RickSheikh
Posts: 373
02/05/2010 9:45 PM
Hello,
I am wondering if any of you have deployed ADAM (or LDS) in the DMZ with syncs to the internal prod AD, to cater for an IdP for SAML authentication for a SaaS provider. If so, what guide did you use for the ADAM deployment? This particular situation calls for a POC (from a well-known IdP) which simply asks for port 636 access to AD from the outside. I have reservations against it and would like to see what your stance is on this scenario. I am also surprised to see that they don't have a documented use case for an ADAM deployment. If the client had at least one 08 DC, then I would lean towards deploying a RODC in the perimeter network and be done with it.
Your thoughts are appreciated.
P.S. I am trying to avoid MIIS/IIFP.
Regards,
laurahcomputing
Posts: 148
02/05/2010 10:12 PM
Is the application in question claims-aware? (I would assume so based on the use of the words SAML and SaaS in that sentence, but you know what they say about assuming.)
If so, ADFS2 proxy in the DMZ, ADFS2 server in the internal network, and put the users in an internal AD. SSL traffic terminates at the proxy, the proxy talks back to the internal ADFS2 box via client auth certs to do user auths and spit tokens out to the SaaS app, and your directory data is never directly exposed to an external network.
That's one 5-second back-of-the-napkin design, anyway.
--
-----------------------
Laura E. Hunter
Principal, LHA Consulting Incorporated (http://www.lhaconsulting.com)
Microsoft MVP, Directory Services (https://mvp.support.microsoft.com/profile/laura)
Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll)
Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
RickSheikh
Posts: 373
02/05/2010 10:28 PM
Hi Laura,
Thanks for the input. I do believe the app is claims-aware (I will double check); however, since they are using SAML and not the WS-Federation of ADFS (Geneva), I assume we have a different set of apparatus at our disposal. In any event, I am trying to determine the best route without introducing another federation product or synchronization tool.
laurahcomputing
Posts: 148
02/05/2010 10:44 PM
ADFS2 will ship with support for the IdP Lite, SP Lite and eGov SAML 2.0 profiles, and has already passed Liberty Alliance testing.
joe
Posts: 106
02/06/2010 4:43 PM
Agree with Laura. One of the main points of doing federation is to avoid poking holes in your firewall and giving an outside party access to your LDAP directory. This would also imply that the IdP they are setting up on your behalf would be collecting your users' credentials. Ick!
I know Ping has a managed service where they host an IdP in the cloud and access the directory via an LDAP hole. I can totally see this in a situation where you really can't deal with hosting your own Fed IdP on the public internet, but I'd rather not do it if I had an alternative.
ADFS V2 is a better choice if you need SAML protocol compat. Alternately, a protocol translator that can swap between WS-Fed and SAML would be better.
If you had to do this, I'd rather do it with synced bind proxy objects in ADAM than an RODC as you get to pick exactly what data ends up in the perimeter via the sync process. I assume they need to do LDAP simple bind over SSL, so that's why I suggested synced bind proxies rather than pass through auth.
Joe K.
----- Original Message -----
From: "Laura E. Hunter" <laurahcomputing@gmail.com>
To: <activedir@mail.activedir.org>
Sent: Friday, February 05, 2010 4:43 PM
Subject: Re: [ActiveDir] SaaS/SSO/AD
RickSheikh
Posts: 373
02/06/2010 11:24 PM
Joe,
Your input is much appreciated. Ping is in fact the IdP in question for this POC.
Neither of their products, PingConnect or PingFederate, is claims-aware; however, PingFederate does support WS-Federation, though not natively. It is SAML-based by default.
I would love to have another option, but I believe a synced bind proxy with ADAM is what I would have to deal with right now. This is all new for me; can you recommend a good source/white paper/guide that I can refer to in regards to setting up ADAM? Is ADAMSync on-demand, or can it be a one-way scheduled task? Lastly, LDAPS is what they require.
Thanks,
joe
Posts: 106
02/07/2010 6:47 PM
ADAMSync will do what you want. It must be scheduled to sync periodically, but it can create bind proxy objects for your AD users (all of them, or a subset if you want). In case you want to expose any AD attributes as claims or SAML assertions via Ping, you'd want to sync those attributes as well.
Setting up ADAM SSL can be a little bit of a PITA sometimes, but it should not give you too much trouble. You'd want to find out from Ping whether you need to use a publicly rooted cert or whether you can use something from your internal PKI or self-signed for this use case. If I were doing it "right", I'd use an externally rooted cert, but that would cost some money.
I'm not sure what the best document regarding setting up ADAMSync is. However, my experience has shown that Lee Flight is a fountain of knowledge and can help you if you get stuck. Remember that your ADAM box must be domain-joined to authenticate proxy users.
When you create the bind proxy objects, make sure that you decide what the users are to use as a username, and then make sure that value is set to the displayName or userPrincipalName attribute on the bind proxy objects, as those are the two attributes in ADAM that are "bindable" username values (that you can set directly; distinguishedName is bindable but you generally don't want people knowing or typing that).
As Laura said, ADFS V2 can provide you a SAML-compatible IdP endpoint on the public internet and thus play the role that the Ping software would be doing here to integrate with whatever app you are looking to integrate with. It could end up costing you less and being a better strategic investment. I say this with a great deal of respect for Ping, as they are a great company with a great product.
Best of luck! Start a new thread on ADAM and ADAMSync if you get stuck.
Joe K.
----- Original Message -----
From: "Rick Sheikh" <ricksheikh@gmail.com>
To: <activedir@mail.activedir.org>
Sent: Saturday, February 06, 2010 5:23 PM
Subject: Re: [ActiveDir] SaaS/SSO/AD
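Joe's two points in this thread, that the sync lets you pick exactly which data ends up in the perimeter and that each proxy needs a bindable userPrincipalName or displayName, can be checked before ADAMSync ever runs. The lint below is an added example, not code from the thread, from ADAMSync or from Microsoft; it assumes the element layout of the MS-AdamSyncConf.xml sample (query/object-filter, attributes/include, user-proxy/target-object-class), which you should confirm against your ADAM version, and the allow list and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Hypothetical allow list for the bind-proxy use case: objectSid is what a
# userProxy object uses to hand the bind off to AD, ADAM binds proxies by
# userPrincipalName or displayName, and mail is a typical SAML assertion value.
PERIMETER_ALLOW = {"objectSid", "userPrincipalName", "displayName", "mail"}
BINDABLE_NAMES = {"userPrincipalName", "displayName"}
PROXY_CLASSES = {"userProxy", "userProxyFull"}


def lint_adamsync_config(xml_text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = ET.fromstring(xml_text).find("configuration")
    if cfg is None:
        return ["no <configuration> element found"]
    findings = []

    def text(path):
        node = cfg.find(path)
        return (node.text or "").strip() if node is not None else ""

    # Attribute scoping: only explicitly named attributes should cross into the DMZ.
    includes = [(n.text or "").strip() for n in cfg.findall("query/attributes/include")]
    includes = [a for a in includes if a]
    if not includes:
        findings.append("no explicit attribute include list; name exactly what may leave the forest")
    for attr in includes:
        if attr not in PERIMETER_ALLOW:
            findings.append(f"attribute {attr!r} is not on the perimeter allow list")
    if not any(a in BINDABLE_NAMES for a in includes):
        findings.append("neither userPrincipalName nor displayName is synced; proxies have no bindable name")

    # Object class: proxies delegate the password check to AD instead of holding one.
    target_class = text("user-proxy/target-object-class")
    if target_class not in PROXY_CLASSES:
        findings.append(f"target-object-class {target_class or '(none)'!r} is not a bind proxy class")

    # Scope: sync the users who need SSO, not the whole partition.
    obj_filter = text("query/object-filter")
    if obj_filter in ("", "(objectClass=*)"):
        findings.append("object-filter is empty or matches everything; scope it to the SSO population")
    return findings


# Constructed sample: a "just copy the users over" configuration.
WEAK_CONFIG = """<doc><configuration>
  <query>
    <base-dn>dc=corp,dc=example</base-dn>
    <object-filter>(objectClass=*)</object-filter>
    <attributes><include></include><exclude></exclude></attributes>
  </query>
  <user-proxy>
    <source-object-class>user</source-object-class>
    <target-object-class>user</target-object-class>
  </user-proxy>
</configuration></doc>"""

# Constructed sample: bind proxies only, for one group, with three attributes.
HARDENED_CONFIG = """<doc><configuration>
  <query>
    <base-dn>ou=SaaS Users,dc=corp,dc=example</base-dn>
    <object-filter>(&amp;(objectClass=user)(memberOf=cn=SaaS-SSO,ou=Groups,dc=corp,dc=example))</object-filter>
    <attributes>
      <include>objectSid</include>
      <include>userPrincipalName</include>
      <include>mail</include>
    </attributes>
  </query>
  <user-proxy>
    <source-object-class>user</source-object-class>
    <target-object-class>userProxyFull</target-object-class>
  </user-proxy>
</configuration></doc>"""
```

Running lint_adamsync_config on WEAK_CONFIG reports four findings (no include list, no bindable name, non-proxy target class, match-everything filter), while HARDENED_CONFIG passes clean.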