
In my company we have a very complex infrastructure.
We are from a subcompany, and we have an Active Directory domain configured on our PCs. Besides that, all of us have a directory account for the main company to access some resources and websites from the main company, and another directory account for accessing some resources from another subcompany.


Our subcompany domain is not in the main company forest and cannot be changed, and we cannot enable a trust between the domains or change the main company resources; enterprise policy :(
What we would like to do is create some kind of browser component or Windows service to map our company account to the main company account, so that computer users do not have to enter main company credentials every time they access resources (all main company resources use Windows authentication).
We cannot use shadow accounts, because the usernames are not the same.

I see the online ID providers feature in Windows 7, and I don't know if we can use that for Windows authentication in browsers, to map different accounts.

Does any of you have an idea of where we could start? Or some kind of solution for this problem? Thanks for all.

ServerFaulter
  • Instead of simply using Active Directory as it was intended, your company wants to engineer an unnecessary solution to a self-inflicted problem that would add more complexity. What is the downside to just leaving it the way it is? Save your company money and stop doing this kind of stuff. – Greg Askew Jan 16 '13 at 12:36
  • What is preventing you from setting up a trust between the two domains? If it is a policy of the company, you should push for *why* this is in place. In my eyes, you're either part of the company or you're not. – jimbobmcgee Jan 16 '13 at 12:40
  • Even if you could accomplish what you are seeking here, this will not handle the syncing of computer accounts with the other company's domain. This could potentially prevent basic Windows services from operating as designed (in a trust relationship). – Brent Pabst Jan 16 '13 at 13:44
  • We could leave it that way, there is no problem; we are just finding a way to help workers and save their time. We are a part of the company, but only for what they want. The syncing of accounts is not a problem, we don't care about that. – EsteveBlanch Jan 16 '13 at 14:00

2 Answers

2

AD Federation Services is a way to give users from domain X access to resources in domain Y without requiring a trust. It may not fit all of your requirements, but it's just about the only thing that can come close.

mfinni
0

The recommended approach would be to establish an appropriate trust relationship to enable secure and convenient access.

You could consider establishing a uni-directional or bi-directional trust relationship (based on your authentication needs) or alternatively, if you wish to maintain autonomy and isolation, you could consider converting each domain into its own forest and then establishing a cross-forest trust.

If you do not wish to make any such changes to your AD design, you could use AD's federation services to enable secure access between the two domains.

AntoineF
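A worked example of the trust-based route described in the two answers, added here and not taken from either answer or from the asker's environment. It assumes the RSAT ActiveDirectory module is installed on a domain-joined admin workstation; the forest name, the credential and the trust direction are placeholders. The first function audits the trusts the domain already has, including the two settings that decide how far a partner forest's identities are accepted (selective authentication and SID filtering); the second creates a one-way forest trust with the .NET `System.DirectoryServices.ActiveDirectory` API, which is what the "cross forest trust" in the answer amounts to once both sides are separate forests.

```powershell
# Added example for this thread (not code from either answer): audit existing
# trusts of the current domain, and create a forest trust if policy allows it.
# Forest names, credentials and the chosen direction are placeholders.
Import-Module ActiveDirectory

# List every trust of the current domain together with the settings that
# control how much of the partner's identity information you accept.
function Get-TrustAudit {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                 = $_.Name
            Direction               = $_.Direction               # Inbound / Outbound / BiDirectional
            ForestTransitive        = $_.ForestTransitive        # $true for a forest trust
            SelectiveAuthentication = $_.SelectiveAuthentication # only explicitly allowed remote principals may authenticate here
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined # SID filtering on external trusts
            SIDFilteringForestAware = $_.SIDFilteringForestAware # SID filtering setting on forest trusts
        }
    }
}

# Create a one-way forest trust so that users of the *remote* forest can reach
# resources in *this* forest. Direction is relative to the calling forest:
# Inbound = this forest trusts the remote one. Use Outbound for the reverse and
# Bidirectional for both. For the asker's case (subcompany users reaching main
# company resources) the Inbound trust would be created on the main company's
# forest, with the subcompany forest as the remote side.
function New-CrossForestTrust {
    param(
        [Parameter(Mandatory)] [string]       $RemoteForest, # e.g. 'sub.example' (placeholder)
        [Parameter(Mandatory)] [pscredential] $RemoteAdmin   # admin credential for the remote forest
    )
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $RemoteForest,
        $RemoteAdmin.UserName,
        $RemoteAdmin.GetNetworkCredential().Password
    )
    $remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Creates the trust on both sides in one call (needs admin rights in both forests).
    $local.CreateTrustRelationship($remote,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound)

    # Tighten it afterwards: with selective authentication, remote users can only
    # authenticate to servers where they were explicitly granted "Allowed to
    # Authenticate", e.g.
    #   netdom trust <local forest> /d:<remote forest> /SelectiveAuth:yes
}

# Run the audit; review any trust that shows SelectiveAuthentication = False.
Get-TrustAudit | Format-Table -AutoSize
```

The audit is the part worth running even if the trust is never created: it shows whether any trust that already exists accepts the partner forest's SIDs unfiltered or lets every remote principal authenticate, which is the exposure a trust adds compared with the per-resource scope of a federation setup.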