Alternatives to Domain Trust for SSO

  • Question

  • Hey everyone,

    The company I work for currently has a datacentre which intrinsically relies on NAT/PAT to maintain customer IP address space separation when talking externally (e.g. VPN'd customer sites). In the datacentre it's not a problem as we control all the IP space.

    Every few months we hit an issue where a customer wants to implement SSO and therefore a domain trust between their sites. Until now (with one exception) we've always said no, as it's not supported by MS (KB978772) to implement domain trusts over NAT and we don't want to pollute our IP address space with customer routes.

    To clarify, within the datacentre all our customer hosting has a trust with our management domain; it's the hosted domain trusting (or even joining) the customer's own domain that is causing the problem.

    I've looked at ADFS and from what I've seen it looks overly convoluted for what we need, which is simply to be able to authenticate users natively on arbitrary applications without requiring custom code or add-ons, for example Hosted Exchange, where the user isn't prompted multiple times for the same credentials once they've logged into their workstation.

    Without a radical redesign of our datacentre, I'm curious as to whether anyone else has come across this and has a solution.

    I'm mostly coming at this from the network rather than the server perspective, so apologies in advance if my knowledge of MSAD is rather limited.

    Thanks in advance

    Tuesday, June 25, 2013 5:07 PM