Cross Domain Authentication and Authorisation

Question
Hi Guys,
I have this challenge where my clients are using, say, a Domain A domain user account to perform Windows authentication to my SharePoint server, which is hosted in Domain B.
I understand that we can do a one-way forest trust from Domain B -> Domain A. However, I just want to check, from a technical point of view, whether there is any way that I can identify the users as Domain B users instead, assuming that the login ID in Domain A and Domain B is the same.
Meaning they may authenticate via their Domain A account first and subsequently my SharePoint server takes in the token and identifies them as Domain B instead.
They will see their claimed ID in SharePoint as DomainB\HisLogin.
Your advice will be much appreciated!
Cheng
Tuesday, November 19, 2013 5:04 PM
Answers
As long as Domain B (SharePoint) trusts Domain A (Users) (this is a one-way trust), you can have a seamless login. You will need to take extra steps as outlined in http://technet.microsoft.com/en-us/library/cc263460(v=office.12).aspx, and in addition, your SharePoint servers in Domain B need port access to the Domain Controller(s) in Domain A, but this is an entirely do-able setup. This way users log in with the same credentials that they used to log into Windows, given the SharePoint site is in the Intranet Zone in Internet Explorer.
Trevor Seward, MCC
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
- Proposed as answer by DubaStep Wednesday, November 20, 2013 9:19 PM
- Marked as answer by Victoria Xia Wednesday, November 27, 2013 1:07 AM
Wednesday, November 20, 2013 6:56 AM
All replies
So when dealing with multiple domains, there are several scenarios:
- Domain Migration: in this case, use the SIDHistory attribute, which allows your old domains' SID to be associated with your new account. This is more of a user mapping from old to new, than anything else.
- Resource Domains: in this case, an account for each user exists in both domains. In this capacity, there are attributes that allow DOMAINA\User1 to access resources in DOMAINB as though DOMAINA\User1 were actually logged in as DOMAINB\User1. I believe each system has its own attribute (Exchange, Lync, etc)... not sure what SP would use.
- Domain Trusts for organizational association: in this case, an enterprise may just keep several domains separate but trusted... in doing so, just work with users in both domains directly (for permissions, assigning tasks, etc). Special effort will be required to address user profile syncing if you need users from all domains.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Tuesday, November 19, 2013 5:16 PM
As Trevor said, not possible. SIDs are different. What is it you are trying to accomplish? What is the technical reason for wanting to do this?
Tuesday, November 19, 2013 9:58 PM
First of all, thanks for the advice given.
The objective is merely to allow seamless authentication of the user. But at the same time, they assign content permission/access based on the DomainB domain user.
@Scott Brickey, I'm more into the Resource Domain approach. However, it seems that it requires a two-way transitive trust between Domain A and Domain B, which is not possible in this case. :(
Also, there is no requirement to have Domain A pool of users into the SharePoint Server. It is hosted in Domain B and will only have users from Domain B.
Cheng
Wednesday, November 20, 2013 6:14 AM
There's no SP equivalent to the msExchMasterAccountSID attribute that Exchange uses when authenticating between account domains and resource domains?
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Wednesday, November 20, 2013 3:57 PM
SharePoint keeps a copy of the ObjectSID in the content database (UserInfo table), but has no Active Directory schema (in other words, does not have its own attributes, unlike Exchange).
Trevor Seward, MCC
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Wednesday, November 20, 2013 4:02 PM
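To illustrate the point made in this thread (the ObjectSID that SharePoint stores identifies the account domain, so DomainA\User1 and DomainB\User1 are different principals even with the same login name), here is an added example, not code from the thread or from SharePoint, that decodes binary SIDs in the Active Directory ObjectSID layout and compares their domain parts. The two SIDs below are constructed sample values, not real domain identifiers.

```python
import struct

SID_REVISION = 1
NT_AUTHORITY = 5  # identifier authority used for S-1-5-21-... domain SIDs


def build_sid(domain_subauths, rid):
    """Encode a domain-relative SID in the binary ObjectSID layout
    (revision, sub-authority count, 48-bit big-endian authority,
    then 32-bit little-endian sub-authorities)."""
    subs = [21, *domain_subauths, rid]
    header = bytes([SID_REVISION, len(subs)]) + NT_AUTHORITY.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def parse_sid(raw):
    """Decode a binary ObjectSID into its S-1-5-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != SID_REVISION or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_part(sid_str):
    """Everything except the final RID identifies the issuing domain."""
    return sid_str.rsplit("-", 1)[0]


def rid(sid_str):
    return int(sid_str.rsplit("-", 1)[1])


def same_principal(raw_a, raw_b):
    """Windows compares the full SID, never the login name."""
    return parse_sid(raw_a) == parse_sid(raw_b)


# Constructed sample SIDs: same login name and even the same RID (1105),
# but issued by two different domains.
SID_DOMAIN_A_USER1 = build_sid((1111111111, 2222222222, 3333333333), 1105)
SID_DOMAIN_B_USER1 = build_sid((4000000001, 555555555, 666666666), 1105)

if __name__ == "__main__":
    for label, raw in (("DOMAINA\\User1", SID_DOMAIN_A_USER1), ("DOMAINB\\User1", SID_DOMAIN_B_USER1)):
        print(label, parse_sid(raw), "domain:", domain_part(parse_sid(raw)))
    print("same principal:", same_principal(SID_DOMAIN_A_USER1, SID_DOMAIN_B_USER1))
```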