Question about Sharepoint Security across domains  
Miriv365
Posted in: SharePoint - General Question and Answers and Discussion, Question about Sharepoint Security across domains

Hey guys,

I have a question about SharePoint and how it implements security.

In our SharePoint implementation we use NT authentication to access several sites on the SharePoint server. These users are in the normal form of Domain1\User. Each of those users was given individual access by the SharePoint admin (not me). We recently created a new domain which will supersede Domain1 and are moving users over to the new domain (Domain2). Now users on Domain2 are getting an NT challenge window when trying to access sites and documents that they used to have access to. They can get around it by typing in the credentials for Domain1, but that isn't a good solution because that domain will be going away. I am not sure how to fix this.

On a whim, I went into the UserInfo table in the SITE table to experiment (yes, I know it's not a good idea to mess with the database), but even changing a user's tp_Login to the new domain didn't seem to help.

One other thing: the domains supposedly have full two-way trust.

Can anyone give me some suggestions for fixing my issue?


Mike Walsh MVP

One idea is that you could start giving access to AD Groups from the second server (Domain 2) to the SharePoint server.

Provided the two domains do have full two way trust these Groups will be accepted.

The users who are now using domain 2 will naturally be part of one or more Domain 2 AD Groups and thus should be able to get access to the site from that.

My assumption is that the SharePoint server will then recognize their Domain 2 name / password, correctly identify them, and won't require any other identification. (It will of course think they are someone other than the "guy" who posted using a Domain 1 ID.)

Worth a quick test at any rate ...

Mike

durayakar2

You (or the SharePoint admin) would need to give access to the users in Domain2.

The users are stored with their security IDs, so changing the domain name in the database would not work.

I know that you mentioned that you know it is not a good idea, but please remember: more than just being a bad idea, it also makes your environment unsupported if you change the values in any SharePoint DB using any means other than the SharePoint UI/OM. So, if you open a ticket with Microsoft Support, you will have to revert back to the latest backup that was intact! This is a perfect example of the probability of messing up security completely by modifying the DB values directly. :)

If you are migrating the users completely from Domain1 to Domain2, and the users will not exist in Domain1 anymore, you can use a utility to migrate all the users. Check SMigrate if you are on SPS 2003 as a starting point.

Hope it helps

durayakar2

PS : The groups in a domain should be "global" groups to be accessible from within another domain, even in a trusted scenario.
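As an added example (not code from the thread or from any of the posters), here is how Mike Walsh's suggestion of granting access to Domain2 AD groups, together with the "global groups" note above, could be carried out and checked from PowerShell on the SharePoint server. The first function reads the group's groupType attribute from Domain2 to confirm it is a global (or universal) security group rather than a domain-local or distribution group, which a server in the trusting domain cannot evaluate; the second grants the group access with stsadm -o adduser. The domain name, group name, site URL, role name and the stsadm location are assumptions to replace with your own values.

```powershell
# Added example (not from the thread). Assumes: PowerShell 2.0 or later on the
# SharePoint front end, running as a site administrator; stsadm.exe on PATH
# (WSS 2.0 keeps it under "%CommonProgramFiles%\Microsoft Shared\web server
# extensions\60\bin"); the domain, group, site and role names are hypothetical.

function Get-AdGroupScope {
    # Look up a group in the given domain and decode its groupType attribute.
    param(
        [Parameter(Mandatory=$true)][string]$DomainDns,    # e.g. domain2.example.com (assumed)
        [Parameter(Mandatory=$true)][string]$GroupName     # sAMAccountName of the group
    )
    $root     = [ADSI]"LDAP://$DomainDns"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add("groupType")
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Group $GroupName not found in $DomainDns" }

    # groupType bit flags from the AD schema: 0x2 global, 0x4 domain local,
    # 0x8 universal; the sign bit (0x80000000) marks a security-enabled group,
    # so security groups come back as negative Int32 values.
    $type  = [int]$hit.Properties["grouptype"][0]
    $scope = if ($type -band 0x2) { "Global" }
             elseif ($type -band 0x4) { "DomainLocal" }
             elseif ($type -band 0x8) { "Universal" }
             else { "Unknown" }
    New-Object PSObject -Property @{
        Group           = $GroupName
        Scope           = $scope
        SecurityEnabled = ($type -lt 0)
    }
}

function Grant-SiteGroupAccess {
    # Wraps "stsadm -o adduser". SharePoint accepts a group login here exactly
    # like a user login; the e-mail and display name parameters are still
    # required, so placeholders are passed for them.
    param(
        [Parameter(Mandatory=$true)][string]$SiteUrl,
        [Parameter(Mandatory=$true)][string]$GroupLogin,   # NetBIOS form, e.g. DOMAIN2\SP-Finance-Readers
        [string]$Role = "Reader"    # WSS 2.0 site group name; check "stsadm -help adduser" on your version
    )
    & stsadm -o adduser -url $SiteUrl -userlogin $GroupLogin `
             -useremail "noreply@example.com" -role $Role -username $GroupLogin
    if ($LASTEXITCODE -ne 0) { throw "stsadm adduser failed for $GroupLogin on $SiteUrl" }
}

# Usage with hypothetical names: refuse domain-local or distribution groups,
# which a resource server in the other domain cannot evaluate, then grant access.
$info = Get-AdGroupScope -DomainDns "domain2.example.com" -GroupName "SP-Finance-Readers"
if ($info.Scope -eq "DomainLocal" -or -not $info.SecurityEnabled) {
    throw "Use a global (or universal) security group: $($info.Group) is $($info.Scope), security=$($info.SecurityEnabled)"
}
Grant-SiteGroupAccess -SiteUrl "http://sharepoint/sites/finance" -GroupLogin "DOMAIN2\SP-Finance-Readers"
```

Universal security groups also cross a trust, so the check only rejects domain-local scope and distribution groups; if the group passes and Domain2 users still get the NT challenge, verify the trust itself before touching SharePoint.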

Nebelstreif

By the way, migrating users with stsadm may not be the solution. Apparently not all site ownership information gets transferred to the new login, even when SID history is intact. You might also encounter a problem if your server admin was a Domain1\adm_user. Your admin will need to make a new Domain2\adm_user the owner of all SharePoint site collections, including the portal site, manually or with stsadm -o siteowner. Even in that case I'm not sure that everything will work fine. I hope my answers in the adjacent forum will come any time soon. Anyway, I'm expecting a support incident to be opened regarding this issue within a couple of days, so I'll try to keep you informed.
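Added example, not from any of the posters: a PowerShell script that turns durayakar2's point that users are stored by security ID and Nebelstreif's caveat about site ownership into a checkable procedure. It resolves the old and new logins to their SIDs (they always differ across domains, because a SID begins with the issuing domain's identifier, which is why editing tp_Login alone changed nothing), reads the new account's sIDHistory from Domain2, runs stsadm -o migrateuser, and then re-points the owner of every site collection with stsadm -o siteowner. All logins, domain names and URLs are hypothetical; the reading of the -ignoresidhistory switch and the enumsites output shape are assumptions, and migrateuser's availability on a WSS 2.0 / SPS 2003 build should be confirmed with stsadm -help before relying on it.

```powershell
# Added example (not from any poster). Assumes: PowerShell 2.0 or later on the
# SharePoint front end as a farm/site administrator, a working two-way trust so
# that Domain1 SIDs still resolve, stsadm.exe on PATH, and a build whose stsadm
# offers migrateuser (present in WSS 3.0; confirm with "stsadm -help" on
# WSS 2.0 / SPS 2003). All logins, domain names and URLs are hypothetical.

function Get-AccountSid {
    # Resolve DOMAIN\name to its SID string. Needs the trust to be working.
    param([Parameter(Mandatory=$true)][string]$Login)
    $parts = $Login.Split('\', 2)
    $acct  = New-Object System.Security.Principal.NTAccount($parts[0], $parts[1])
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-SidHistory {
    # Return the sIDHistory values of an account in the given domain as SID strings.
    param(
        [Parameter(Mandatory=$true)][string]$DomainDns,
        [Parameter(Mandatory=$true)][string]$SamAccountName
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDns")
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add("sIDHistory")
    $hit = $searcher.FindOne()
    if (-not $hit) { return @() }
    $sids = @()
    foreach ($raw in $hit.Properties["sidhistory"]) {
        # Each value is the binary SID; offset 0 = start of the blob
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
    return $sids
}

function Test-MigrationMapping {
    # Show what SharePoint actually matches on: the SID stored for the old
    # login, never the tp_Login text. Across domains the SIDs always differ.
    param(
        [Parameter(Mandatory=$true)][string]$OldLogin,     # e.g. DOMAIN1\jdoe
        [Parameter(Mandatory=$true)][string]$NewLogin,     # e.g. DOMAIN2\jdoe
        [Parameter(Mandatory=$true)][string]$NewDomainDns  # e.g. domain2.example.com
    )
    $oldSid  = Get-AccountSid $OldLogin
    $newSid  = Get-AccountSid $NewLogin
    $history = Get-SidHistory -DomainDns $NewDomainDns -SamAccountName ($NewLogin.Split('\', 2)[1])
    New-Object PSObject -Property @{
        OldLogin         = $OldLogin
        OldSid           = $oldSid
        NewLogin         = $NewLogin
        NewSid           = $newSid
        SameSid          = ($oldSid -eq $newSid)          # false for a cross-domain move
        HistoryCoversOld = ($history -contains $oldSid)   # true only if the migration tool carried the old SID over
    }
}

function Invoke-SharePointUserMigration {
    # Wraps "stsadm -o migrateuser". The switch tells stsadm not to rely on
    # sIDHistory when matching the accounts (assumed reading of the switch;
    # check "stsadm -help migrateuser" on your build).
    param(
        [Parameter(Mandatory=$true)][string]$OldLogin,
        [Parameter(Mandatory=$true)][string]$NewLogin,
        [switch]$IgnoreSidHistory
    )
    $stsArgs = @('-o', 'migrateuser', '-oldlogin', $OldLogin, '-newlogin', $NewLogin)
    if ($IgnoreSidHistory) { $stsArgs += '-ignoresidhistory' }
    & stsadm @stsArgs
    if ($LASTEXITCODE -ne 0) { throw "migrateuser failed for $OldLogin -> $NewLogin" }
}

function Set-OwnerOnAllSiteCollections {
    # Ownership is not carried over by migrateuser, so re-point every site
    # collection's owner with "stsadm -o siteowner". enumsites is assumed to
    # return XML with one <Site Url="..."> element per site collection.
    param(
        [Parameter(Mandatory=$true)][string]$VirtualServerUrl,  # e.g. http://sharepoint
        [Parameter(Mandatory=$true)][string]$NewOwner,          # e.g. DOMAIN2\adm_user
        [Parameter(Mandatory=$true)][string]$NewSecondary
    )
    $lines = & stsadm -o enumsites -url $VirtualServerUrl | Where-Object { $_ -match '^\s*<' }
    [xml]$doc = ($lines -join "`n")
    foreach ($site in $doc.Sites.Site) {
        & stsadm -o siteowner -url $site.Url -ownerlogin $NewOwner -secondarylogin $NewSecondary
        if ($LASTEXITCODE -ne 0) { Write-Warning "siteowner failed on $($site.Url)" }
    }
}

# Usage (hypothetical accounts): inspect the mapping first, then migrate and fix owners.
$check = Test-MigrationMapping -OldLogin 'DOMAIN1\jdoe' -NewLogin 'DOMAIN2\jdoe' -NewDomainDns 'domain2.example.com'
$check | Format-List
Invoke-SharePointUserMigration -OldLogin 'DOMAIN1\jdoe' -NewLogin 'DOMAIN2\jdoe' -IgnoreSidHistory:(-not $check.HistoryCoversOld)
Set-OwnerOnAllSiteCollections -VirtualServerUrl 'http://sharepoint' -NewOwner 'DOMAIN2\adm_user' -NewSecondary 'DOMAIN2\adm_backup'
```

Run Test-MigrationMapping first on one account: if SameSid is false and HistoryCoversOld is also false, the only link between the two identities is the one stsadm creates, so take a backup before running migrateuser rather than editing UserInfo by hand, which as durayakar2 notes also takes the farm out of support.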