Authentication against AD over the internet concerns
Hi,
I'm seeing more and more cases where applications used by external collaborators are using AD as their authentication directory.
Since the users may only be temporarily engaged by the company, it is cost prohibitive to issue hard tokens to allow authentication, and in many cases the applications cannot integrate with these more secure methods.
They also need to access the application from an increasing portfolio of devices, so it could be running Windows, Mac OS, Linux or any number of smartphone OSes.
Consequently, there are more and more requests for allowing authentication to internal AD using just single-factor authentication (username and password) over the internet.
This has obvious security risks, not least the fact that a DoS attack could be issued, user data stolen etc.
Has anyone else seen similar things? If so, how are you tackling them? Are there any products out there that could sit in front of the AD and still allow seamless LDAP / NTLM / Kerberos authentication but would prevent a DoS by not forwarding on huge numbers of login attempts?
I've looked at various VPN solutions but they generally support only a subset of devices, or do not allow a seamless user experience.
Ultimately I guess I'm talking about compensating controls that would give peace of mind where we can't offer multi-factor authentication.
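The throttling front-end the post asks about can be illustrated with a small decision gate, as an added example that is not part of the original post or any product: before a bind is forwarded to AD, attempts are counted per source address and failures per account, and the per-account ceiling is assumed to sit below the domain's lockout threshold so that a flood is absorbed at the gate rather than locking the real user out of the directory. All names, limits and the sample attempt stream are constructed for the example.

```python
import collections
import ipaddress

class AuthThrottle:
    """Decides whether a login attempt should be forwarded to AD.

    Two sliding windows are kept: failures per account (so one account
    cannot be brute-forced or locked out by a flood of bad passwords) and
    attempts per source address (so one client cannot generate enough
    traffic to exhaust the domain controllers). Times are in seconds.
    """

    def __init__(self, window=300, max_user_failures=5, max_source_attempts=50):
        self.window = window                          # assumed limits, tune per site
        self.max_user_failures = max_user_failures    # keep below AD lockout threshold
        self.max_source_attempts = max_source_attempts
        self._user_failures = collections.defaultdict(collections.deque)
        self._source_attempts = collections.defaultdict(collections.deque)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def should_forward(self, username, src_ip, now):
        """Return (allowed, reason) without contacting the directory."""
        user = username.strip().lower()             # AD names are case-insensitive
        src = str(ipaddress.ip_address(src_ip))     # normalise the textual form
        fails, attempts = self._user_failures[user], self._source_attempts[src]
        self._prune(fails, now)
        self._prune(attempts, now)
        if len(attempts) >= self.max_source_attempts:
            return False, "source-rate"
        if len(fails) >= self.max_user_failures:
            return False, "user-lockout"
        attempts.append(now)                        # only forwarded attempts count
        return True, "ok"

    def record_result(self, username, src_ip, success, now):
        """Call after the directory answered; a success clears the counter."""
        user = username.strip().lower()
        if success:
            self._user_failures.pop(user, None)
        else:
            self._user_failures[user].append(now)

def simulate(attempts, throttle=None):
    """Run constructed (time, user, ip, password_ok) tuples through the gate.
    Returns a Counter of forwarded attempts ("ok") and blocks per reason."""
    throttle = throttle or AuthThrottle()
    stats = collections.Counter()
    for now, user, ip, ok in attempts:
        allowed, reason = throttle.should_forward(user, ip, now)
        stats[reason] += 1
        if allowed:
            throttle.record_result(user, ip, ok, now)
    return stats
```

Blocked attempts are answered by the gate and never reach a domain controller, and the per-account counter expires with the window, so a legitimate user is only slowed, not locked out, once the noise stops.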