Allowing access to an AD domain for users in another AD domain

  • Question

  • Hi,

    I am currently simulating 4 organizations in a virtual machine environment, meaning I have 4 distinct domains, and I have IBM Websphere Process/Lombardi Server on 1 domain. All machines are running Windows Server 2008 Datacenter SP1. I have configured Websphere to allow access to the applications it is hosting to all Active Directory users.

    My goal is to also grant access to the Websphere Process Server users in other domains through the existing AD of the machine so that I have a single point of managing all my Websphere users.

    I was looking at AD FS 1.1 and I tried the sample from the Microsoft website.  The concept of assigning users in another AD to a global-security group and federating that group to grant access to a web service in IIS meets my needs but since I am using IBM Websphere as my web server I was hoping I can do the same without IIS.

    So my question is: what are the suggested ways to go about this so that AD users from another domain can be granted access to the current domain using the same credentials they have in their domain? (e.g. Websphere is in Domain A and I need the AD of Domain A to include the users in Domain B so that both Domain A and B users can log in and use Websphere stuff)

    Thanks.

    Saturday, June 25, 2011 8:35 PM

All replies

  • Hello,

    You can create a trust relationship between domain A and domain B so that users of the first domain can be granted access to resources of the other domain.

    More here: http://technet.microsoft.com/en-us/library/cc977993.aspx


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

     

    Saturday, June 25, 2011 8:48 PM
  • Hi ,

    Are both domains in the same forest or in different forests?

    To create a Forest Trust

    http://technet.microsoft.com/en-us/library/cc754626.aspx

    To understand when to create forest trust

    http://technet.microsoft.com/en-us/library/cc771397.aspx

    Sunday, June 26, 2011 4:08 AM
    ADFS doesn't require a trust relationship; it requires a SAN/UCC certificate.

    You can use Peoplepicker for searching for users in a different forest and assigning permissions.

    http://blogs.msdn.com/b/joelo/archive/2007/01/18/multi-forest-cross-forest-people-picker-peoplepicker-searchadcustomquery.aspx

    Setting up an ADFS lab environment - Part 1

    http://blogs.technet.com/b/adfs/archive/2007/02/26/setting-up-an-adfs-lab-environment-part-1.aspx

    ADFS

    http://blogs.technet.com/b/adfs/

    If you want to use a trust relationship, configure a two-way forest trust relationship.

    Creating Forest Trusts

    http://technet.microsoft.com/en-us/library/cc776940%28WS.10%29.aspx

    Domain and Forest Trust Tools and Settings

    http://technet.microsoft.com/en-us/library/cc756944%28WS.10%29.aspx

    Regards


    Awinish Vishwakarma

    Sunday, June 26, 2011 7:17 AM
    Thanks for your replies. OK, so now I have established a two-way forest trust between my 2 domains. During the creation of the trust, I chose selective authentication for both sides.

    After that I went to AD Users and Computers and I created a Universal/Security Group in Domain A (UniSecGroupA) and another in Domain B (UniSecGroupB). I added some users in Domain B to be members of (UniSecGroupB). Then I tried to make the group (UniSecGroupB) a member of (UniSecGroupA), but every time I select the other forest and enter admin credentials, it says it can't find (UniSecGroupA) in that forest.

    Please advise the proper way of doing it if I am doing it wrong.

    Thanks.

    Wednesday, July 6, 2011 7:37 PM
    You can't add a universal group of one forest to be a member of a universal group in another forest.

    Universal groups from any domain within the forest in which this Universal Group resides

    http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx

     

    Regards


    MVP-Directory Services

    Awinish Vishwakarma

    Thursday, July 7, 2011 4:35 AM
  • Hi,

    As Awinish said, "You can't add a universal group of one forest to be a member of a universal group in another forest."

    I suggest you create a domain local group (in domain A) and add the universal group of domain B to it.

    Please let us know the result.


    Thursday, July 7, 2011 11:29 AM
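The two replies above come down to Active Directory's group-scope nesting rules: a universal group only accepts members from its own forest, while a domain local group accepts users, global and universal groups from any trusted domain. The following Python is an added illustration written for this page (not Microsoft's code, and it does not talk to a directory); it encodes those rules and replays the thread's scenario. The forest names contoso.com and lawfirm.com are taken from the DNs mentioned later in the thread, and a two-way forest trust is modelled simply as a pair of forest names; selective authentication and external (non-forest) trusts are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # "user", "global", "universal" or "domainlocal"
    domain: str    # DNS name of the domain the object lives in
    forest: str    # DNS name of the forest root domain

GROUP_KINDS = {"global", "universal", "domainlocal"}

def can_nest(member: Principal, target: Principal,
             forest_trusts: Set[FrozenSet[str]]) -> Tuple[bool, str]:
    """Decide whether `member` may be added to the group `target`.

    `forest_trusts` holds frozenset({forestA, forestB}) for each pair of
    forests joined by a two-way forest trust (a simplification for this example).
    Returns (allowed, reason) so callers can explain a refusal.
    """
    if target.kind not in GROUP_KINDS:
        raise ValueError(f"{target.name} is not a group")
    same_domain = member.domain == target.domain
    same_forest = member.forest == target.forest
    trusted = same_forest or frozenset({member.forest, target.forest}) in forest_trusts

    if target.kind == "global":
        # Global groups: users and global groups from their own domain only.
        if member.kind in {"user", "global"} and same_domain:
            return True, "global group accepts users/global groups from its own domain"
        return False, "global groups accept members only from their own domain"

    if target.kind == "universal":
        # Universal groups: users, global and universal groups from any domain
        # in the same forest; nothing from a foreign forest, trust or not.
        if member.kind in {"user", "global", "universal"} and same_forest:
            return True, "universal group accepts members from any domain in its forest"
        return False, "universal groups cannot contain members from another forest"

    # Domain local groups: users, global and universal groups from any trusted
    # domain; other domain local groups only from the same domain.
    if member.kind == "domainlocal":
        return same_domain, "domain local groups nest only same-domain domain local groups"
    if member.kind in {"user", "global", "universal"} and trusted:
        return True, "domain local group accepts members from any trusted domain"
    return False, "no trust path from the group's forest to the member's forest"

def thread_scenario() -> Dict[str, Tuple[bool, str]]:
    """Replay the thread: UniSecGroupB (lawfirm forest) into groups in the contoso forest."""
    trusts = {frozenset({"contoso.com", "lawfirm.com"})}   # the two-way forest trust
    uni_a = Principal("UniSecGroupA", "universal", "contoso.com", "contoso.com")
    uni_b = Principal("UniSecGroupB", "universal", "lawfirm.com", "lawfirm.com")
    dl_a = Principal("WebSphereAdmins-DL", "domainlocal", "contoso.com", "contoso.com")  # constructed name
    return {
        "universal_in_universal": can_nest(uni_b, uni_a, trusts),   # what failed in the thread
        "universal_in_domainlocal": can_nest(uni_b, dl_a, trusts),  # what the reply recommends
        "without_trust": can_nest(uni_b, dl_a, set()),              # same nesting, no trust at all
    }

if __name__ == "__main__":
    for case, (ok, why) in thread_scenario().items():
        print(f"{case}: {'allowed' if ok else 'refused'} ({why})")
```

Only the domain local path succeeds, and it still needs the trust in place; that matches the outcome reported in the next reply.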
  • Yes, placing the Universal Group of Domain B in a Domain Local Group in Domain A worked.

    My follow-up question concerns what happens after this has been done. I logged in to the IBM Websphere Administrative Console and gave the Domain Local Group Administrator privileges to the IBM Websphere Application Server. However, it seems that I still cannot log in using the credentials of Domain B in Websphere.

    Websphere seems to be using LDAP and fully distinguished names.  The screenshots and information regarding configuring AD in Websphere can be found here in the LDAP section of the article: http://www.ibm.com/developerworks/websphere/techjournal/0701_ilechko/0701_ilechko.html

    I have no problems assigning roles to user groups in Domain A itself.  But for the trusted forest users, it doesn't seem to work. 

    I also tried adding another base entry realm so that my single AD containing both Domain A & B users are covered (e.g. Domain A Repository: dc=contoso,dc=com AND Domain A Repository: dc=lawfirm,dc=com --> for the forest trust users) but it ended up locking the whole Websphere system security and I had to reset it.

    Any suggestions or ideas on how to go with LDAP and the use of DN's for AD so that the Forest trust will work in this scenario or is this really a limitation where forest trust can't be applied?

    Thanks.

    Thursday, July 7, 2011 2:13 PM
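The last post touches on why the trusted-forest users are invisible to Websphere: an LDAP repository is bound to a base entry such as dc=contoso,dc=com, and a user whose DN ends in dc=lawfirm,dc=com simply does not fall under it, regardless of group membership. The Python below is an added example for this page, not WebSphere or IBM code; it shows the DN-suffix check a federated configuration performs when routing an entry to a base entry, and flags overlapping base entries (a design choice of this example, useful when reviewing a configuration like the one that locked up). The user DNs are constructed samples built on the two base entries named in the post.

```python
from typing import List, Optional, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) RDNs, leftmost first.

    Backslash-escaped commas inside values are honoured; multi-valued RDNs
    (a+b=...) are not needed for this example. Attribute names and values are
    lower-cased because DC and CN matching in AD is case-insensitive.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed

def is_under(dn: str, base: str) -> bool:
    """True when `dn` is `base` itself or lies beneath it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def route(dn: str, base_entries: List[str]) -> Optional[str]:
    """Return the most specific configured base entry containing `dn`, or None.

    None is the interesting case: the entry is reachable through the trust,
    but no repository in the realm claims its DN, so a lookup by DN fails.
    """
    matches = [b for b in base_entries if is_under(dn, b)]
    return max(matches, key=lambda b: len(parse_dn(b))) if matches else None

def overlapping(base_entries: List[str]) -> List[Tuple[str, str]]:
    """Pairs (narrower, wider) where one base entry sits inside another."""
    return [(a, b) for a in base_entries for b in base_entries
            if a != b and is_under(a, b)]

# Constructed realm: one base entry per forest, as the post describes.
BASE_ENTRIES = ["dc=contoso,dc=com", "dc=lawfirm,dc=com"]

if __name__ == "__main__":
    for user in ["CN=Bob,OU=Staff,DC=contoso,DC=com",            # constructed
                 "cn=Jane Smith,ou=Users,dc=lawfirm,dc=com",     # constructed
                 "cn=Nobody,dc=fabrikam,dc=com"]:                # constructed, outside both
        print(f"{user} -> {route(user, BASE_ENTRIES)}")
    print("overlaps:", overlapping(["dc=com"] + BASE_ENTRIES))
```

Running it shows the contoso and lawfirm users each landing in their own base entry, the fabrikam user routing nowhere, and a base entry of dc=com being reported as enclosing both others. A realm that contains a base entry for each forest is what lets a DN from the trusted forest resolve at all; the group grant on the Websphere side only matters once the DN itself can be found.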