Solved

How can associate external FQDN with internal FQDN to prevent logon popup?

Posted on 2007-12-06
10
1,067 Views
Last Modified: 2012-06-21
Hi,

We've developed our corporate intranet in MOSS on Windows 2003 and linked it to our active directory so that if you enter https://portal.ourcompany.local from the LAN, you get through to the MOSS intranet, and are logged in to the portal automatically because we are logged in to our desktops.

Through MOSS, we have changed the FQDN of the intranet to https://portal.ourcompany.com so that those out on the road can access it. Works fine externally with a logon popup shown for the user, but internally on the LAN where people log onto the ourcompany.local domain through active directory we'd still like them to be able to log in to https://portal.ourcompany.com without getting the popup box.

By entering their details again they are taken to the portal but we'd like to omit this additional prompt. The DNS records have been changed so that someone on the LAN gets portal.proctorgroup.com resolving locally to the MOSS server.

How can we get rid of the additional login prompt for local LAN users?

Cheers,

Jim.
0
Comment
Question by:e-matters
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 22

Expert Comment

by:cj_1969
ID: 20419514
Both domains need to be in AD and then set up a trust between the domains so that the portal domain will trust the internal.
0
 
LVL 9

Expert Comment

by:moss_guru
ID: 20419637
I believe that adding the  https://portal.ourcompany.com address to your Local Intranet "Sites" list in your browser would fix that issue.  This would be (in IE7) in Internet Options, on the Security Tab, in the Intranet Zone.  Click Sites, then Advanced, and you should be able to add it.  The problem is that the browser will not pass Authenticated credentials to a non-trusted location (ie the Internet), and it cannot tell that your ".com" address is really an internal trusted location.  You can update this via the registry as well (see code)
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ourcompany.com\portal]
"*"=dword:00000001

Open in new window

0
 

Author Comment

by:e-matters
ID: 20442543
Hi,

I had already tried this but still received the pop-up.

Best regards,

Jim.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:e-matters
ID: 20442577
Hi,

Thanks for your response. Is it possible to set up the ourcompany.com domain name without having a domain controller for it, by simply adding it as a record into DNS or something similar?
 
0
 
LVL 9

Accepted Solution

by:
moss_guru earned 150 total points
ID: 20442597
Yes.  DNS domains do not require an AD domain controller.  Just create the new domain in DNS and add your host record in that domain. (ie Host or A Record for "Portal" in the new domain "ourcompany.com")...
0
 

Author Comment

by:e-matters
ID: 20442683
And then it is straightforward to get the two domains to trust each other?

0
 
LVL 9

Expert Comment

by:moss_guru
ID: 20442721
Trust is an AD term for allowing two Active Directory's to "trust" each others' (two-way or one-way) authentication.  This means that DomainA\User1 can be given access to DomainB\Server1's fileshares, even yought they are not part of the same AD Forest.

DNS Domains have no need of such a trust, as they are resolution only resources.  They resolve names to IPs, no security involved.
0
 

Author Comment

by:e-matters
ID: 20442894
Sorry to be thick, but if I need to establish a trust then presumably I need to Active Directories. At the moment I have one, and an external domain name. I guess one alternative is to set up a barebones server with an Active Directory for ourcompany.com and then trust them, but I'd rather there was a cleaner way.

0
 
LVL 9

Expert Comment

by:moss_guru
ID: 20443521
If you have the DNS domain resolving correctly, and you are importing the profiles and security from the correct AD structure, there should not be an issue.  Are you sure you need a matching AD domain for the external DNS name?  I would not think this would be necessary.  If your PC's are in the same Domain as your profiles, and you are logging in to that same AD, and your IE client recognizes the URL as a trusted internal site, your credentials should be passed to the MOSS servers... If some point along that chain fails, then you will be prompted.
0
 

Expert Comment

by:Skarkroe
ID: 26823714
I am having this exact same problem, but feeling sort of ignorant.  My internal and external domain are the same?  What am I missing?
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question