Securing Remote Server Access without VPN or AD Authentication
We have two locations (Site-AD and Site-B) that are able to connect with each other through the internet. Site-AD has private web-based services that need to be restricted to Site-B (Site-C, D, E and others) and require Active Directory for authentication and security. Site-B is a stand-alone site that doesn't use or have Active Directory.

Question: Is there a mechanism / architecture that will allow a system/user at Site-B to use the systems/services at Site-AD without requiring Active Directory authentication and without a VPN appliance maintaining and validating user logins?

The goal is to provide restricted access to the systems/services of Site-AD to known locations, but as a service provider we do not want to maintain user accounts or passwords. The only thing I can think of is using a single AD account and establishing ACLs restricting the sites users are coming from. Still, that requires a bit of administration that we'd rather not do, and there has to be some easier way of doing this. Given the above, what options can be used? Thanks!
October 28th, 2009 11:28pm

What kind of services are you referring to? Once a server has Active Directory on it, you will need AD authentication to access resources on that machine.

Isaac Oben MCITP:EA, MCSE
October 29th, 2009 6:14am

Hi Isaac and others,

The problem definitely revolves around the AD authentication and remotely doing so from known sites on the internet without VPN functionality. A second piece I recently became aware of is that the customer does use AD for their employee authentication, but doesn't want to extend a domain trust or set up a child domain for our server solutions. We still don't want to administer and maintain a separate set of user accounts (it'd also be a pain for the user to log on to two separate domains that don't trust each other).

Given the above, any thoughts on remotely connecting from a stand-alone workstation with local accounts over the internet to a site with server solutions that require some sort of AD or Kerberos authentication without a VPN connection (software client or hardware)? Is there a solution, be it middleware or such, keeping in mind a domain trust is more than likely out of the question (still trying to persuade otherwise to avoid all of this)?

Thanks again!
October 30th, 2009 12:51am

I'm in the same boat as AC2K, and need to find a resolution to the same exact situation. The only means of bypassing AD I've found thus far is either creating accounts on the target server (unacceptable because of AD) or using the net use command (mapping a drive is also unacceptable). My next course seems to be using IP addresses, in this case a range, from the outside agency, to verify through another (UNIX) server/system. I don't mind having the outside users log in twice to access my server and software, but they need to use the authentication I have already established (long used) to access the software and minimize administration. I'd appreciate a bit more depth of detail on Isaac Oben's statement "Once a server has Active Directory on it, you will need AD authentication to access resources on that machine."
December 9th, 2009 4:44pm
