SSO - Field Transliteration across domains - is it possible?


  • SSO - Field Transliteration across domains - is it possible?

    I have a conundrum.

    How do I facilitate an integration of two Single Sign-Ons (SSO) in AD when the AD listings are not exactly the same; in short, how do I circumvent the Kerberos SSO of AD?

    This is the situation.

    Imagine there is a User : JoeBloggs Password: 123 Domain: UNIQUEDOMAIN

    He exists in AD “Server_One” as “UNIQUEDOMAIN\JoeBloggs”, Password “123”

    He exists in AD “Server_Two” as “ALLDOMAIN\JoeBloggs-uniquedomain”, Password “123”

    Now Imagine there is another User : PeterSmith Password: abc Domain: ANOTHERDOMAIN

    He exists in AD “Server_One” as “ANOTHERDOMAIN\PeterSmith”, Password “abc”

    He exists in AD “Server_Two” as “ALLDOMAIN\PeterSmith-anotherdomain”, Password “abc”

    Neither ANOTHERDOMAIN nor UNIQUEDOMAIN “sees” “Server_Two”, but “Server_One” can see both. The passwords are the same. Here is the gotcha: “Server_Two” is ours; “Server_One” is not. We have no control over “Server_One”, nor over either user's first step of their SSO authentication. We cannot have millions of “pseudo-domains” (my word for it, i.e. home-grown versions of ANOTHERDOMAIN or UNIQUEDOMAIN can't be made); for the size of the project it would be far too messy. We need to have “one” AD DOMAIN on “Server_Two”.

    Now, what I need to do is get “Server_Two” to serve up the data via SSO. In theory “Server_Two” might not need to have AD; it might simply have MS SQL with those fields in it, but I hope you can see the issue.

    The only way I can think of to do this is to remap it using a SQL-type solution, i.e. take out AD and install Kerberos 5 on “Server_Two” and plug in MS-SQL, but even this is probably fraught with its own endless mess of problems, not least because it seems MIT doesn't build for Windows anymore on their main site, but also because I don't know for sure that Kerberos 5 is varied for domains-per-user.

    I am prepared to dig, but I need to know where: is this even possible, and how might I go about it? Thanks in advance.

  • #2
    Re: SSO - Field Transliteration across domains - is it possible?

    Since they're both Kerberos, can you set up a trust between the necessary domains?

    Maybe look into ADLDS and syncing that with a Kerberos realm if possible...
    https://www.google.com/webhp?rlz=1C1...w=1920&bih=936
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com
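Added example, not code from either poster: the naming scheme in the question (ALLDOMAIN\JoeBloggs-uniquedomain for UNIQUEDOMAIN\JoeBloggs) is a deterministic transliteration, and the part of the problem that can be handled outside AD is making that transliteration injective and reversible, so that a foreign principal can be resolved to exactly one consolidated account. The block below implements the forward and reverse mapping over a fixed set of known source domains, checks the consolidated names against the 20-character limit Windows places on a user's sAMAccountName (names the question uses as examples already exceed it, so they would have to be UPNs or shortened), and builds the "Kerberos:principal@REALM" value that an altSecurityIdentities attribute would carry if a trust or realm trust existed (the trust itself, which Jeremy suggests, is a prerequisite this code does not replace). The realm names ending in .EXAMPLE, the function names, and the sample user list are assumptions for illustration.

```python
"""Identity transliteration between per-tenant domains and one consolidated domain.

Added example for the thread above; not code from the original posters.
Domain and user names come from the question; realm names and helper
names are assumed for illustration.
"""

# Windows enforces a 20-character limit on sAMAccountName for user objects.
SAM_MAX_LEN = 20
SEPARATOR = "-"

# Known source domains: NetBIOS name -> Kerberos realm (realms are assumed values).
# The mapping is only reversible if no source domain name contains SEPARATOR.
SOURCE_DOMAINS = {
    "UNIQUEDOMAIN": "UNIQUEDOMAIN.EXAMPLE",
    "ANOTHERDOMAIN": "ANOTHERDOMAIN.EXAMPLE",
}


class MappingError(ValueError):
    """Raised when a name cannot be mapped unambiguously."""


def to_consolidated(domain, sam):
    """UNIQUEDOMAIN, JoeBloggs -> JoeBloggs-uniquedomain (the scheme in the question)."""
    domain_u = domain.upper()
    if domain_u not in SOURCE_DOMAINS:
        raise MappingError(f"unknown source domain: {domain}")
    if SEPARATOR in domain_u:
        raise MappingError(f"domain {domain} contains {SEPARATOR!r}; reverse mapping would be ambiguous")
    if not sam or "\\" in sam or "@" in sam or SEPARATOR == sam[-1]:
        raise MappingError(f"invalid sAMAccountName: {sam!r}")
    return f"{sam}{SEPARATOR}{domain_u.lower()}"


def from_consolidated(mapped):
    """JoeBloggs-uniquedomain -> (UNIQUEDOMAIN, JoeBloggs).

    Splits on the LAST separator, so user names that themselves contain a
    hyphen (e.g. Bob-anotherdomain in UNIQUEDOMAIN) still round-trip.
    """
    sam, sep, suffix = mapped.rpartition(SEPARATOR)
    domain = suffix.upper()
    if not sep or not sam or domain not in SOURCE_DOMAINS:
        raise MappingError(f"cannot resolve consolidated name: {mapped!r}")
    return domain, sam


def sam_fits(mapped):
    """True if the consolidated name is usable as a sAMAccountName."""
    return len(mapped) <= SAM_MAX_LEN


def alt_security_identity(domain, sam):
    """altSecurityIdentities value mapping a foreign Kerberos principal to the account."""
    return f"Kerberos:{sam}@{SOURCE_DOMAINS[domain.upper()]}"


def build_consolidated(users):
    """Map (domain, sam) pairs into ALLDOMAIN, rejecting collisions.

    Returns a dict keyed by consolidated name. sAMAccountName comparison in AD
    is case-insensitive, so uniqueness is checked on the lower-cased name.
    """
    seen = {}
    for domain, sam in users:
        mapped = to_consolidated(domain, sam)
        key = mapped.lower()
        if key in seen:
            raise MappingError(f"collision: {mapped!r} already maps to {seen[key][:2]}")
        seen[key] = (domain.upper(), sam, alt_security_identity(domain, sam))
    return {v[1] + SEPARATOR + v[0].lower(): v for v in seen.values()}


def names_too_long(consolidated):
    """Consolidated names that cannot be sAMAccountNames (would need to be UPNs)."""
    return sorted(name for name in consolidated if not sam_fits(name))


if __name__ == "__main__":
    # Constructed sample input using the two users from the question.
    sample = [("UNIQUEDOMAIN", "JoeBloggs"), ("ANOTHERDOMAIN", "PeterSmith")]
    directory = build_consolidated(sample)
    for name, (dom, sam, alt_id) in directory.items():
        print(f"{name:26} <- {dom}\\{sam:12} {alt_id}")
    print("exceed sAMAccountName limit:", names_too_long(directory))
```

Running the script shows that both example names from the question (22 and 24 characters) exceed the sAMAccountName limit, which is a practical constraint on the "-domain" suffix scheme; a UPN such as JoeBloggs-uniquedomain@alldomain.example has no such limit. The altSecurityIdentities value only resolves a foreign principal once a trust exists for that realm; without one, the matching passwords on both sides are irrelevant to Kerberos, because Server_Two has no key with which to validate a ticket issued by UNIQUEDOMAIN's KDC.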
