I am looking for ideas on how to implement a "mixed mode" authentication. We have multiple apps to publish, some of them will be accessible to AD users only so a weblistener for these is easy.
Other applications are accessed by external customers and I would like to use FBA to authenticate these but do not want their accounts in AD. I was interested in using ADAM for this but it appears ISA only supports LDAP to the domain.
What are the best options for segregating internal/external accounts and making account management as simple as possible (ideally web based; I would also be interested in a solution which would allow delegation of account management at a group level)?
All thoughts are welcome, I'm sure ISA must be used in this fashion by some of you already.
I was hoping to avoid local accounts as the ISA servers are in a DMZ which is not accessible to our account administrators. I would like to keep it that way; is there no other way of pointing to an external accounts database?
Why not use local accounts on the ISA Firewall? No one is going to break into the ISA Firewall. It's much more secure than your typical "hardware" firewall, so you don't need to worry about local accounts like you do with traditional "hardware" firewalls.
By "external accounts" I simply mean accounts created purely for access to specific applications. I want to use FBA to provide a layer of security and to utilise session-based timeouts for applications which don't natively support this.
Storing the accounts on the ISA box means we have to provide a level of access to the local accounts to junior members of staff for administration. This is not something I am terribly keen on.
I will recommend that this route be taken; it might take a bit of time to convince our tech people that this is a reasonable course to take. AD does offer the simplest means of providing authentication. Pity we can't use ADAM, since this is perfectly fit for purpose - ISA 2007 team listening????