Joe
Fri May 09 07:11:27 PDT 2008
I will say that ADFS IS a good solution for doing some types of integration
across security realm boundaries, but currently it only supports web
applications, so it cannot be used to satisfy all situations. It is also
more effort to set up than a simple trust.
SharePoint does support ADFS well, but there would be additional complexity
with getting SharePoint integrated with ADFS if all of the other forests
using it now are already integrated via Windows security.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23%23kpuSdsIHA.420@TK2MSFTNGP02.phx.gbl...
> Security boundaries are defined by the AD forest; once a trust is
> established there are certain inherent risks. I don't know what you folks
> are trying to protect from one another nor understand your topology. It
> would be hard for anyone w/o understanding your enterprise to be able to
> tell you whether or not you are taking risks with the trust. I don't
> believe the company is concerned about external people gaining access to
> your system, but the largest source of risk to companies is actually
> internal hacking. I do believe though, if there is a one way trust where
> you are trusting them, their risk is very minimal.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "BBNBQ" <BBNBQ@discussions.microsoft.com> wrote in message
> news:5F97668C-FBC6-4880-A180-2010D40825EC@microsoft.com...
>> Hi.
>> We are facing a situation with a particular subsidiary company. We have a
>> sort of resource forest with a centralized SharePoint Server. We requested
>> each subsidiary to create a one-way AD trust with the resource forest in
>> order to authenticate their users on the site.
>>
>> All but one subsidiary is giving us problems. Mostly because they
>> semi-outsource many aspects of their IT operations including security; and
>> the outsourcing company is worried about any breaches that it might be
>> accountable for.
>>
>> The main concern it seems is with opening the RPC ports; but all we need is
>> for them to open up one of their domain controllers to the resource forest
>> DCs and some servers and apply a registry setting that fixes the AD RPC
>> port.
>>
>> Still, they won't budge and instead had us implement ADFS.
>> We have implemented ADFS ok and they can authenticate, but we are having
>> issues with ADFS and MOSS user profiles. And I would like them to get
>> onboard with the AD Trust.
>>
>> In their recent response, they claim:
>> 1- ADFS is the world wide accepted method for connecting companies to
>> exchange information over the Internet.
>> ** But we have a private link that doesn't go through the Internet and is
>> protected by firewalls!
>>
>> 2-They claim their security policy does not allow using AD trust because
>> it is not safe and can facilitate the hacking of their data?!!
>>
>> 3-They also claim that Microsoft recommended we standardize on ADFS for
>> authenticating all of our subsidiaries instead of AD trust!! (I will have
>> to investigate with the local MS reps)
>>
>> So, my question is, if we are all companies under the same umbrella and a
>> reasonable amount of trust/security policies can be agreed on, then would
>> an AD Trust (one-way at that!!) be considered that un-safe?
>>
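The "registry setting that fixes the AD RPC port" mentioned in the original question, shown as an added example that is not part of the thread: a PowerShell script run on the subsidiary's domain controller that pins the RPC ports used by AD replication and Netlogon, then limits the inbound firewall rules to the resource forest's DC subnet and verifies the one-way trust. The registry locations and value names (NTDS "TCP/IP Port", Netlogon "DCTcpipPort") are the documented ones; the port numbers, rule names, subnet and domain names are assumptions, and the NetSecurity cmdlets require Windows Server 2012 or later.

```powershell
# Added example (not from the thread): pin the dynamic RPC ports a DC uses for
# AD replication and Netlogon so the trust partner's firewall only needs the
# RPC endpoint mapper (135) plus two fixed ports instead of the whole dynamic
# range. Run elevated on the subsidiary (trusted) domain controller.

$NtdsPort     = 50000           # assumed: fixed port for AD replication RPC
$NetlogonPort = 50001           # assumed: fixed port for Netlogon RPC
$RemoteDCs    = '10.20.30.0/24' # assumed: subnet of the resource forest DCs/servers
$TrustingDom  = 'resource.example'   # assumed: forest that trusts the subsidiary
$TrustedDom   = 'subsidiary.example' # assumed: this forest

# 1. Pin the ports. Both values are REG_DWORD and take effect after a reboot.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

# 2. Allow inbound traffic for the trust only from the partner's DC subnet:
#    endpoint mapper, the two pinned RPC ports, Kerberos, LDAP/LDAPS, DNS, SMB.
$tcpPorts = @(135, $NtdsPort, $NetlogonPort, 88, 389, 636, 53, 445)
foreach ($p in $tcpPorts) {
    New-NetFirewallRule -DisplayName "Trust-In-TCP-$p" -Direction Inbound `
        -Protocol TCP -LocalPort $p -RemoteAddress $RemoteDCs -Action Allow
}
New-NetFirewallRule -DisplayName 'Trust-In-UDP-88-53' -Direction Inbound `
    -Protocol UDP -LocalPort 88, 53 -RemoteAddress $RemoteDCs -Action Allow

# 3. After the reboot: confirm the DC listens on the pinned ports, then check
#    that the one-way trust (resource forest trusts subsidiary) validates.
Get-NetTCPConnection -State Listen -LocalPort $NtdsPort, $NetlogonPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
netdom trust $TrustingDom /d:$TrustedDom /verify
```

Anything that is not in the rule set above, in particular the dynamic RPC range that worried the outsourcer, stays closed; the trade-off is that both pinned ports must be kept in sync with the partner's firewall if they are ever changed, and the SharePoint servers in the resource forest still need Kerberos and LDAP reachability to the subsidiary DC for user authentication and profile lookups.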