Active Directory Domain Trust(s)
-
We have an application (yes, "that" application, if you saw my earlier XenServer post) that many external agencies access for various reasons. This application uses AD authentication, so we have to create AD accounts for all external users. This was fine, except the number of external users has grown to the hundreds, and people cannot seem to figure out how to use our, what I feel is a very straightforward, password self-service portal (PWM), or they simply refuse. So we have a never-ending flow of "need my password reset" requests coming from them.
These external agencies use AD as well, which makes us wonder if a domain trust is the answer. The idea being that these external agencies can manage their own accounts and we'd simply grant/deny access to the application.
This sounds wonderful. However, I've never established a domain trust before. Instead of diving in head first with any of the external agencies, I want to test this locally. I've set up a test DC with a test domain. I'd like to establish trust between it and our production domain.
Can you guys point me to some great resources on basically a "crash course" in domain trusts? Something that'll walk me through the process would be great, too.
For what it's worth, our production AD is Windows 2008 R2. The test DC/Domain is running Server 2012 R2.
Thanks!
-
AWWW... there is something other than a trust that I just can't remember the name of that does what you want here.
The accounts are created on their domain, and through this service, you can grant those accounts access to your stuff....
AWWW what is it called (I think it starts with an F, but I could be wrong)
-
@Dashrender Are you referring to domain federation?
-
@anthonyh said:
@Dashrender Are you referring to domain federation?
YES! Federation services!!!!
You are the man!
-
@Dashrender Well, I know the term, but know nothing about it.
Trust vs Federation is another thing I'll need to research.
-
@anthonyh said:
@Dashrender Well, I know the term, but know nothing about it.
Trust vs Federation is another thing I'll need to research.
Trust as I understand it is really only for internal company components. Federation is the ability for your system to use portions of someone else's authentication system to secure parts of yours - i.e. your application can use the username/passwords from the other company, allowing the other company to be responsible for enabling/disabling accounts, etc.
-
@Dashrender Well, from a quick search, it looks like the application needs to be "claims-aware" for federation to work. I don't know if the application in question is claims-aware. I'll have to find out.
I know you can establish what are called "external" trusts, which is what I was going to aim for. It's not a matter of connectivity. We have private connections to the agencies in question, so it would just be a matter of appropriately adjusting our firewall for whatever is needed for the domain trust and/or federation.
-
I would think Federation would be the preferred way, but I haven't researched it enough to know for sure.
-
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
-
@anthonyh said:
@Dashrender Well, from a quick search, it looks like the application needs to be "claims-aware" for federation to work. I don't know if the application in question is claims-aware. I'll have to find out.
I know you can establish what are called "external" trusts, which is what I was going to aim for. It's not a matter of connectivity. We have private connections to the agencies in question, so it would just be a matter of appropriately adjusting our firewall for whatever is needed for the domain trust and/or federation.
Yeah - Claims-aware, that sounds familiar. I read about Federation Services a year or two ago. Really liked the options it could grant. Sadly it seems no one is offering its use.
To bring it into an existing application would probably require a non trivial amount of back end work.
-
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
-
It may be worth reporting the end users who continuously ask to have their passwords reset to their respective managers (even if they are employees of the other company).
I say this because if EmployeeA from the other company leaves and they never disable that employee's account, they potentially still have access to your stuff after they are no longer employed. If you have a website that helps them reset their passwords... They should be directed to it... Every. Single. Time. Hold their hands a few times and let THEM do the password reset while you watch over their shoulder or do a screen sharing session.
The end users never learn anything if we just keep doing it for them.
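The orphaned-account risk dafyre raises (a leaver at the other agency whose account nobody tells you about) is something you can at least detect on your side. The following is an added example, not something posted in the thread: a read-only report of enabled accounts in the OU holding external users that have not logged on for a given number of days. It assumes the ActiveDirectory RSAT module, and the OU distinguished name is a placeholder you would replace with your own.

```powershell
# Added example (not from the thread): report enabled external-agency accounts
# that have been inactive for a given period, so leavers the partner never
# reported can be reviewed and disabled. Assumes the ActiveDirectory RSAT
# module; the SearchBase below is a placeholder for your own OU.
Import-Module ActiveDirectory

function Get-StaleExternalAccounts {
    param(
        [string]$SearchBase   = 'OU=External Users,DC=prod,DC=com',  # placeholder OU
        [int]   $InactiveDays = 90
    )

    # Search-ADAccount evaluates lastLogonTimestamp, which replicates to every
    # DC but is only refreshed when it is more than roughly 14 days stale, so
    # read the result as "at least this inactive", not an exact figure.
    Search-ADAccount -AccountInactive `
                     -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) `
                     -UsersOnly `
                     -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties LastLogonDate, Company, Manager, whenCreated |
        Sort-Object LastLogonDate
}

# Review first; disabling is a separate, deliberate step (-WhatIf shows what
# would happen without changing anything):
Get-StaleExternalAccounts |
    Format-Table SamAccountName, Company, LastLogonDate, whenCreated -AutoSize
# Get-StaleExternalAccounts | Disable-ADAccount -WhatIf
```

Populating the Company (or Manager) attribute when the external accounts are created makes this report directly useful, since it then groups leavers by agency and tells you who to ask.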
-
-
@Jason said:
@anthonyh said:
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
Because it is a Trust.. With something you have no control over. Not really something I'd recommend doing.
So, if we were to establish a one way external trust with one of the external agencies, what sort of control would that external agency have that I cannot control?
-
@dafyre said:
It may be worth reporting the end users who continuously ask to have their passwords reset to their respective managers (even if they are employees of the other company).
I say this because if EmployeeA from the other company leaves and they never disable that employee's account, they potentially still have access to your stuff after they are no longer employed. If you have a website that helps them reset their passwords... They should be directed to it... Every. Single. Time. Hold their hands a few times and let THEM do the password reset while you watch over their shoulder or do a screen sharing session.
The end users never learn anything if we just keep doing it for them.
This is a big issue. We have a Self service portal. And require a new password every 90 days.
-
@anthonyh said:
@Jason said:
@anthonyh said:
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
Because it is a Trust.. With something you have no control over. Not really something I'd recommend doing.
So, if we were to establish a one way external trust with one of the external agencies, what sort of control would that external agency have that I cannot control?
Pretty sure One Way trusts don't exist anymore. I think those went out in 2003.
-
@Dashrender said:
@anthonyh said:
@Jason said:
@anthonyh said:
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
Because it is a Trust.. With something you have no control over. Not really something I'd recommend doing.
So, if we were to establish a one way external trust with one of the external agencies, what sort of control would that external agency have that I cannot control?
Pretty sure One Way trusts don't exist anymore. I think those went out in 2003.
Actually, I just set one up between my test DC (we'll call it test.com) and our production domain (we'll call it prod.com).
I was able to set up a trust so that prod.com trusts test.com, but test.com does not trust prod.com. I was also able to set it up as selective authentication which, if I understand the description properly, means they cannot authenticate to any resource unless specifically allowed. Not sure if that'll work for the app in question, but hey it's worth a shot!
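Before repeating the test.com setup with a real agency, it is worth confirming from the production side that the trust object actually carries the properties described above (one-way, selective authentication) and that SID filtering is still on. The following is an added example, not something posted in the thread: a read-only audit of the trust objects visible from the domain it is run in. It assumes the ActiveDirectory RSAT module from Windows Server 2012 or later (Get-ADTrust is not in the 2008 R2 module), so run it from the 2012 R2 test DC or a management host; the Direction comments follow the definition of the trustDirection attribute on the trustedDomain object.

```powershell
# Added example (not from the thread): read-only audit of domain trusts,
# flagging the settings discussed above (direction, selective authentication)
# plus SID filtering. Assumes the ActiveDirectory module from Windows Server
# 2012 or later; -Server is optional and defaults to the current domain.
Import-Module ActiveDirectory

function Get-TrustAudit {
    param([string]$Server)

    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    # One trustedDomain object is returned per trust partner.
    foreach ($t in Get-ADTrust @query) {
        # Direction is relative to the domain being queried:
        #   Outbound      = this domain trusts the partner; partner accounts can
        #                   be granted access to resources here
        #   Inbound       = the partner trusts this domain
        #   BiDirectional = both
        $findings = @()

        if ($t.Direction -eq 'BiDirectional') {
            $findings += 'two-way trust: our accounts also have a path into the partner domain'
        }
        # Selective authentication lives on the trusting (outbound) side; when
        # it is off, any partner account may authenticate to any computer here.
        if ($t.Direction -ne 'Inbound' -and -not $t.SelectiveAuthentication) {
            $findings += 'domain-wide authentication: partner accounts are not limited to explicitly allowed computers'
        }
        # SID filtering (quarantine) is on by default for external trusts and
        # stops a partner from presenting SIDs that belong to this domain.
        if (-not $t.IntraForest -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering quarantine disabled on an external trust'
        }

        [pscustomobject]@{
            Partner                 = $t.Target
            Direction               = $t.Direction
            TrustType               = $t.TrustType
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            Findings                = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustAudit | Format-List
```

For the prod.com trusts test.com case, run from prod.com you would expect Direction to be Outbound, SelectiveAuthentication True and SIDFilteringQuarantined True, with no findings. The secure channel itself can be checked with the built-in `netdom trust prod.com /d:test.com /verify` from a prod.com DC.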
-
@anthonyh said:
@Dashrender said:
@anthonyh said:
@Jason said:
@anthonyh said:
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
Because it is a Trust.. With something you have no control over. Not really something I'd recommend doing.
So, if we were to establish a one way external trust with one of the external agencies, what sort of control would that external agency have that I cannot control?
Pretty sure One Way trusts don't exist anymore. I think those went out in 2003.
Actually, I just set one up between my test DC (we'll call it test.com) and our production domain (we'll call it prod.com).
I was able to set up a trust so that prod.com trusts test.com, but test.com does not trust prod.com. I was also able to set it up as selective authentication which, if I understand the description properly, means they cannot authenticate to any resource unless specifically allowed. Not sure if that'll work for the app in question, but hey it's worth a shot!
Let us know what you figure out.
-
@Jason said:
@dafyre said:
It may be worth reporting the end users who continuously ask to have their passwords reset to their respective managers (even if they are employees of the other company).
I say this because if EmployeeA from the other company leaves and they never disable that employee's account, they potentially still have access to your stuff after they are no longer employed. If you have a website that helps them reset their passwords... They should be directed to it... Every. Single. Time. Hold their hands a few times and let THEM do the password reset while you watch over their shoulder or do a screen sharing session.
The end users never learn anything if we just keep doing it for them.
This is a big issue. We have a Self service portal. And require a new password every 90 days.
If that is the case, then your end-users should well know how to reset their password in the Self Service Portal.
-
@dafyre said:
@Jason said:
@dafyre said:
It may be worth reporting the end users who continuously ask to have their passwords reset to their respective managers (even if they are employees of the other company).
I say this because if EmployeeA from the other company leaves and they never disable that employee's account, they potentially still have access to your stuff after they are no longer employed. If you have a website that helps them reset their passwords... They should be directed to it... Every. Single. Time. Hold their hands a few times and let THEM do the password reset while you watch over their shoulder or do a screen sharing session.
The end users never learn anything if we just keep doing it for them.
This is a big issue. We have a Self service portal. And require a new password every 90 days.
If that is the case, then your end-users should well know how to reset their password in the Self Service Portal.
And our technicians never get tickets for that either.. Sorry. I couldn't even keep a straight face typing that.