
To date, I've only ever used ADFS for claims aware applications.

I'm now looking at using it for some non-claims aware applications.

I've read that the WAP server must be domain joined for this so that it can perform Kerberos constrained delegation.

I've previously been told that domain joined servers shouldn't be in the DMZ. Assuming that advice is still best practice, what is the most secure way of deploying domain joined WAP servers in a DMZ? And are there any alternative configurations that would still allow authentication for non-claims aware applications?

Thanks for your help

Steve
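Added example, not from the question or the answer: what the Kerberos constrained delegation mentioned above looks like when it is scoped as tightly as possible, plus a check that the DMZ-resident WAP account has not ended up with unconstrained delegation. The server name WAP01, the backend URL app.corp.example, the relying party name and the certificate thumbnail placeholder are all assumed.

```powershell
# Added example (not from the question or answer): publish a non-claims-aware
# application through WAP with Kerberos constrained delegation limited to ONE
# backend SPN, then audit that the WAP computer account stays that constrained.
# Assumed names: WAP server WAP01, backend https://app.corp.example,
# AD FS relying party 'Intranet App RP'. Steps 1 and 3 run on a LAN host with
# the ActiveDirectory RSAT module; step 2 runs on the WAP server itself.

$WapComputer = 'WAP01'
$BackendSpn  = 'HTTP/app.corp.example'

# 1. Constrained delegation with protocol transition: the user pre-authenticated
#    to AD FS (forms/MFA, no Kerberos ticket to forward), so WAP must be allowed
#    to obtain a ticket on the user's behalf, but only for this one SPN.
Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
Set-ADAccountControl -Identity "$WapComputer`$" -TrustedToAuthForDelegation $true

# 2. Publish the application on WAP: AD FS does pre-authentication, WAP then
#    impersonates the user towards the backend using the SPN configured above.
Add-WebApplicationProxyApplication `
    -Name 'Intranet App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet App RP' `
    -ExternalUrl 'https://app.corp.example/' `
    -BackendServerUrl 'https://app.corp.example/' `
    -BackendServerAuthenticationSPN $BackendSpn `
    -ExternalCertificateThumbprint '<THUMBPRINT-PLACEHOLDER>'   # replace with real value

# 3. Audit from inside the LAN: a domain-joined DMZ host must never hold
#    unconstrained delegation (TrustedForDelegation), and its constrained list
#    must contain nothing beyond the SPNs you deliberately granted.
function Test-WapDelegation {
    param([string]$Computer, [string[]]$AllowedSpns)
    $c = Get-ADComputer -Identity $Computer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    if ($c.TrustedForDelegation) {
        return "FAIL: $Computer has unconstrained delegation"
    }
    $extra = @($c.'msDS-AllowedToDelegateTo') | Where-Object { $_ -notin $AllowedSpns }
    if ($extra.Count -gt 0) {
        return "FAIL: $Computer may delegate to unexpected SPN(s): $($extra -join ', ')"
    }
    return "OK: $Computer is constrained to $($AllowedSpns -join ', ')"
}

Test-WapDelegation -Computer $WapComputer -AllowedSpns @($BackendSpn)
```

Step 3 is the part worth scheduling: if the WAP host in the DMZ is compromised, the delegation list on its computer account is exactly what the attacker inherits, so any drift from the single expected SPN should raise an alert.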

1 Answer


what is the most secure way of deploying domain joined WAP servers in a DMZ?

If you absolutely must have domain joined servers in the DMZ, don't put writable domain controllers in the DMZ - only read-only domain controllers. Generally, domain-joined servers in the DMZ increase security risks, so in terms of security this should be avoided if possible.

And are there any alternative configurations that would still allow authentication for non-claims aware applications?

Azure AD Application Proxy would be a good alternative. It supports various SSO methods, including Kerberos, and advanced security rules (with Azure AD Conditional Access). Aside from the advanced security controls, the main benefit is that you wouldn't have to put any servers inside the DMZ or open any incoming ports on your firewall. It has its own considerations and limitations, which may or may not apply to your case. It depends on the application itself, user geography and some other factors.

J-M
  • Thanks Jevgenji. It seems weird that it's a standard Microsoft deployment given the compromise in security, but I'll build a proof of concept with an RODC – Steve Oct 03 '21 at 09:46
  • @Steve An RODC in the DMZ needs network access into the LAN, so it raises a risk, because it increases the breach landscape. But it also brings additional features, like Kerberos SSO. Productivity always impacts security (and vice versa). I'm afraid, in the case of AD, this is by design. Modern technology solutions, like Azure AD, mitigate these risks much better. AD as a technology was created for a different world than the one we are living in right now – J-M Oct 03 '21 at 15:25