Why not join the IIS to the domain?

I wanted to use Active Directory Mapping (users have a one-to-one mapping with a corresponding client certificate in the AD) because the web app will be accessible only to users with smart cards that are already stored in their Active Directory account. Our web app users will come through the Internet. Our AD server will only be used to store web app users. Active Directory Mapping seemed like the easy and secure way to limit access.

But I just learned that the IIS 7 server on Windows Server 2008 R2 must not be joined to any domain. Am I correct in assuming that the Active Directory Mapping will not work on a standalone server?

DMZ: IIS server

Internal: SQL Server and Domain Controller

Our security guy says that the secure way is to make an authentication web service in the internal network to do the lookup when the DMZ IIS passes the credentials via SSL on port 443. He also suggested I make two local service accounts on the DMZ IIS local machine that have the same user name and password as domain accounts in the internal AD and use them to communicate with the authentication web service and the database in the internal network. Even if this works, why would it be more secure?

I read through these resources and, while informative, I still don't know if the Active Directory Mapping will work on a standalone IIS or why the standalone server would be more secure.

Active Directory Domain Services in the Perimeter Network

security-best-practices-using-ad-for-server-process-identity-in-a-public-facing-web-application-post

Understanding the AD FS 2.0 Proxy
