topic Re: 3 Domains with NTLMSSP Configuration in Web Security

3 Domains with NTLMSSP Configuration

angfeglandagan — Fri, 18 Jul 2008 16:31:38 GMT

Hi,

I successfully configured NTLMSSP using a single domain (abc.com).

Now, i want to add another 2 domains , both domains are trusted in the same forest...so theres no problem with the query via directory.

Is this possible?
I can just add another NTLM REALM for those domain..

hope someone can enlighten me.

kira

Re: 3 Domains with NTLMSSP Configuration

jowolfer — Fri, 18 Jul 2008 22:57:04 GMT

Kira,

You can only configure a single NTLM realm in the WSA, but as long as there are trusts in your AD forest, users in other domains should still be able to authenticate correctly.

Example:

WSA is configured to join the domain "COMPANY". The COMPANY domain has two way trusts configure with the domain "SECONDARY".

When a user in the SECONDARY domain authenticates to the WSA, it will sends the appropriate credentials (SECONDARY\user1). The WSA will pass these credentials to the AD server we have joined (in the COMPANY domain).

Since the COMPANY AD server trusts the SECONDARY domain, it will contact the other domain controllers and authenticate the client.

You can authenticate to any number of domains as long as the AD server / domain we're joining has the trust setup and is able to authenticate other domain's users.

Re: 3 Domains with NTLMSSP Configuration

angfeglandagan — Fri, 25 Jul 2008 18:20:16 GMT

Hi Josh,

Yup..i was able to make it work.....thanks..

Re: 3 Domains with NTLMSSP Configuration

jowolfer — Fri, 25 Jul 2008 23:00:04 GMT

Great! Everynow and then I'm right about something :wink:

Re: 3 Domains with NTLMSSP Configuration

angfeglandagan — Sat, 02 Aug 2008 18:57:50 GMT

The problem now would be a single sign on using the 3 domains...unfortunately..i can only create 1 ntlmssp....

How do you guys manage to configure SSO with 3 domains..

anyone?

thanks,

kira

Re: 3 Domains with NTLMSSP Configuration

jowolfer — Mon, 04 Aug 2008 23:42:15 GMT

My understanding is that SSO will work with any of the domains that have 2 way trust setup. You will still have to setup the environment for SSO, such as setting the "Redirect Hostname" to a single word hostname.

You may have to add a trust variable in the Firefox browser.

Re: 3 Domains with NTLMSSP Configuration

cwling2008 — Tue, 19 Aug 2008 22:57:36 GMT

Hi,

Just curious about LDAP authentcation issue in WSA. If the two domain did not trust each other. The authentication will it works or not?

How to resolve this issue?

Re: 3 Domains with NTLMSSP Configuration

jowolfer — Wed, 20 Aug 2008 23:00:05 GMT

I don't believe the trusts will have any effect on LDAP.

It's possible that one AD server may use an LDAP referral to query the appropriate AD server (for the other domain you are attempting to auth with), but I'm not sure that is how it works.

Any one else have concrete information? I'm curious as to why you would want to use LDAP with a multi domain environment. NTLM is better in every way (password from the client is secure, Kerberos between the WSA and DC, Single Sign On, Ease with authenticating to multiple domains, so forth.)