Thursday, 7 March 2013

Authenticating users using an intranet on a public website.


I have in the past had to authenticate members of staff on a website that is in an external facing server.

First things to know is that its possible for a server to have more than one network card. For the example that we are going to discuss we will state that NIC#1 is used for visitors to access the server and NIC#2 is the card that people inside the company’s network would travel through if visiting the site. Since we know that staff will be on a internal network IP Range 10.*.*.* we can use the php server variables to detect the visitors IP we can work out that they are a member of staff and let them in but wait thats probably rather insecure. As a hacker could probably fake the IP address.

So how do we allow staff to login with single sign on (SSO) ie the login account they used to logon to their computer. Turns out its quite simple.

You need a webserver that is inside the corporate network to have a page that requires user authentication NTLM this will specify that a user has been authenticated via a trusted system.

So you have now got two servers

Server A : in an external location (DMZ)
Server B : a corporate server located in local LAN (Intranet)

All you need to do is redirect a user from Server A to Server B and have Server B then redirect back to Server A. Server B can then send your Authentication details (username) to the Website on Server A.

Now for added security you should have a password on server A that is used to encrypt the information that is sent to server B then have server B decrypt in the authentication page and then encrypt the information you will send back to server A

This means that if a hacker tried to trick the website on server A that they have authenticated correctly then they would have to find the encryption key on A, The Encryption Key on B to work out what information is being transmitted to truly authenticate a user.