Cross domain access in Sharepoint 2010 - sharepoint

There are two domains A and B (separate forests). The SharePoint site is deployed in domain A. Is it possible for a user from domain B to get access to the site?
As far as I understand, SharePoint is based on Active Directory accounts. Is it possible to have the user in both domains, or are there any other alternatives?

Another option, not mentioned in the answer from Johny, would be to set up your SharePoint applications to authenticate via ADFS2.
This option is easy to set up but at the same time it's very flexible. You tell your SharePoint to trust one particular ADFS, but then you can federate your ADFS with other ADFSes on different domains or break existing federation relations. You don't touch your SharePoint once it's configured.
The relation graph would be:
Sharepoint -> (trust) -> ADFS2 on domain A -> (possible trust) -> ADFS on domain B, C, others
Technically, if ADFS2 is federated with other ADFSes, your users get an option to log in using A, B or another identity provider. The default ADFS page shows just a combo box of identity providers, but you can customize the page and show anything, like friendly images for example.
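The SharePoint side of the trust graph above, as an added PowerShell example that is not part of the original answer: it registers the domain A ADFS 2.0 instance as a trusted identity token issuer and keeps Windows authentication alongside it. The hostnames, realm, certificate path and thumbprint placeholder are assumptions, and the web application is assumed to have been created in claims mode.

```powershell
# Added example (not from the original answer). Register ADFS 2.0 in domain A as a
# trusted identity provider for a claims-based SharePoint 2010 web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsHost  = "adfs.domain-a.example"              # assumption: ADFS 2.0 server in domain A
$realm     = "urn:sharepoint:intranet"            # assumption: relying-party identifier registered on ADFS
$webAppUrl = "https://intranet.domain-a.example"  # assumption: the claims-based SharePoint web application
$certPath  = "C:\certs\adfs-token-signing.cer"    # assumption: exported ADFS token-signing certificate

# Load the token-signing certificate and check it is the one you expect before trusting it;
# whoever holds the matching private key can mint tokens SharePoint will accept.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$expectedThumbprint = "<THUMBPRINT-FROM-ADFS-CONSOLE>"   # placeholder: copy from the ADFS console
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Token-signing certificate thumbprint mismatch; refusing to create the trust."
}
New-SPTrustedRootAuthority -Name "ADFS Domain A Token Signing" -Certificate $cert

# Map the incoming claims SharePoint will use: e-mail identifies the user, role lets you
# grant SharePoint permissions to ADFS-issued group claims.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Register ADFS as a trusted identity token issuer. Federating this ADFS with domain B's
# or C's ADFS later needs no further SharePoint changes.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS Domain A" `
    -Description "ADFS 2.0 in domain A (may federate to other domains)" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl "https://$adfsHost/adfs/ls/" `
    -IdentifierClaim $emailClaim.InputClaimType

# Keep integrated Windows auth for domain A users and add the ADFS provider beside it.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$adfs    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone "Default" -AuthenticationProvider $windows, $adfs

# Verify what the farm now trusts.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, ProviderRealms, SigningCertificate
```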

Yes, you can create cross domain access, but it requires a bit of work with the servers, not code.
1. Cross domain access:
You have to create a trust between the domains. Furthermore, I believe you have to set up DNS so the users (domain B) can 'talk' to the DNS in domain A.
The trust will mean that users in domain B can authenticate in domain A and find the SharePoint site. Also remember that if there are firewalls between the domains, this needs to be taken into account. Here you can read about setting this up, but I recommend you research more before implementing this solution: http://www.quantumofgeek.com/2010/09/configure-sharepoint-to-authenticate-cross-forest-ad-users/
2. Users in both domains:
If you have the users in both domains (duplicate username/password) it will still be a different logon because of the domain name. And if users change their password, it will not be reflected in the other domain.

Related

iis - windows auth via multiple domains

I've got a server at a client set up in a test domain. Let's call it domain a. We want to allow several test users to access the application for testing purposes. They are in domain b. There do not appear to be any trust relationships between domain a and b. The application uses Windows auth. I don't have admin rights to anything in either domain there.
Questions:
Is there a way to allow a user from domain b into our application easily?
Does a trust relationship need to be set up between the two domains to get anything to work? I think so, but I don't have the authority to do this, so getting this done is going to be really hard.
TIA.
Wally

How to get users to login twice in SharePoint 2010?

I have somewhat of an odd question (for me, at least).
We have some private information a department would like to place on our SharePoint farm. The problem is, this is very sensitive information, and law demands that we have a 'two-stage' login process to secure the data.
Currently, it is housed using a system that:
A) you have to log in to our network (Windows logon screen)
B) you have to log in to the application.
Our SharePoint farm has integrated authentication enabled. Meaning, once you log in to your computer in the morning, you never have to log in to SharePoint as it already knows your credentials.
This is a problem for us. Can we enable some sort of custom SharePoint login?
Will this require a new web app for the site? A new site collection only perhaps?
Thanks,
~~Kolten
What you are looking for is called forms-based authentication. SharePoint 2010 uses claims-based authentication, and one of the providers you can configure is forms-based. Meaning they provide a user name and password.
Here is a tutorial with the steps to do; it is a relatively straightforward process. Just follow all the steps.
http://blogs.technet.com/b/mahesm/archive/2010/04/07/configure-forms-based-authentication-fba-with-sharepoint-2010.aspx
If you move your site out of the Intranet zone, then IE will automatically ask for credentials every time.
See this:
http://support.microsoft.com/kb/258063

Default logon-Domain for Sharepoint

When running SharePoint (WSS 3.0) with Windows Authentication (NTLM), external users must supply their usernames in the form DOMAIN\username. This makes sense, because you could have multiple domains, trusts between them, etc. However, in my case I only have one domain, and I want my users to be able to log on with their pure username only. Is there any way to configure SharePoint with a default logon domain to get this to work?
Changing the authentication to basic or forms is not an option for me.
That's a Windows/IIS issue rather than something specific to SharePoint.
You can find a more detailed explanation at http://forums.iis.net/t/1151401.aspx, but basically it's impossible due to the design of integrated authentication - the client has to know the domain before the server is contacted.
The closest you get to a default domain is local logins on the server - potentially a solution if users are truly external.
Realize that some browsers can be configured to automatically provide NTLM credentials. For example, IE can do this. I believe by default it will for sites in the Local Intranet and maybe even for Trusted sites (if not, you can change it so it will).
There is software out there for pushing these settings (policies) out to users if their computer is a part of your domain.

SharePoint (WSS) Authentication Across Multiple Domains

First, a little background: We have an intranet site based on WSS 3.0 that is hosted on a server in DOMAIN_A.LOCAL and set up to use Integrated Windows Authentication to authenticate users against Active Directory user accounts of DOMAIN_A.LOCAL.
This setup works just fine for users who are logged into Windows using an AD account from DOMAIN_A.LOCAL, but when users try to access the site from a PC logged into Windows using an AD account from a different domain (i.e. DOMAIN_B.LOCAL) the following problems occur:
The user must manually enter their credentials as DOMAIN_A\UserName rather than just UserName because otherwise, Internet Explorer automatically inserts DOMAIN_B and causes authentication to fail.
Once logged in, if the user does something that requires the browser to pass their authentication through to a client app, such as clicking on a Microsoft Office document in a document library in order to open it for editing, it appears that invalid credentials (presumably DOMAIN_B) are passed automatically, thus forcing the user to manually enter their DOMAIN_A credentials again.
My question, then is this:
Is there any way to implement a "default domain" type of behavior when using Integrated Windows Authentication (as can be done when using Basic clear text authentication) so that if a user on DOMAIN_B does not enter a domain before their user name, DOMAIN_A is inserted automatically for them?
Of course, I realize this deployment may be fatally flawed, so I am also open to suggestions for a different implementation.
In summary, the main problem stems from two different kinds of users needing to access the same content on one SharePoint site. The users in DOMAIN_A all have their own full-time workstations where they log into Windows as themselves. The users in DOMAIN_B unfortunately have to use shared computers that are logged on using generic "kiosk" type accounts that have no permissions in SharePoint -- thus the requirement that the DOMAIN_B users must provide their credentials on demand when accessing a given page in SharePoint. I would like to preserve the convenience of the Integrated Windows Authentication for the "static" users of DOMAIN_A while minimizing the amount of manual authentication that the "kiosk" users in DOMAIN_B have to endure.
DOMAIN_A.LOCAL must trust DOMAIN_B.LOCAL, otherwise users from DOMAIN_B.LOCAL will receive a credential prompt since their DOMAIN_B.LOCAL account is unknown within DOMAIN_A.LOCAL.
Given that DOMAIN_B.LOCAL is for kiosk users, you probably do not want to trust this domain.
You will need to extend the web application into a new zone and either implement forms based authentication, or use Windows Authentication with a reverse proxy such as ISA server.
I was searching the internet for SharePoint user accounts with multiple domains and came across an interesting tool called Microsoft Front End Identity Manager. Have you heard of it?
So... if you're using a multi-forest deployment, user accounts are distributed across two or more forests. This is often seen when two organizations merge and need to access domains from both organizations. You can use the distinguished name (ms-ds-Source-Object-DN) attribute in the user object to create an association between the user accounts. In this association one account is considered the primary account and the others are the alternates of the primary account. There is a tool called Microsoft Front End Identity Manager to create this relationship between user account objects. One feature of Microsoft Front End Identity Manager is that SharePoint Server can maintain a list of alternate accounts by which the profile is identified. When you use either account to find the profile of a user, SharePoint Server returns the primary account profile, for example (domain\username).
Probably not what you want to hear, but you may want to resort to forms based authentication.
Unfortunately, if you want to retain the Microsoft Office integration (which is what it seems you want), you will have to stick with Windows Authentication. Using Forms Authentication will remove most of the features you seem keen to preserve; there is more information here.
Ideally you want to use the suggestion that Jason mentioned, which would be some sort of reverse proxy. However there would probably be a cost implication if you don't already have something like ISA server, so in reality it's probably best for the DOMAIN_B's to learn to type DOMAIN_B\ before their username.

How can I take control of my domain that is registered to me but controlled by web developers?

I've got a problem where I have a .co.uk domain of which I am the registrant but my web developers control the domain via easyspace.com. I'm not using the web developers anymore and it ended on bad terms so I would like to change my domain to another registrar without getting them involved. Does anyone know how I can do this?
Thanks
In order to do anything with your domain, you need to be a registered user for it. For every domain, there are 4 types of registered user:
Registrant/Owner
Administrative Contact
Billing Contact
and Technical Contact
If you do a whois look-up of your domain name you can see if you are one of those registered users.
If you are, you should be able to contact the Registrar of record (i.e. GoDaddy, Network Solutions, GKG, etc.) and gain an account control login if you do not already have a login for them.
Once you have an account, you can change the name servers, thereby pointing your site to a different server than it is currently, or initiate a transfer to a new registrar (which costs money - typically the price of a 1-year registration).
Tell them to give you control of it. You're not asking them to do something for you, you're just demanding them to hand over what's yours (assuming the domain is yours).
If you own the domain name, you should be able to change the information with the registrar to point it at another hosting service or your own.
Change your domain host to point to a new name server that you control.
You may lose your web site code but can always start afresh.