Two way domain trust for Sharepoint access, security implications

Posted on 2012-09-13
Last Modified: 2012-09-17
I want users in domain B to have access to Sharepoint in domain A. I set up a one way trust for another site for the same scenario to access Sharepoint, but there were a number of issues that arose, like timer services and sync. This is simplified when there is a two way trust.
I am trying to get a handle on what the security implications are for this. Obviously with a two way trust users in domain B now have the option to browse the domain A Active Directory and assign users in domain A access to resources in domain B, but can you tell me what else I need to be concerned about? I have looked at numerous articles on domain trusts but I would like to get specific answers for this particular scenario. The domain is 2003 to 2008.
Question by:Sid_F
    LVL 39

    Expert Comment

    by:Krzysztof Pytko
    You don't have to use domain/forest-wide authentication for the trust. You can choose "selective authentication" and create a domain group in domain B to allow only this group's members to access resources in domain A.

    LVL 5

    Author Comment

    Yes, but for Sharepoint this has implications for pulling information from domain B's Active Directory. It's not just giving users in domain B access to Sharepoint in domain A. It's also being able to get attributes in domain B and allowing Sharepoint to pull these details across to the user profiles sync into Sharepoint. Trusts are normally straightforward, but with Sharepoint it becomes more complex.
    LVL 5

    Accepted Solution


    Before one begins the domain migration, a number of mandatory requirements need to be in place to complete the migration successfully. Refer to the checklist mentioned in the link -

    Talking about trust, a domain trust is nothing but a useful way to allow users from a trusted domain to access services in a trusting domain. Regarding the trust relationship between domains, I would like to share the following with you for your reference:

    Hope this helps.
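
Added example, not part of the thread: a small audit check that decodes the `trustDirection` and `trustAttributes` values stored on a `trustedDomain` object and reports whether a trust is two-way, whether selective authentication is on, and whether SID filtering is enabled on an external trust. The domain names and sample values are constructed; the function and finding names are hypothetical.

```python
# Added example: audit of AD trust settings. Input is the trustDirection and
# trustAttributes integers read from a trustedDomain object in domain A.
INBOUND, OUTBOUND = 0x1, 0x2      # trustDirection bits (3 = two-way)
QUARANTINED_DOMAIN = 0x04         # SID filtering (quarantine) enabled
FOREST_TRANSITIVE = 0x08          # forest trust
CROSS_ORGANIZATION = 0x10         # selective authentication enabled
WITHIN_FOREST = 0x20              # trust inside one forest, not a boundary

EXPLAIN = {
    "TWO_WAY": "accounts from each domain can be granted access in the other",
    "DOMAIN_WIDE_AUTH": "selective authentication is off: every partner "
                        "account can authenticate to every local resource",
    "SID_FILTERING_OFF": "external trust without quarantine: SIDs outside the "
                         "partner domain in a token are not filtered",
}


def review_trust(direction, attributes):
    """Return finding codes for one trust, seen from the domain that holds it."""
    findings = []
    if attributes & WITHIN_FOREST:
        return findings
    if direction & INBOUND and direction & OUTBOUND:
        findings.append("TWO_WAY")
    if direction & OUTBOUND:  # partner accounts can reach local resources
        if not attributes & CROSS_ORGANIZATION:
            findings.append("DOMAIN_WIDE_AUTH")
        external = not attributes & FOREST_TRANSITIVE
        if external and not attributes & QUARANTINED_DOMAIN:
            findings.append("SID_FILTERING_OFF")
    return findings


# Constructed sample records (partner name, trustDirection, trustAttributes).
SAMPLE = [
    ("domain-b.example", 3, 0x00),  # two-way, nothing restricted
    ("domain-b.example", 3, 0x14),  # two-way, selective auth + SID filtering
    ("domain-c.example", 2, 0x04),  # one-way outgoing, SID filtering only
]

if __name__ == "__main__":
    for partner, direction, attrs in SAMPLE:
        codes = review_trust(direction, attrs)
        print(f"{partner} dir={direction} attrs={attrs:#04x}: {codes or 'no findings'}")
        for code in codes:
            print(f"  {code}: {EXPLAIN[code]}")
```

With selective authentication on, accounts from the partner domain also need the "Allowed to Authenticate" permission on each server they use, so only the SharePoint hosts need to be opened to the domain B group.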

