TicArch

Hi All,

I need to know whether two Active Directory domains can be mapped to one SharePoint implementation.
If yes, then please give me some links to explore the same.

Cheers



Re: SharePoint - General Question and Answers and Discussion Active directory

kwm

Not sure what you mean by "mapped". You can import user profiles from multiple ADs, but if you need user authentication from other ADs you need to set up an AD trust, just like you would if you tried to access a file server in another domain.

If you mean a domain like www.mydomain.com, you can set SharePoint to respond to multiple domains by entering the addresses in "Alternate Access Mappings" in Central Administration.





Re: SharePoint - General Question and Answers and Discussion Active directory

HiBuddy

Hi kwm,

Thanks for your reply.

Actually we have an existing website, say www.a.com, running in my enterprise with an Active Directory domain "D1".

Now we are doing a SharePoint installation in our company with an access URL, say www.b.com, running under a different Active Directory domain "D2".

Now users of the enterprise have user accounts in both domains, "D1" and "D2".

And we want that users logged in to www.a.com can go to www.b.com from inside it (using a given link) and vice versa.

While doing so, the user should not be prompted for a login again.

Please let me know whether it is possible by importing user profiles from both domains or by establishing a trust between these two domains (two-way AD trust).

Will this trust make the user keep his own identity while going from www.a.com to www.b.com or vice versa?

I am asking this because I am not sure whether an AD trust has a mapping table for per-user mapping between the two domains. Or, for this single sign-on, do we need some identity management server?

Urgently need your inputs on this.

Cheers





Re: SharePoint - General Question and Answers and Discussion Active directory

kwm

You will need to set up a two-way trust between domain A and B. When that is done you have to make sure that users from domain A have user rights on MOSS in domain B and the other way around.

It is a good idea to import user profiles on both MOSS farms, but it will not affect authentication in any way.

When the trust has been set up and access rights have been given on the farms, you need to set www.a.com and www.b.com as intranet sites in IE. This will make IE send the user's authentication automatically.





Re: SharePoint - General Question and Answers and Discussion Active directory

Gary A. Bushey MVP

Sounds like you need to turn on and configure SharePoint's Single Sign-On feature. This is done in the Central Admin program, under the Operations tab. In the "Security Configuration" section select the "Manage settings for single sign-on" link.






Re: SharePoint - General Question and Answers and Discussion Active directory

HiBuddy

Hi Gary,

As far as I understand, the single sign-on provided by SharePoint is for getting data from various LOB systems using the BDC. In this, a user ID/password for that particular system is preconfigured.

Single sign-on in MOSS doesn't have a mapping table by which we can map users (per user, on a one-to-one relation basis) of the other website to the SharePoint website (that too two-way, i.e. users of one website can go to the SharePoint website and vice versa without being prompted for a user ID/password).

As I wrote in my earlier post, my problem is somewhat different.

I hereby request you to go through my earlier post in the same thread and suggest what would be the best approach for this.

If my understanding about the "single sign-on" provided by MOSS is wrong, please let me know.

Cheers





Re: SharePoint - General Question and Answers and Discussion Active directory

kwm

I would not recommend SSO in this case.

You would have to set up SSO on both farms, you would need to administer the same users in two domains and, if I remember correctly, users will be asked for their password when they change it so the SSO database can be updated.





Re: SharePoint - General Question and Answers and Discussion Active directory

HiBuddy

Thanks for your reply, kwm.

So what do you recommend in this case?

As far as I know, the IDM servers available in the market do take care of situations like password changes etc.

Cheers





Re: SharePoint - General Question and Answers and Discussion Active directory

kwm

Yes, you could set up IDM or MS MIIS to synchronize user credentials to the MOSS SSO database, if you know how to do that. It would be a good idea if you have a reason for not setting up the trust.

But if you don't have any problems with making the trust, I would recommend that.

It is most likely the easiest solution, and by setting up IDM or MIIS you add one more thing that can fail.





Re: SharePoint - General Question and Answers and Discussion Active directory

HiBuddy

Sorry, but I didn't get you, kwm.

How can we use a simple trust to resolve this issue, as by trust one application can allow a user of the other application to come inside it but won't map the other application's user to its own application user?

I am asking this because I have been told to resolve this issue by two-way trust, but I couldn't visualise how we can achieve the two-way user mapping using trust.

Hope I am not disturbing you with my repeated queries.

Cheers





Re: SharePoint - General Question and Answers and Discussion Active directory

kwm

It is very simple. "At least if you have done it before :)"

First you need to set up the trust. When you have confirmed that the trust is working you can move on to SharePoint.

On farm A (www.a.com):

Decide what access level users from domain B should have. If, for example, they should be able to see the site, you could add "b\authenticated users" to the "visitors" group (b = the domain name).

You can do the same on farm B. Just add "a\authenticated users" to the "visitors" group.

You can add any user or group that you want, just remember to define what domain they are coming from.

To avoid IE asking for authentication you also need to set www.a.com and www.b.com as intranet sites in IE. This can be done with a GPO in AD.

Let me know if you still have any questions.
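The procedure kwm describes in this reply and in the earlier one (set up and verify the trust, give the other domain's principals rights on each farm with the domain prefix, put both hosts in IE's Local intranet zone) collected into one script. This is an added example for this page, not code from the thread, from kwm, or from Microsoft. It assumes MOSS 2007 with stsadm.exe on the PATH, an elevated PowerShell on a farm server, the farm URLs and domain names used in the thread (www.a.com/domain a, www.b.com/domain b), a trust already created with netdom, and placeholder names for the granted group ("Domain Users") and the SharePoint Visitors group ("Home Visitors"). Run it on farm A, then on farm B with the domain and URL parameters swapped.

```powershell
# Added example, not code posted in the thread or shipped with MOSS.
# Assumptions: MOSS 2007 farm at http://www.a.com in domain "a", trusted domain "b",
# stsadm.exe on the PATH, elevated PowerShell on a farm server, trust already created
# (for example: netdom trust a /domain:b /add /twoway). "Domain Users" and
# "Home Visitors" are placeholders; the default Visitors group is "<site title> Visitors".
param(
    [string]$LocalDomain   = 'a',
    [string]$RemoteDomain  = 'b',
    [string]$FarmUrl       = 'http://www.a.com',
    [string]$RemoteGroup   = 'Domain Users',   # principal in the trusted domain that gets access
    [string]$VisitorsGroup = 'Home Visitors'   # SharePoint group that receives them
)

# Step 1: confirm the trust works in both directions before touching SharePoint.
# nltest lists every trust this domain knows; netdom /verify checks the secure channel.
Write-Host "Trusts known to domain $LocalDomain:"
nltest /domain_trusts
netdom trust $LocalDomain "/domain:$RemoteDomain" /verify /twoway
if ($LASTEXITCODE -ne 0) {
    throw "Two-way trust between $LocalDomain and $RemoteDomain did not verify; fix the trust first."
}

# Step 2: grant the trusted domain's principal rights on this farm. The login must carry the
# domain prefix (e.g. "b\Domain Users"); without it SharePoint resolves the name in the
# wrong domain. Repeat on farm B with the parameters swapped.
$login = "$RemoteDomain\$RemoteGroup"
stsadm -o adduser -url $FarmUrl -userlogin $login -useremail 'noreply@example.com' -group $VisitorsGroup -username $login
if ($LASTEXITCODE -ne 0) {
    throw "stsadm adduser failed for $login on $FarmUrl"
}

# Step 3: put both hosts in IE's Local intranet zone (zone id 1) so IE sends the logged-on
# user's Kerberos/NTLM credentials silently instead of prompting. These are the same registry
# values the "Site to Zone Assignment List" GPO writes; ship it as a GPO in production and use
# this block to check what the GPO produced on a client.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
foreach ($site in @('a.com', 'b.com')) {
    $key = Join-Path $zoneMap "$site\www"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'http'  -Value 1 -Type DWord   # 1 = Local intranet
    Set-ItemProperty -Path $key -Name 'https' -Value 1 -Type DWord
}

# Quick check: list the zone assignments so both hosts can be confirmed in zone 1.
Get-ChildItem $zoneMap -Recurse | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    '{0} http={1} https={2}' -f $_.Name, $props.http, $props.https
}
```

Step 1 stops the script if the trust does not verify, because a principal from a domain the farm cannot resolve will be added as an unresolvable SID and the later steps will appear to succeed while users still get prompted.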





Re: SharePoint - General Question and Answers and Discussion Active directory

HiBuddy

Thanks for writing a very nice and elaborate reply.

I can definitely add b\authenticated user in the domain A website, but then he will keep the identity of b\authenticated user, which I don't want.

I want the b\authenticated user identity to get mapped to the a\authenticated user, as this is the same user of the enterprise and the only thing is that his identity is stored in two domains, A and B.

Also, if I go by the trust-based approach and I want to report what users have done on a particular day, then the b\authenticated user and a\authenticated user of the same SharePoint website will be treated as different by SharePoint.

So I think the trust approach will not work for me. The other approach of IDM is the only approach which seems to fit my requirement.

What is your opinion about what I think?

Cheers





Re: SharePoint - General Question and Answers and Discussion Active directory

kwm

Maybe I don't understand the issue correctly!

Why do you want to synchronize users from domain A to B when you can have the trust? I don't see the need to have the same users in both domains.

Domain A is your enterprise domain with all company users. Right?

Who is in domain B and where is it placed, in a DMZ zone, or is it another company?





Re: SharePoint - General Question and Answers and Discussion Active directory

Matthew McDermott, MVP

Chiming in on the next issue you will face... you will want to evaluate your naming convention for Personal Sites (My Sites). If you are using multiple domains you may want to use the Domain Name\User Name option.

This will guarantee unique site names.