SharePoint Access with a Trusted Domain

Establishing SharePoint access for users on a trusted domain was a great learning experience. SharePoint touches so many other fundamental services within the organization: in this case, good old Active Directory. The trust in question is an external non-transitive trust with a district office with its own domain. As a two-way trust, my users can authenticate on the foreign domain, and their users can authenticate on the local domain, where SharePoint is housed.

Authentication, however, will only get you so far. Without specific rights granted to individuals or to security groups in the foreign domain, the authenticated user could not view anything in our SharePoint environment, which is a closed intranet.

Best practice, of course, is to use security groups and/or SharePoint groups whenever possible to avoid the duplication of user management outside of AD. Therefore, I needed the names of the security groups within the foreign domain in order to grant access permissions in SharePoint. If there is a way to view users and groups from a trusted domain within Active Directory 2003 Management Console, I haven’t found it. To get around the problem, I created a folder on my desktop and did the following: right-click the folder and go to Properties > Sharing > Share This Folder > Permissions > Add... From Locations… choose the trusted domain name. Then select Advanced to go to the Common Queries window. With no criteria listed, click Find Now to get the full list of users and groups from the foreign domain.
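A scripted alternative to the folder-sharing workaround, as an added example that is not part of the original post: it lists the security-enabled groups in the trusted domain over LDAP and flags domain local groups, which can only be granted permissions inside their own domain. Assumptions: `district.example` is a placeholder for the trusted domain's DNS name, PowerShell is available on the workstation, and the account running it can authenticate across the trust.

```powershell
# Added example. 'district.example' is a placeholder for the trusted domain.
$TrustedDomain = 'district.example'

# Map the scope bits of the groupType attribute to a readable name.
function Get-GroupScope([int]$GroupType) {
    if     ($GroupType -band 0x2) { 'Global' }
    elseif ($GroupType -band 0x4) { 'DomainLocal' }
    elseif ($GroupType -band 0x8) { 'Universal' }
    else                          { 'Unknown' }
}

$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TrustedDomain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

# Bitwise-AND matching rule: keep only security-enabled groups (0x80000000),
# since distribution groups cannot carry permissions.
$searcher.Filter   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
$searcher.PageSize = 500   # page through results instead of stopping at the server limit
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'grouptype'))

$results = $searcher.FindAll()
try {
    $groups = foreach ($r in $results) {
        $scope = Get-GroupScope ([int]$r.Properties['grouptype'][0])
        New-Object PSObject -Property @{
            Name  = [string]$r.Properties['samaccountname'][0]
            Scope = $scope
            # Domain local groups are only valid on resources in their own domain,
            # so they are not candidates for SharePoint permissions on this side.
            UsableAcrossTrust = ($scope -ne 'DomainLocal')
        }
    }
}
finally {
    $results.Dispose()   # FindAll() holds unmanaged resources until disposed
}

$groups | Sort-Object Name | Format-Table Name, Scope, UsableAcrossTrust -AutoSize
```

Reviewing the output before granting anything also gives a record of exactly which foreign groups were candidates at the time access was set up.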

To test the security access, I asked the administrator of the foreign domain to create a test account for me, which I then used to log on to the SharePoint site. The logon worked, and my test account was able to navigate the site pretty much as expected. The test account was placed in only one security group, the one representing the most general group: district office. Interestingly, because the group was added only to the Viewers group at the root site, this experiment did reveal some ugly situations where inheritance was inappropriately broken, causing the test account to be unable to navigate to sub-sites beyond that level.

Next steps will be to correct the broken inheritance problems, test alerts to the foreign users, and map the foreign security groups to their local security group equivalents in order to grant permission to sites with specialized group permissions.

About Joy Lavigne (Adkins)

SharePoint Administrator for a mid-sized organization. Frequent speaker at SharePoint Saturday events. Teller of terribly corny jokes.

2 responses to “SharePoint Access with a Trusted Domain”

  • Kevin Hughes

    With a custom MMC you can create a console that points to a trusted domain.
    If you wanted to look up users/groups in the trusted domain you need to add a new import connection in your SSP that points to the trusted domain. Then run the stsadm set property command for the peoplepicker-searchadforests property. Do that for each web app you wish to be able to see the users/groups in the other domain. Then run a full import and a full crawl.

    If you want resolution of names from the trusted domain to be quicker, add the trusted domain’s AD as an additional authentication provider for your intranet farm.

  • JoyEarles

    Thanks so much for the info Kevin!
