VPN
algordon, 2019-11-04 22:36:45

Active Directory: how to authorize a user outside the local network?

There is a local network 10.xxx with a domain controller on Windows Server 2019 in it; the DC is behind NAT, and there is an external static IP address.
The company has employees who work from home or travel to project sites; they work on laptops that they carry with them, including for work in the office.
How can users log on to the domain when they are not on the office LAN with the DC?
I have read about the terminal server implementation, but there are no resources to implement it at the moment.
Is it possible to establish a VPN connection before the user enters the Windows password? I read about SSO, but it seems to work only on Win7, and the employees' laptops are on Win10.


5 answers
Vadim Choporov, 2019-11-05
@tolstyiii

If a person carries the laptop with him and all you need is to log on to it under a domain account, then don't worry at all. Windows caches the credentials of the last (I don't remember exactly, something like 10) users who logged on to the system. That is, the user needs to log on at least once on a laptop connected to a network that has access to the DC, and after that he will quietly keep working under the same user offline (relative to the domain). There is one nuance: the password expiration date. If the employee/laptop then does not log on for a long time on a network with access to the DC (two password periods in the domain), the laptop will fall out of the domain; it will have to be re-joined to the domain, and the employee will need to reset the password (the user should be prompted right at logon, by default) when connected to a network with access to the DC.
* A VPN is still needed to access network resources.
** You haven't finished reading about SSO, but you probably don't need it at the current stage.
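The state this answer relies on (how many users are cached, whether this session came from cache, whether the machine-account trust is intact) can be inspected from the laptop itself, and the "fell out of the domain" case can usually be repaired without leaving and re-joining. The following is an added PowerShell example, not code from the thread. It assumes an elevated prompt on a domain-joined Windows 10 laptop; the value `2` chosen for `CachedLogonsCount` is a suggested hardening setting, not a Windows default. The caveat worth knowing: each cached logon is stored as an MSCache v2 hash under `HKLM\SECURITY\Cache`, so on a lost or stolen laptop those hashes can be attacked offline; keeping the count low limits what is exposed.

```powershell
# Added example (not from the thread): inspect cached-logon state and repair the
# machine-account trust. Run in an elevated PowerShell on the domain-joined laptop.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. How many distinct domain users may still sign in from cache.
#    Stored as REG_SZ; if the value is absent Windows uses 10.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ([string]::IsNullOrEmpty($cached)) { $cached = '10 (default, value not present)' }
Write-Host "CachedLogonsCount : $cached"

# 2. Did this session authenticate against a DC or from the cache?
#    LOGONSERVER names the DC that answered; on a cached logon it is the laptop itself.
Write-Host "LOGONSERVER       : $env:LOGONSERVER"
Write-Host "USERDNSDOMAIN     : $env:USERDNSDOMAIN"

# 3. The machine-account trust (secure channel). Off the office network this fails,
#    which is normal; it matters when a DC is reachable and the result is still False.
try {
    $trustOk = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $trustOk = $false
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
}
Write-Host "Secure channel OK : $trustOk"

# 4. Repair instead of leaving and re-joining the domain. Do this while a DC is
#    reachable (office LAN or VPN); it resets the computer account password on both sides.
if (-not $trustOk) {
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer object'
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# 5. Password expiry, the other nuance mentioned above; only answers when a DC is reachable.
if ($trustOk) {
    net user $env:USERNAME /domain | Select-String 'Password expires'
}

# 6. Hardening for travelling laptops (suggested value, not a default): cap the number of
#    cached MSCache v2 hashes. Never set 0, or nobody can sign in without a DC.
Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '2' -Type String
```

Step 4 is the direct alternative to "transferring" the laptop back into the domain: `Test-ComputerSecureChannel -Repair` re-establishes the computer account password without touching user profiles. Step 6 takes effect for logons after the next DC-connected sign-in, since the cache is refreshed at each online logon.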

Ronald McDonald, 2019-11-04
@Zoominger

I read the implementation option with a terminal server

This is the ideal option.
Look for resources.

Vadim, 2019-11-05
@dark_rain

DirectAccess
https://blogs.technet.microsoft.com/abeshkov/2009/...
https://docs.microsoft.com/en-us/windows-server/re...

nApoBo3, 2019-11-05
@nApoBo3

1. VPN before logon. But there are many things that are not very obvious.
2. DirectAccess.
3. Azure, where you can set up integration with the local AD.
4. Credential caching. It is on by default, i.e. at the site, anyone who has already logged on to the system will be able to log on without access to the controller. And only then is the VPN brought up from the session if access to data is needed.
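Item 1 above, a VPN that is available before logon, is what the asker was after. On Windows 10 a built-in VPN profile appears on the sign-in screen (the network icon in the lower right) only when it is stored in the machine-wide phonebook, which `Add-VpnConnection -AllUserConnection` does; the user can then bring the tunnel up and sign in against the DC through it. The following is an added PowerShell example, not code from the thread. The connection name, gateway hostname and the `10.0.0.0/8` route are placeholders, and the gateway (Windows RRAS or anything else speaking IKEv2) must be configured to accept the same authentication method and crypto suites. MSCHAPv2 is acceptable here only because IKEv2 carries the EAP exchange inside the encrypted IKE_AUTH exchange after authenticating the server by certificate; EAP-TLS with client certificates is the stronger choice if a PKI is available.

```powershell
# Added example (not from the thread): a device-wide IKEv2 profile that is selectable on
# the Windows 10 sign-in screen, so the domain logon can happen over the tunnel.
# Run elevated on the laptop. Names and prefixes below are placeholders, not from the post.

$name   = 'Office VPN'        # placeholder
$server = 'vpn.example.com'   # placeholder: public DNS name of the office's external static IP

# -AllUserConnection  : store in the machine phonebook -> visible at the logon screen.
# -UseWinlogonCredential : reuse the Windows logon credentials for the tunnel (MSCHAPv2/EAP),
#                        so the user types them once.
# -SplitTunneling     : only office prefixes go through the tunnel (routes added below).
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -AllUserConnection -UseWinlogonCredential -RememberCredential -SplitTunneling -Force

# Pin IKEv2 to modern suites; Windows otherwise negotiates older proposals.
# The gateway must offer the same suites or the tunnel will not come up.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name -AllUserConnection `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# Route the office network (placeholder prefix) into the tunnel; DC, file servers etc. live there.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix '10.0.0.0/8' -AllUserConnection

# Show the resulting profile.
Get-VpnConnection -Name $name -AllUserConnection |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling, RememberCredential
```

The "not very obvious" part the answer alludes to: a first-time user still has to have logged on once while a DC was reachable for the logon screen to accept them, unless they connect the VPN from the sign-in screen before entering the password, which is exactly the flow this profile enables. Split tunnelling keeps home traffic off the office gateway but means the laptop's own internet egress is not inspected by the office; decide that deliberately.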

maniac_by, 2019-11-05
@maniac_by

And people in 2019 still aren't too lazy to stand up LDAP on some micro-junk ...
