Install IIS for internal auth script on Domain Controller (Win 2008R2)

    I understand that it's not recommended to install IIS on a Domain Controller for performance and security reasons. But in this particular case I still think it makes sense.

    Our DC is only addressable internally and serves about 200 users. The reason I am even considering this is that the IIS site I would like to run is a single ASP script that just uses IIS to provide AD authentication over HTTP. This allows domain users to login to a particular externally hosted service without requiring the creation of an external account.

    The user flow is this:
    • User visits signin.hostedservice.com and gets an HTTP redirect to our internal IIS AD auth script
    • The IIS website prompts for the user's AD credentials using basic HTTP auth
    • If credentials are valid the signin.asp script runs, creating a hashed value
    • signin.asp redirects back to signin.hostedservice.com with a hash and a secret token
    • signin.hostedservice.com verifies the hash and secret token and starts the user session


    Performance impact on the DC
    This single ASP script will receive a maximum of 200 HTTP requests per day. Most likely it will be 20-100 HTTP requests as this hosted service is not something that all users are using all the time. I would say the performance impact on this is negligible.

    Security impact on the DC
    Because the IIS AD auth script will be in our internal DNS zone, anyone outside of our network trying to go to signin.hostedservice.com will just get a DNS error as the HTTP redirect will fail. This is fine as this hosted service should be available to internal users only. Though it would expose the internal DNS hostname of our DC.
    The other point is that the purpose of this script is to authenticate internal users against AD. It's not like we would be allowing non-domain users access to this IIS redirect script.

    Is this still a bad idea?
    Does installing IIS on a DC fundamentally break anything?

    It would be disappointing to have a VM dedicated to running IIS to service a maximum of 200 HTTP requests daily.

    Cheers, B
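    An added example, not code from the original post or from the hosted service, showing one way the "hash and secret token" step of the flow above can be built so a captured redirect cannot be replayed or altered. It swaps the posted design (a secret token carried in the redirect) for an HMAC over the user name and an issue time, computed with a shared secret that stays on both servers; `SHARED_SECRET` and the 300-second validity window are constructed assumptions.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, parse_qs

# Assumed shared secret known only to signin.asp and signin.hostedservice.com
# (constructed sample value; it never appears in the redirect URL).
SHARED_SECRET = b"constructed-shared-secret-replace-in-deployment"
TOKEN_TTL_SECONDS = 300  # assumed validity window for one redirect


def _mac(user: str, issued_at: int, secret: bytes) -> str:
    # "|" is the field separator, so a user name containing it is rejected
    # rather than allowing two different (user, time) pairs to collide.
    if "|" in user:
        raise ValueError("user name must not contain '|'")
    msg = f"{user}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def mint_redirect(user: str, issued_at: int, secret: bytes = SHARED_SECRET) -> str:
    """What signin.asp would do after IIS basic auth succeeds: bind the
    authenticated user name and an issue time to an HMAC and return the
    query string to append to the redirect back to the hosted service."""
    sig = _mac(user, issued_at, secret)
    return urlencode({"user": user, "ts": issued_at, "sig": sig})


def verify_redirect(query: str, now: int, secret: bytes = SHARED_SECRET) -> Optional[str]:
    """What signin.hostedservice.com would do on the return redirect.
    Returns the user name on success, None on any failure."""
    try:
        params = parse_qs(query, strict_parsing=True)
        user = params["user"][0]
        issued_at = int(params["ts"][0])
        sig = params["sig"][0]
        expected = _mac(user, issued_at, secret)
    except (KeyError, ValueError, IndexError):
        return None  # missing or malformed field
    if not (0 <= now - issued_at <= TOKEN_TTL_SECONDS):
        return None  # stale or future-dated: blocks replay of a captured redirect
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered (constant-time comparison)
    return user
```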

  • #2
    Re: Install IIS for internal auth script on Domain Controller (Win 2008R2)

    No it doesn't.

    We have IIS running on one of our DCs at the moment and it causes no problems for us. BTW it is internally serviced as well.



    • #3
      Re: Install IIS for internal auth script on Domain Controller (Win 2008R2)

      If you install IIS prior to making a server a DC, you probably would have an issue. As it is already a DC, it will run ok.
