Cross Domain Single Sign On

jay d

Is it possible to seamlessly logon to Project Web Access from a remote domain
without having a trust between the two domains? I am particularly interested
in using client certificates for authentication, if it is possible. Any
feedback would be greatly appreciated.

Thanks,
Jay
 
Bob Segrest

Yes, this is possible if a network path exists. Can you ping the server from
the other domain?

You need to create an account for the user in each domain. The username and
password for the accounts in both domains must match.

Bob Segrest, PMP
 
jay d

In PWA, I tried to create an account using Windows Integrated Authentication
for a user "remotedomain\username". It says, "The user could not be created.
Check the spelling of the user name, verify that a valid domain name was
included, and check that a duplicate domain was not used." The user
"remotedomain\username" exists in the Active Directory on the remotedomain
but there is no trust between domains. This is where I believe the problem
lies. The two domains are on the same network (and can ping each other) but
the domains cannot trust one another. I am trying to find a single sign on
solution that will work with this setup.

Thanks,
Jay
 
Bob Segrest

If there is NO trust established between the two domains, you must first
create an account for the user in each domain.

For example if my username is Segrest and I am a member of Domain1 and the
Project Server is in Domain2....

There is an existing account DOMAIN1\Segrest with the password xyz123.

You must create a new account in Domain2 with the username Segrest and the
password xyz123.

When you connect to the server from Domain1, the server in Domain2 will ask
you for a valid username and password. You will then respond with
Domain2\Segrest and the password xyz123. If you allow password caching, the
process will be transparent from this point forward.


Bob Segrest, PMP
 
jay d

Bob - Thanks for the advice, but the security group does not allow remote
users to have accounts created in the local domain. This is why I am
reaching out to see if anyone knows about custom authentication scenarios
such as pulling the username from a user certificate.

Thanks,
Jay
 
Bob Segrest

Hi Jay,

I have been working with remote domains for a long time. I don't think you
can do it without creating the accounts.

If you find out otherwise, I would be very interested in the details.

Bob Segrest

Bob Segrest, PMP
BSegE LLC
(540) 937-5875
http://www.BSegE.com
 
Brian K - Project MVP

jay said:
Bob - Thanks for the advice, but the security group does not allow
remote users to have accounts created in the local domain. This is
why I am reaching out to see if anyone knows about custom
authentication scenarios such as pulling the username from a user
certificate.

Thanks,
Jay

It sounds like trusts would be the only way then. Remember that the
trust only needs to be one way.

--
___
Brian K
Project MVP
http://www.projectified.com

Project Server Consultant
http://www.quantumpm.com
 
Earl Lewis

Although this solution may not exactly match your situation/desired outcome, here's how we're set up.

Our scenario:
Project server is in domain1
Many users have accounts setup by default in domain1 and login to PWA fine.
Many other PWA users do not have accounts setup automatically in domain1
These "other" users are NOT part of another domain

For those users outside of domain1:
- we create them an account in domain1
- on each user's machine (assuming Windows XP) we add a network password for domain1
How? Using the Control Panel "User Accounts" applet and selecting the user name - on the top left of the window that allows you to change account information you'll see a link to "Manage my network passwords"

Although they don't do a domain login and don't join their machines to domain1 they can login to PWA AND WSS just fine.

This may play out differently for users/machines outside of one domain that ARE members of another domain and do domain logins to that other domain. Don't know. We're not in that situation. Hope this helps.

Earl
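The "add a network password for domain1" step Earl describes can be scripted with cmdkey.exe, the command-line counterpart of the Control Panel applet. This is an added example, not code from the thread; the server name and account are placeholders supplied by the caller, and the password is prompted for rather than written into the script.

```powershell
# Added example (not from the thread): store a Windows credential for the
# Project Server host in the current user's Credential Manager, so the PWA/WSS
# authentication prompt is answered with the domain1 account automatically.
function Add-PwaStoredCredential {
    param(
        [Parameter(Mandatory)] [string] $ServerName,  # placeholder, e.g. pwa.domain1.example
        [Parameter(Mandatory)] [string] $UserName     # placeholder, e.g. DOMAIN1\username
    )

    # Prompt for the secret instead of hard-coding it; keep it as a SecureString
    # until the moment cmdkey needs the plain value.
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    $plain  = $cred.GetNetworkCredential().Password

    # /add writes the entry under the given target name; cmdkey receives the
    # password on its command line, so run this interactively, not from a logged job.
    & cmdkey.exe "/add:$ServerName" "/user:$UserName" "/pass:$plain" | Out-Null
    $plain = $null
    if ($LASTEXITCODE -ne 0) {
        throw "cmdkey /add failed with exit code $LASTEXITCODE"
    }

    # Verify the entry now exists; cmdkey /list prints a "Target:" line per match.
    $listing = & cmdkey.exe "/list:$ServerName"
    return [bool]($listing -match 'Target:')
}

# Usage (interactive): Add-PwaStoredCredential -ServerName 'pwa.domain1.example' -UserName 'DOMAIN1\username'
```

The entry can be inspected later with `cmdkey /list:<server>` and removed with `cmdkey /delete:<server>` when the account is retired.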
 
Denis in Brisbane

Thanks, Bob. That's been driving me mad for some time. It also fixed a
related problem that OLAP cube worked when I was remotely logged on to the
Project Server but not when I ran the browser from my PC.

Much appreciated!!

Denis
 