What is the correct authentication mechanism when there are users inside and outside the domain?

Question

We have a Windows 7 enterprise desktop data entry app for mobile (laptop) users with local SQL Express 2008 R2 Express db that syncs data with an SQL Server 2008 R2 Server db. Users may go off network/offsite and still view and enter data. Data syncs with the server when network connection is established again. Authentication is required before syncing the data.

The existing group of users are part of the organisation's domain and they connect directly to the Sql Server.

But there are now plans for a second group of app users who belong to various partner organisations so they are outside our domain and have their own various separate domains/accounts. The aim is to deploy the desktop app to them and they will periodically sync data to our SQL Server.

What I am uncertain of: Is it possible to authenticate users from another domain? Can permissions be managed via Active Directory etc?

Which authentication protocol should be used in this scenario? Windows, Forms, SQL, etc?

The IT people are requesting that if possible users of the system be managed via Active Directory. Is it possible to manage the external domain users access via Active Directory?

Answer 1

The issue you are facing is because of the authentication. The application asks for SQL server authentication. Your need to provide SQL serer authentication instead of windows authentication else the SQL server will not work in case any other user will log into the same system or the Admin will get logged out and hence, the application will give issues.

If you want to manage your external domain while using active directory you can use a third party tool as because the authentication is less when its been used from windows and sql server both.

Answer 2

If you cannot setup trust between domains there is no way you can authenticate users from external domain against your AD.

Its not clear from your question how clients will access your server, direct connection, wsdl web services, WCF, web interface (soap) etc ...

In case you would use web services, you can create authentication / synchronization interface. Authentication method will accept credential and authenticate it against your AD (i.e. using LDAP). Once authenticated, web service can impersonate as that user and use SSPI to connect to SQL server for data synchronization.

Still, you need to create separate user accounts in your AD for all clients.