EMEA iOps
asked on
Multiple domain/password/outsourced email/SSO nightmare
OK so here is the scenario...
We have a domain with users and computers (domain A). This domain has a forest trust with our email provider (domain B). When an account is created on our domain (domain A) it is sync'd to domain B every two hours using Identity Lifecycle Manager (ILM).
The user account in domain b has the same details but is in a disabled state. This object has a mailbox provisioned to it and at that point a user in domain A can open outlook and see their emails. All authentication is done at domain A.
This all works fine, the problem comes when a 3rd domain is mixed in. So a user in domain c logs onto their machine and opens outlook, they need to enter domain A's credentials. This means they are managing two passwords which is not ideal, account lockouts are rampant.
How can I solve this issue? I could establish a trust but I don't think it would achieve anything. Please note, our normal solution is to migrate users into domain A but this is not possible for this particular domain.
Any thoughts? Let me know if more information is required.
Cheers
We have a domain with users and computers (domain A). This domain has a forest trust with our email provider (domain B). When an account is created on our domain (domain A) it is sync'd to domain B every two hours using Identity Lifecycle Manager (ILM).
The user account in domain b has the same details but is in a disabled state. This object has a mailbox provisioned to it and at that point a user in domain A can open outlook and see their emails. All authentication is done at domain A.
This all works fine, the problem comes when a 3rd domain is mixed in. So a user in domain c logs onto their machine and opens outlook, they need to enter domain A's credentials. This means they are managing two passwords which is not ideal, account lockouts are rampant.
How can I solve this issue? I could establish a trust but I don't think it would achieve anything. Please note, our normal solution is to migrate users into domain A but this is not possible for this particular domain.
Any thoughts? Let me know if more information is required.
Cheers
ASKER
I'm not sure if that's an option but I will ask the question to our email provider.
My other thoughts were using AD FS somehow?
Just to add this into the mix, we have sharepoint sites in domain A that users in domain C need access to.
My other thoughts were using AD FS somehow?
Just to add this into the mix, we have sharepoint sites in domain A that users in domain C need access to.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If ILM isn't available for the additional domain, you're really not ahead of the game creating the trust since you'll have to way to keep the domain (accounts) in sync.