Multiple domain/password/outsourced email/SSO nightmare

EMEA iOps used Ask the Experts™
OK so here is the scenario...

We have a domain with users and computers (domain A). This domain has a forest trust with our email provider (domain B). When an account is created on our domain (domain A) it is sync'd to domain B every two hours using Identity Lifecycle Manager (ILM).

The user account in domain b has the same details but is in a disabled state. This object has a mailbox provisioned to it and at that point a user in domain A can open outlook and see their emails. All authentication is done at domain A.

This all works fine, the problem comes when a 3rd domain is mixed in. So a user in domain c logs onto their machine and opens outlook, they need to enter domain A's credentials. This means they are managing two passwords which is not ideal, account lockouts are rampant.

How can I solve this issue? I could establish a trust but I don't think it would achieve anything. Please note, our normal solution is to migrate users into domain A but this is not possible for this particular domain.

Any thoughts? Let me know if more information is required.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Can you mirror your setup of 'Domain A' for 'Domain C'?  You'd need to create a trust between Domain B and Domain C and then sync using ILM.  That way users in Domain C would function just like users in Domain A.

If ILM isn't available for the additional domain, you're really not ahead of the game creating the trust since you'll have to way to keep the domain (accounts) in sync.


I'm not sure if that's an option but I will ask the question to our email provider.

My other thoughts were using AD FS somehow?

Just to add this into the mix, we have sharepoint sites in domain A that users in domain C need access to.
ADFS could certainly get around the issues you have in front of you but it's neither quick nor easy to get setup and quite frankly beyond the scope of this question.

Honestly I don't see many ways to address your dilemma without purchasing/using a product that will synchronize accounts across domains.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial