Author: Tony Su (Guest)
Posted: Thu Jan 20, 2005 12:31 am
Subject: AD support for authenticating multiple FQDN?
I have a need to authenticate Users with a FQDN that's not the native Windows Domain FQDN... specifically, I am publishing an LCS for Internet access and the Users and the Windows Domain name is not routable across the Internet.

Users will find the Server by way of the public FQDN, so that domain's credentials will be presented to the LCS which will then authenticate by the Domain's DC.

Have tried adding the public FQDN to the AD UPN suffix list, but that doesn't work.

TIA.
--
Tony Su
www.su-networking.com
ISA
SBS
Enterprise Mobile Solutions Architect |
Author: Herb Martin (Guest)
Posted: Thu Jan 20, 2005 2:04 am
Subject: Re: AD support for authenticating multiple FQDN?
"Tony Su" <TonySu@discussions.microsoft.com> wrote in message news:79F576AB-C419-4A7F-B331-9D787F733BC9@microsoft.com...

> I have a need to authenticate Users with a FQDN that's not the native Windows
> Domain FQDN... specifically, I am publishing a LCS for Internet access and
> the Users and the Windows Domain name is not routable across the Internet.
Windows DCs can only be domain controllers for one Domain.

Each domain has an associated DNS zone name (technically such are only FQDNs if they terminate in a "." -- FQDN is a commonly misused term, when people really mean domain, zone, or full machine name.)

If you must validate users from outside the domain the main methods (for Web access) are:

1) MS Passport (expensive; FYI: eBay seems to be dropping theirs)
2) Certificate mapping (from a certificate on client to a domain user)
3) Trusts (for people authenticated in a domain you can trust)
4) External database (Perl, VBScript, SQL, etc.)
> Users will find the Server by way of the public FQDN, so that domain's
> credentials will be presented to the LCS which will then authenticate by the
> Domain's DC.
> Have tried adding the public FQDN to the AD UPN suffix list, but that
> doesn't work.
That only allows you to give users this UPN (User Principal Name) -- they still must log on to an existing domain user account.
--
Herb Martin
Author: Tony Su (Guest)
Posted: Thu Jan 20, 2005 3:26 am
Subject: Re: AD support for authenticating multiple FQDN?
Hello Herb,

Glad to see you're still kicking after all these years! Still appreciative of all the good advice you gave in my formative years on the Saluki List...

Actually, issue resolved.

Support for alternative logons to a FQDN other than the default Windows Domain Name is supported, but I had neglected to also modify the individual User's account... by going into the ADUC > User Account Properties > Account Tab, then selecting the UPN from the dropdown list.

For those who read this thread, Herb may have misunderstood my post to mean that I wished to authenticate using another authority. The objective here was to authenticate to the existing Windows Domain but configure an alternative Domain Name.

Example:

    Windows Domain      MYDOMAIN.LOCAL
    NetBIOS Win DN      MYDOMAIN
    Alternative Domain  PUBLICDOMAIN.COM

So, if I have a remote User who needs to be authenticated for a Domain Resource and connects as User@MYDOMAIN.LOCAL of course that won't work because the domain name is unroutable. The User has to find the resource by way of a public FQDN so will be seen by the Domain as User@PUBLICDOMAIN.COM and needs to be authenticated as such.

Thanks all who read this post...

Tony
"Herb Martin" wrote:

> "Tony Su" <TonySu@discussions.microsoft.com> wrote in message
> news:79F576AB-C419-4A7F-B331-9D787F733BC9@microsoft.com...
> > I have a need to authenticate Users with a FQDN that's not the native
> > Windows
> > Domain FQDN... specifically, I am publishing a LCS for Internet access and
> > the Users and the Windows Domain name is not routable across the Internet.
>
> Windows DCs can only be domain controllers for one
> Domain.
> Each domain has an associated DNS zone name (technically
> such are only FQDNs if they terminate in a "." -- FQDN is
> a commonly misused term, when people really mean domain,
> zone, or full machine name.)
> If you must validate users from outside the domain
> the main methods (for Web access) are:
> 1) MS Passport (expensive; FWI: eBay seems to be dropping theirs)
> 2) Certificate mapping (from a certificate on client to a domain user)
> 3) Trusts (for people authenticated in a domain you can trust)
> 4) External database (Perl, VBScript, SQL, etc.)
>
> > Users will find the Server by way of the public FQDN, so that domain's
> > credentials will be presented to the LCS which will then authenticate by
> > the
> > Domain's DC.
> > Have tried adding the public FQDN to the AD UPN suffix list, but that
> > doesn't work.
>
> That only allows you to give users this UPN (User
> Principal Name) -- they still must logon to an existing
> domain user account.
> --
> Herb Martin
>
> > TIA.
> > --
> > Tony Su
> > www.su-networking.com
> > ISA
> > SBS
> > Enterprise Mobile Solutions Architect
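The two-step procedure Tony describes (register the alternative suffix on the forest, then select it on each user account) expressed as an added example, not code from the thread. It assumes the ActiveDirectory PowerShell module, which did not exist in 2005 when this was a GUI-only task; `publicdomain.com` and `jdoe` are placeholders. The final check is a defender-side addition: AD does not validate the suffix stored in a user's UPN, so an account can carry a suffix that was never registered, which makes UPN logons fail in ways that look like bad credentials.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) and rights to modify the forest and the user object.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$publicUpn = 'publicdomain.com'   # placeholder alternative UPN suffix
$sam       = 'jdoe'               # placeholder sAMAccountName

# Step 1: register the alternative suffix at forest level. This is the
# "UPN suffix list" step Tony had already done (AD Domains and Trusts GUI).
if ($forest.UPNSuffixes -notcontains $publicUpn) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $publicUpn }
}

# Step 2: the step that was missing - apply the suffix to the user account
# (ADUC > Account tab > UPN dropdown). Only after this does
# jdoe@publicdomain.com map to the existing domain account at logon.
# DOMAIN\jdoe and jdoe@mydomain.local keep working; the UPN is an alias
# for the same account, not a second identity or a second authority.
Set-ADUser -Identity $sam -UserPrincipalName "$sam@$publicUpn"

# Check: list accounts whose UPN suffix is neither a domain in the forest
# nor a registered alternative suffix. The directory does not enforce this,
# so typos and stale suffixes only surface as failed logons.
$allowed = @($forest.Domains) + @($forest.UPNSuffixes)

Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object {
        $suffix = ($_.UserPrincipalName -split '@')[-1]
        if ($allowed -notcontains $suffix) {
            [pscustomobject]@{
                User   = $_.SamAccountName
                UPN    = $_.UserPrincipalName
                Reason = 'UPN suffix not registered in forest'
            }
        }
    }
```

The check runs against every user, so on a large forest scope the `-Filter` to the OU that holds the externally reachable accounts. `-notcontains` is case-insensitive in PowerShell, matching how UPN suffixes are compared at logon.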