I am working on a project where there is a need to expose the Domain Controller (the KDC service specifically) in a DMZ. This domain is going to be a separate one from our production domain, with a bunch of user accounts who will be connecting to some of our SSO-enabled apps via the internet (without VPN).
Does anyone on this mailing list have this sort of setup in their org? If yes, what security considerations are you following to secure the KDC from external threats? How are the user accounts protected in that environment?
Are there any options to further secure the Kerberos traffic in that DMZ environment?
Would appreciate any feedback and suggestions.