Re: Synchronizing Domain Users Passwords in Non-Trusted Domains
- From: Andy <Andy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 28 Feb 2008 07:31:03 -0800
Thanks for the replies. That is what I thought, but we are trying to do some custom certificates and are having a real tough time getting it to work. The major problem with why we can't build a trust relationship is that one domain is government and the other is county. Our easiest solution would be just to make all those users members of the government side and take control of the whole site like the rest of the sites, but that is a power struggle and political.

What we are doing now is we have a login script that some users click on, and then they have to log in using their password, but when they change their passwords we have to manually change them as well.
"Joe Kaplan" wrote:
This is a good job for MIIS. Account sync between non-related domains is not a feature that is supported by AD natively.

A federation solution may be useful, but would require more creativity and might require provisioning of matching shadow accounts in the other domain, so there is still a provisioning component that is implied.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ryan Hanisco" <RyanHanisco@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:91FF0DB7-028F-429A-B065-5EA6BCC63EF6@xxxxxxxxxxxxxxxx
Hi Andy,
Without a trust in place, there isn't really a way for the database in another domain to get at the credentials. You could either do something based on database credentials or even something with certificates, though you would need to trust the foreign CA and do custom work on the authentication.

Without working for it, I'd say you are probably best to look at the business need vs. the other domain's insistence that there cannot be a trust.

Outside of that your options might be to look at ADAM or Federation Services to extend authentication outward.

In any case, I don't see an easy path. Anyone else???
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need quickly.
"Andy" wrote:
We are working with users that are members of Domain A that need to be able to communicate with their database in Domain B. The Domain A server resides on location along with their DC. Domain B will have the database, which also resides on location, but the DC is off site.

The problem is that we cannot set up a trust delegation, since Domain B will not allow us to build one. So, is there a way to allow users on Domain A to still be able to get to the database even after their passwords change, and still be able to sync to Domain B, either through a certificate or a script of some sort?

Any light on this would be great. BTW, both domains are using Win2k3 servers and XP machines. There are no SQL servers on either location, but we are using Oracle for the main database.
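The provisioning component Joe Kaplan mentions (matching shadow accounts in the other domain) does not itself need a trust: an LDAP bind with explicit Domain B credentials works from any host that can reach a Domain B DC. The PowerShell below is an added example, not code from this thread or from any of the posters; it creates an idempotent shadow account in Domain B for a Domain A user, using a delegated Domain B service account. The DC name dc1.domainb.example, the OU ShadowAccounts, the service account svc_shadowprov and the parameter names are all assumptions for illustration. Note what it does not do: it does not keep the Domain A and Domain B passwords in sync, which is the actual problem in the thread; that still needs MIIS-style password synchronization or a federation design where the Domain A password is never needed in Domain B at all.

```powershell
# Added example (not from the thread): provision a matching "shadow" user in
# Domain B for an existing Domain A user, with no trust between the domains.
# All names (DC, OU, service account) are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # same logon name as in Domain A
    [Parameter(Mandatory)] [string] $DisplayName
)

# Delegated Domain B service account. Delegate only "Create/Delete user
# objects" and "Reset password" on the shadow OU, nothing domain-wide, and
# prompt for (or vault) its password instead of embedding it in the script.
$provisionerUser = 'DOMAINB\svc_shadowprov'
$provisionerPass = Read-Host -AsSecureString "Password for $provisionerUser"
$provisionerCred = New-Object System.Management.Automation.PSCredential($provisionerUser, $provisionerPass)

# Explicit-credential bind: this is what makes a trust unnecessary.
# Secure = authenticated (Kerberos/NTLM) bind, Sealing = encrypt the LDAP traffic.
$ouPath = 'LDAP://dc1.domainb.example/OU=ShadowAccounts,DC=domainb,DC=example'
$authFlags = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing
$ou = New-Object System.DirectoryServices.DirectoryEntry(
    $ouPath,
    $provisionerCred.UserName,
    $provisionerCred.GetNetworkCredential().Password,
    $authFlags)

# Idempotency check: search the shadow OU before creating anything.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
$existing = $searcher.FindOne()

if ($existing) {
    Write-Host "Shadow account $SamAccountName already exists in Domain B; nothing to do."
    return
}

$user = $ou.Children.Add("CN=$SamAccountName", 'user')
$user.Put('sAMAccountName', $SamAccountName)
$user.Put('displayName', $DisplayName)
$user.Put('description', 'Shadow account for a Domain A user (provisioned by script)')
$user.SetInfo()   # object must exist before a password can be set

# Random initial password from the OS CSPRNG; it is not logged or stored.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)
# SetPassword needs a protected channel: ADSI tries LDAPS (636) first and
# falls back to the SAMR RPC path, so one of those must be open to the DC.
$user.Invoke('SetPassword', $initialPassword)

# 0x200 = NORMAL_ACCOUNT; this also clears the ACCOUNTDISABLE bit (0x2)
# that new accounts carry. pwdLastSet = 0 forces a change at first logon.
$user.Put('userAccountControl', 0x200)
$user.Put('pwdLastSet', 0)
$user.SetInfo()

Write-Host "Created shadow account $SamAccountName in Domain B (initial password handed out out-of-band)."
```

Two practical caveats. First, this still needs Domain B to hand over a delegated service account, so it is a negotiated arrangement, not a way around Domain B's refusal of a trust. Second, the resulting account has its own password; if the requirement is that a Domain A password change carries over to Domain B, the part that does that (a password filter or MIIS-style sync, or a federation token that replaces the Domain B password entirely) is what has to be designed and secured, since it is the component that will see cleartext passwords.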