Authenticate with one domain, authorize with another.
November 18, 2008 7:19 AM Subscribe
In Active Directory, is it possible to direct the act of authenticating a user to one domain, but the subsequent authorization of that user to be handled by another?
Situation: For political, non-technical, and unchangable reasons, the users in our domain (Domain A), must now instead authenticate against Domain B. They are not in a forest together.
We retain control of the machines in Domain A. Domain A will still be used for management of machines, and possibly for authorization if we can find a way to pull it off.
Domain B will contain the users, just a giant mass of identities not separated into OUs. We will have no ability to put these users into groups or otherwise administer to Domain B. Account provisioning, some very light information, and password management is handled via Domain B.
Due to a number of vendor issues, we must put all of our users in a single domain (many of these particular applications can only look at one domain for authentication). Therefore, these users go into Domain B. You know, the domain without OUs or groups we can touch.
This means that in our area, our machines will be in Domain A, but the users will be logging in to the machine using Domain B.
Problem #1: We won't be able to put users into groups within Domain B, but almost all of the security in our various applications depends on group assignments. If we could separate authentication from authorization, users could log on to Domain B, but determining what groups, etc., could come from Domain A.
Problem #2: Domain B will not support roaming profiles, but a subset of our users (in a group in Domain A, not an OU, but that could change) need roaming profiles. We want to give users roaming profiles when they're logged onto our machines. Ideally, we'd like to be able to work it such that the roaming profiles are only triggered for the aforementioned group, perhaps pulling said profiles from Domain A.
Problem #1 is more important that Problem #2. I'm at a loss as to where to start with this, as I'm not really an Active Directory person, aside from the ability to manipulate it programmatically. Yes, I am aware that this scenario does not seem like a particularly great idea on the face of it. I'm just looking for technical solutions to what appears to be a technical problem generated by political issues.
Avenues Already Explored:
* Active Directory Federated Services isn't appropriate, as it is web-only.
* Dual sets of accounts could almost work, except for Domain B controlling the passwords.
* Dropping my jaw and blinking cluelessly has also not been effective.