Duplicate user for Intranet and Internet Domains


  • Hi,

    Am working on a Portal with Intranet and Internet Access.

    For Intranet users authentication is against AD domains. This part is fine.

    For Internet users - The Security policies don't allow authentication against the AD which is in the internal network. There is a copy of AD in the DMZ tier against which the authentication has to happen. But then, the domain is completely different. We have not reached the stage of setups yet, but am afraid this would mean that because of separate domains in the internal network and DMZ network, the user would be treated as a different user when logging in on Intranet vs. Internet.

    Has anyone seen this before - any thoughts/guidance would be helpful.



    Tuesday, September 24, 2013 1:24 PM


All replies

  • Hello,

    I think having 2 ADs (1 original and 1 copy) will definitely create 2 different credentials for a single user. There are other options to avoid 2 credentials for 1 user, such as:

    1. Set up a one-way trust from the external domain to the internal domain
    2. Use Azure AD FS (see
    3. Create a custom STS for external users that will inject custom claim properties, and use the claims for user/group management. (see

    I hope it gives you some clue. 

    Best regards,

    Riwut Libinuko
    SharePoint Architect, Singapore
    Microsoft MVP | SharePoint Server | Singapore
    Blog :

    Tuesday, September 24, 2013 2:45 PM
  • Thanks for your reply -

    Can you please elaborate on how the option 3 would work?

    Also, please suggest if anyone else can advise some other ways.



    Wednesday, September 25, 2013 5:49 PM
    I did confirm that there is a one-way trust from the external domain to the internal domain. Am not sure if that can help users authenticate against the internal AD. Can someone please help confirm?


    Monday, September 30, 2013 12:16 AM
    That means users on the internal domain can authenticate to services on the external domain. If SharePoint was hosted on the external domain, that would mean you would need to configure each Web Application to allow authentication against the internal domain:

    Trevor Seward, MCC

    Follow or contact me at...

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, September 30, 2013 12:34 AM
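The per-web-application step mentioned in the reply above, shown as an added PowerShell example (not code from the thread or from Microsoft): on a SharePoint 2013 farm hosted in the external (DMZ) domain that has a one-way trust to the internal domain, the People Picker must be given explicit credentials for the internal domain, because across a one-way trust the farm servers cannot query it with their own machine identity. The web application URL, the domain name and the lookup account below are assumptions; use a dedicated read-only account in the internal domain, not a privileged one.

```powershell
# Added example, not from the original thread.
# Assumed values: portal URL, internal domain DNS name, low-privilege lookup account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "https://portal.example.com"   # assumption
$internalDomain = "corp.internal"                # assumption: trusted internal domain (DNS name)
$lookupAccount  = "CORP\svc-peoplepicker"        # assumption: read-only account in the internal domain

# The stored credential is encrypted with the farm's application password, which
# must first be set to the same value on every server in the farm:
#   stsadm -o setapppassword -password <same key on every server>

$wa = Get-SPWebApplication $webAppUrl

# Idempotent: skip if this domain is already registered for the web application
$existing = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Where-Object { $_.DomainName -eq $internalDomain }

if (-not $existing) {
    $domain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $domain.DomainName = $internalDomain
    $domain.IsForest   = $false              # single domain, not a whole forest
    $domain.LoginName  = $lookupAccount
    # Prompt for the password rather than embedding it in the script
    $domain.SetPassword((Read-Host -AsSecureString "Password for $lookupAccount"))
    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($domain)
    $wa.Update()
}

# Verify what the web application will now search
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName
```

Run this once per web application that should resolve internal-domain users. It only lets the external-hosted farm find and grant access to internal accounts; the duplicate-identity problem from the original question is avoided only because users then authenticate with their single internal-domain account over the trust, rather than with a second account in the DMZ copy.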