Single Sign On?

[AJ]

Hello

We have a customer who logs into their own local domain for file
resources and they use our domain for other resources such as
sharepoint. The customer access is via the internet (No VPN) and they
authenticate using basic authentication and SSL via ISA. The customer
only wants to have to enter login credentials once (their local domain
creds) as opposed to getting challenged for credentials of our domain
when accessing our resources.

Any idea how this can be implemented or if a solution that provides
this exists. I dont want to have to create a forest trust with their
domain becuase there is no level of trust with their network.

Any help appreciated

Thanks

AJ

 

[Meinolf Weber]

Hello AJ,

The trust will be the only way to use single sign on, as far as i know. Otherwise
the user credentials can not be checked in your domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[AJ]

Hello AJ,

The trust will be the only way to use single sign on, as far as i know. Otherwise
the user credentials can not be checked in your domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm







- Show quoted text -

Hi Meinolf

Thanks for your reply. The customer users our domain accounts to
access their sharepoint site and Exchange server which is in our
forest. I guess I could configure a one way trust where they trust our
domain and then they could actually log into their local machines
(which are a member of their local AD domain) using their accounts
that they use to access their Exchange/SharePoint site which are
actually accounts in our domain. They could then grant permissions to
these accounts against their local domain resources as required. Does
that make sense?

Thanks

AJ

 

[Herb Martin]

Hello AJ,

The trust will be the only way to use single sign on, as far as i know.
Otherwise
the user credentials can not be checked in your domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm







- Show quoted text -

Hi Meinolf
<<
Thanks for your reply. The customer users our domain accounts to
access their sharepoint site and Exchange server which is in our
forest. I guess I could configure a one way trust where they trust our
domain and then they could actually log into their local machines
(which are a member of their local AD domain) using their accounts
that they use to access their Exchange/SharePoint site which are
actually accounts in our domain. They could then grant permissions to
these accounts against their local domain resources as required. Does
that make sense?
That's possible -- the key is which is least disturbing for them,
or most meets the security, admin, and other needs of the
various admins (yours and theirs).

IF you trust THEIR domain then you will trust their DCs to
authenticate them and they will use their "own domain" account.

IF they trust YOUR domain then theirs will trust your DCs to
authenticate them and they will use their account on "YOUR
domain."

Both are choices. The trust goes from the Resource (your
stuff or their computers) TOWARDS the ACCOUNT
domain -- that simple.

 

[AJ]

Hi Meinolf
<<
Thanks for your reply. The customer users our domain accounts to
access their sharepoint site and Exchange server which is in our
forest. I guess I could configure a one way trust where they trust our
domain and then they could actually log into their local machines
(which are a member of their local AD domain) using their accounts
that they use to access their Exchange/SharePoint site which are
actually accounts in our domain. They could then grant permissions to
these accounts against their local domain resources as required. Does
that make sense?



That's possible -- the key is which is least disturbing for them,
or most meets the security, admin, and other needs of the
various admins (yours and theirs).

IF you trust THEIR domain then you will trust their DCs to
authenticate them and they will use their "own domain" account.

IF they trust YOUR domain then theirs will trust your DCs to
authenticate them and they will use their account on "YOUR
domain."

Both are choices.  The trust goes from the Resource (your
stuff or their computers) TOWARDS the ACCOUNT
domain -- that simple.- Hide quoted text -

- Show quoted text -

Thanks. If I created an external trust to the customer domain (running
over a branch to branch VPN tunnel), where they trust my accounts,
would I be able to hide my accounts that are not relevent to the
customer i.e those that are not in their OU in my domain?
The last thing I want is for the remote domain to be able to browse
our users/groups etc.

Thanks

AJ

 

[Paul Bergson [MVP-DS]]

They shouldn't be provided access to your dc's via browsing, you only want
to allow them access your Exchange and Sharepoint. There should be a
firewall in place to only allow those ports that are needed to specific
servers. Problem is they will need access to your dc's for authentication
on multiple ports.

I would reconsider doing what you are contemplating. So what, so they have
to authenticate twice, tough luck those are your security rules, let them
live by them. It is your forest keep it as secure as you can.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Meinolf
<<
Thanks for your reply. The customer users our domain accounts to
access their sharepoint site and Exchange server which is in our
forest. I guess I could configure a one way trust where they trust our
domain and then they could actually log into their local machines
(which are a member of their local AD domain) using their accounts
that they use to access their Exchange/SharePoint site which are
actually accounts in our domain. They could then grant permissions to
these accounts against their local domain resources as required. Does
that make sense?



That's possible -- the key is which is least disturbing for them,
or most meets the security, admin, and other needs of the
various admins (yours and theirs).

IF you trust THEIR domain then you will trust their DCs to
authenticate them and they will use their "own domain" account.

IF they trust YOUR domain then theirs will trust your DCs to
authenticate them and they will use their account on "YOUR
domain."

Both are choices. The trust goes from the Resource (your
stuff or their computers) TOWARDS the ACCOUNT
domain -- that simple.- Hide quoted text -

- Show quoted text -

Thanks. If I created an external trust to the customer domain (running
over a branch to branch VPN tunnel), where they trust my accounts,
would I be able to hide my accounts that are not relevent to the
customer i.e those that are not in their OU in my domain?
The last thing I want is for the remote domain to be able to browse
our users/groups etc.

Thanks

AJ

 

[AJ]

They shouldn't be provided access to your dc's via browsing, you only want
to allow them access your Exchange and Sharepoint.  There should be a
firewall in place to only allow those ports that are needed to specific
servers.  Problem is they will need access to your dc's for authentication
on multiple ports.

I would reconsider doing what you are contemplating.  So what, so they have
to authenticate twice, tough luck those are your security rules, let them
live by them.  It is your forest keep it as secure as you can.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights..











Thanks. If I created an external trust to the customer domain (running
over a branch to branch VPN tunnel), where they trust my accounts,
would I be able to hide my accounts that are not relevent to the
customer i.e those that are not in their OU in my domain?
The last thing I want is for the remote domain to be able to browse
our users/groups etc.

Thanks

AJ- Hide quoted text -

- Show quoted text -

Thanks
I thought that the ports required for the trust to be created would
more than likely enable browsing too seeing as there is quite a range
of ports required. I gusess that was a wrong assumption and I haven't
looked for specifics at this stage.

Surely connecting via an IPSEC VPN tunnel is pretty secure and the
customer site is very small i.e. limited number of users and we do
have a certain level of trust. Are your concerns because its an
external trust full stop?

Unfortunately we have to be helpful to the customer and at least
investigate possibilities. After all we dont want the paying customer
to look eslewhere. appreciate that there is a security risk involved
but how high is it in reality?

Thanks Paul

AJ

 

[Herb Martin]

Hi Meinolf
<<
Thanks for your reply. The customer users our domain accounts to
access their sharepoint site and Exchange server which is in our
forest. I guess I could configure a one way trust where they trust our
domain and then they could actually log into their local machines
(which are a member of their local AD domain) using their accounts
that they use to access their Exchange/SharePoint site which are
actually accounts in our domain. They could then grant permissions to
these accounts against their local domain resources as required. Does
that make sense?



That's possible -- the key is which is least disturbing for them,
or most meets the security, admin, and other needs of the
various admins (yours and theirs).

IF you trust THEIR domain then you will trust their DCs to
authenticate them and they will use their "own domain" account.

IF they trust YOUR domain then theirs will trust your DCs to
authenticate them and they will use their account on "YOUR
domain."

Both are choices. The trust goes from the Resource (your
stuff or their computers) TOWARDS the ACCOUNT
domain -- that simple.- Hide quoted text -

- Show quoted text -

<<
Thanks. If I created an external trust to the customer domain (running
over a branch to branch VPN tunnel), where they trust my accounts,
would I be able to hide my accounts that are not relevent to the
customer i.e those that are not in their OU in my domain?
The last thing I want is for the remote domain to be able to browse
our users/groups etc.
Possible but tedious and likely you won't maintain it carefully.

If you share an Exchange system it would seem they SHOULD
be able to see your users....perhaps.