Sharepoint 2010 one way trust

Question

Hello All,

 

We are currently suggesting a following architecture for our client and was curious about reading a lot of posts around one -way AD trust here.

Scenario: We are creating a web portal for our client in which we will be hosting Sharepoint server (standard edition) in DMZ zone and have a domain controller in the same zone so that we can create external users who will be accessing this site as users on this domain.

Internal users(in corporate LAN) of the client will also need access to this sharepoint server hosted in DMZ. We have suggested this architecture considering licensing issues as internal users can be covered by CAL and external users can be covered using sharepoint internet license.

one way trust from DMZ AD into Corporate AD would be implemented 

Query: 

We would be implementing workflows which internal users can assign tasks to external users and vice-versa. By looking at other related posts on the net, is this one -way trust a right way to achieve this scenario? from experience can anyone suggest if we are going the right way? or what are the bottle necks that I may face? Configuring people picker to pick up users from other domains is the only thing needed after we implement this or is there any other things I might need to be aware of?

 

Quick replies appreciated.

 

regards,

Shrini

 

 

Answer 1

We are currently doing almost the exact same thing. Having the external domain trust the internal domain is the way to go. Then you execute some stsadm commands to have the people picker / people search popup window scan both domains.

you're describing the back-to-back topology, MS has written a lot about different extranet topologies

http://go.microsoft.com/fwlink/?LinkId=187988

Answer 2

Thanks Todd for a very quick reply. Really appreciate it.

I had seen some articles around which describe people implementing the same architecture, but were facing problem in people picker not being able to pick up users from different domain even after applying one way trust. The work around was profile imports which I guess is too much of a task? Do you also foresee this as an issue? 

 

 

 

Answer 3

Hi Shark25,

 

The People Picker automatically issues queries to all two-way trusted domains when it uses the application pool account to search for users and groups. When you select a secondary account in the People Picker, the primary account information will be returned.

 

For one-way trusts you must provide the following information:

 

• Logon credentials with permission to query the forest
• An encryption key that will be used when the People Picker is performing a query

For more information about one-way trust, please refer to the following articles:

 

http://mattstratton.com/tech-tips/configuring-sharepoint-2010-search-in-a-one-way-trust-scenario

 

http://martijnschouten.wordpress.com/2010/06/24/sharepoint-2010-search-with-one-way-domain-trust/

 

http://www.marc-antho-etc.net/blog/post/2009/05/13/SharePoint-People-Picker-and-Active-Directory-Part-1.aspx

 

Hope this helps.

 

Rock Wang

---

Regards, Rock Wang Microsoft Online Community Support

Answer 4

Hi Rock,

 

Just to add I believe we dont need the SSO (SSS) service in sharepoint to be enabled for this? I guess the user from the internal domain would directly be able to access the site, without it having to sign in again? Site is on extranet domain?