Re: Single Sign On?
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Tue, 27 May 2008 07:43:20 -0500
They shouldn't be provided access to your DCs via browsing; you only want
to allow them access to your Exchange and SharePoint. There should be a
firewall in place to only allow those ports that are needed to specific
servers. Problem is they will need access to your DCs for authentication
on multiple ports.
I would reconsider doing what you are contemplating. So what, so they have
to authenticate twice; tough luck, those are your security rules, let them
live by them. It is your forest, keep it as secure as you can.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"AJ" <andyjones99@xxxxxxxxxxxxx> wrote in message
news:b73337e9-fd77-44ed-906a-9bb7be2d266a@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 26 May, 23:45, "Herb Martin" <n...@xxxxxxxxxxxxxx> wrote:
"AJ" <andyjone...@xxxxxxxxxxxxx> wrote in message
news:59bd8ad1-85f3-4421-8509-994bc8bbfba0@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 26 May, 12:12, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello AJ,
The trust will be the only way to use single sign on, as far as I know.
Otherwise the user credentials cannot be checked in your domain.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello
We have a customer who logs into their own local domain for file
resources and they use our domain for other resources such as
SharePoint. The customer access is via the internet (No VPN) and they
authenticate using basic authentication and SSL via ISA. The customer
only wants to have to enter login credentials once (their local domain
creds) as opposed to getting challenged for credentials of our domain
when accessing our resources.
Any idea how this can be implemented or if a solution that provides
this exists? I don't want to have to create a forest trust with their
domain because there is no level of trust with their network.
Any help appreciated
Thanks
AJ
Hi Meinolf
Thanks for your reply. The customer uses our domain accounts to
access their SharePoint site and Exchange server which is in our
forest. I guess I could configure a one way trust where they trust our
domain and then they could actually log into their local machines
(which are a member of their local AD domain) using their accounts
that they use to access their Exchange/SharePoint site which are
actually accounts in our domain. They could then grant permissions to
these accounts against their local domain resources as required. Does
that make sense? :)
That's possible -- the key is which is least disturbing for them,
or most meets the security, admin, and other needs of the
various admins (yours and theirs).
IF you trust THEIR domain then you will trust their DCs to
authenticate them and they will use their "own domain" account.
IF they trust YOUR domain then theirs will trust your DCs to
authenticate them and they will use their account on "YOUR
domain."
Both are choices. The trust goes from the Resource (your
stuff or their computers) TOWARDS the ACCOUNT
domain -- that simple.
Thanks. If I created an external trust to the customer domain (running
over a branch to branch VPN tunnel), where they trust my accounts,
would I be able to hide my accounts that are not relevant to the
customer, i.e. those that are not in their OU in my domain?
The last thing I want is for the remote domain to be able to browse
our users/groups etc.
Thanks
AJ