Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How can associate external FQDN with internal FQDN to prevent logon popup?

Posted on 2007-12-06
10
Medium Priority
?
1,069 Views
Last Modified: 2012-06-21
Hi,

We've developed our corporate intranet in MOSS on Windows 2003 and linked it to our active directory so that if you enter https://portal.ourcompany.local from the LAN, you get through to the MOSS intranet, and are logged in to the portal automatically because we are logged in to our desktops.

Through MOSS, we have changed the FQDN of the intranet to https://portal.ourcompany.com so that those out on the road can access it. Works fine externally with a logon popup shown for the user, but internally on the LAN where people log onto the ourcompany.local domain through active directory we'd still like them to be able to log in to https://portal.ourcompany.com without getting the popup box.

By entering their details again they are taken to the portal but we'd like to omit this additional prompt. The DNS records have been changed so that someone on the LAN gets portal.proctorgroup.com resolving locally to the MOSS server.

How can we get rid of the additional login prompt for local LAN users?

Cheers,

Jim.
0
Comment
Question by:e-matters
10 Comments
 
LVL 22

Expert Comment

by:cj_1969
ID: 20419514
Both domains need to be in AD and then set up a trust between the domains so that the portal domain will trust the internal.
0
 
LVL 9

Expert Comment

by:moss_guru
ID: 20419637
I believe that adding the  https://portal.ourcompany.com address to your Local Intranet "Sites" list in your browser would fix that issue.  This would be (in IE7) in Internet Options, on the Security Tab, in the Intranet Zone.  Click Sites, then Advanced, and you should be able to add it.  The problem is that the browser will not pass Authenticated credentials to a non-trusted location (ie the Internet), and it cannot tell that your ".com" address is really an internal trusted location.  You can update this via the registry as well (see code)
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ourcompany.com\portal]
"*"=dword:00000001

Open in new window

0
 

Author Comment

by:e-matters
ID: 20442543
Hi,

I had already tried this but still received the pop-up.

Best regards,

Jim.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:e-matters
ID: 20442577
Hi,

Thanks for your response. Is it possible to set up the ourcompany.com domain name without having a domain controller for it, by simply adding it as a record into DNS or something similar?
 
0
 
LVL 9

Accepted Solution

by:
moss_guru earned 450 total points
ID: 20442597
Yes.  DNS domains do not require an AD domain controller.  Just create the new domain in DNS and add your host record in that domain. (ie Host or A Record for "Portal" in the new domain "ourcompany.com")...
0
 

Author Comment

by:e-matters
ID: 20442683
And then it is straightforward to get the two domains to trust each other?

0
 
LVL 9

Expert Comment

by:moss_guru
ID: 20442721
Trust is an AD term for allowing two Active Directory's to "trust" each others' (two-way or one-way) authentication.  This means that DomainA\User1 can be given access to DomainB\Server1's fileshares, even yought they are not part of the same AD Forest.

DNS Domains have no need of such a trust, as they are resolution only resources.  They resolve names to IPs, no security involved.
0
 

Author Comment

by:e-matters
ID: 20442894
Sorry to be thick, but if I need to establish a trust then presumably I need to Active Directories. At the moment I have one, and an external domain name. I guess one alternative is to set up a barebones server with an Active Directory for ourcompany.com and then trust them, but I'd rather there was a cleaner way.

0
 
LVL 9

Expert Comment

by:moss_guru
ID: 20443521
If you have the DNS domain resolving correctly, and you are importing the profiles and security from the correct AD structure, there should not be an issue.  Are you sure you need a matching AD domain for the external DNS name?  I would not think this would be necessary.  If your PC's are in the same Domain as your profiles, and you are logging in to that same AD, and your IE client recognizes the URL as a trusted internal site, your credentials should be passed to the MOSS servers... If some point along that chain fails, then you will be prompted.
0
 

Expert Comment

by:Skarkroe
ID: 26823714
I am having this exact same problem, but feeling sort of ignorant.  My internal and external domain are the same?  What am I missing?
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question