0

I'm wondering if this if possible:

I have 1 AD Domain: InternalDomain. I want to create a secondary domain: CustomersDomain. I would like my SharePoint to be able to authenticate users from both InternalDomain and CustomersDomain.

  • Employees from the inside would connect directly to the SharePoint with InternalDomain. (DNS matter I guess)
  • Customers or Employees from outside would connect through a WAP and an ADFS server with Both [Internal|Customers]Domain (Public IP and DNS)

But, is this a good scenario in order to :

  • Manage Customers AD Account
  • Manage Customers authentication into SharePoint
  • Manage Employees authentication from outside

So my Customer AD will only store credentials to log in SharePoint for customers, no more rights. And my Internal AD Users (or some of them) will be able to create new Customer Account. But also, some customers will be able to create new account or at least ask for.

Ask if I'm not understandable enough. The idea is simple: best way to handle employee AD account (no changes on the AD server), handle customer accounts, handle authentication all with SharePoint.

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
Nico
  • 302
  • 1
  • 5
  • 17

2 Answers2

1

It is possible, one way to do this is:

1) Create a one-way trust from your CustomersDomain to your InternalDomain.

2) Install your SharePoint farm in the CustomersDomain. Because there is a trust between the domains, internal users will be able to connect to it as well.

3) Configure your DNS, firewalls, reverse proxies & co to route traffic to your farm, depending on where they come from.

Note that you don't need ADFS in this setup.

If you don't have trusts between your domains, then you will need 2 ADFS farms (one per domain), create a trust between them, and probably do some customization to route users to the correct server based on their location. It's more complicated.

There is diagram from Microsoft called "Extranet Topologies for SharePoint 2010 Products", you may look at it to find more ideas (available here on technet, it's the 3rd one).

Matthieu
  • 323
  • 1
  • 3
  • 7
  • Thanks a lot for your answer Matthieu ! trust between domains is what I found while searching around. As my SP farm is already installed, I'll search if it's possible to move a farm from a domain to another. But ADFS seems like a good solution too IMO. Thanks ! – Nico Dec 10 '14 at 12:17
  • I would just complete your answer with the link of SharePoint 2013 Diagram : : http://technet.microsoft.com/en-us/library/cc263199(v=office.15).aspx – Nico Dec 10 '14 at 15:03
  • "move a farm from a domain to another" -> I think it's safer to create a new farm, and migrate your content DB... And be careful with ADFS, some features are harder to configure with it (business intelligence mainly). Do a POC first:-) – Matthieu Dec 10 '14 at 16:30
  • Yes, I'm working on a test env. right now, thanks for the advice :) – Nico Dec 15 '14 at 07:38
-1

I have the same scenario, but i cannot build a trust between two domains because both domains have similar NetBIOS names, and usually a trust is not created when the NeTBIOS names or SID of both domain controllers are same. can you please advise how could i enable sharepoint to handle permissions for users of both domains.

user330686
  • 1