, secure-http-client is not required to authenticate HTTPS sessions.

Do rate helpful posts

Kevin Melton Mon, 10/12/2009 - 05:44

If Kerberos is used, is the authentication method encrypted when it leaves the Web Server on the DMZ interface of the security appliance and travels ingress on the inside interface of the security appliance to the Domain Controller?
