RE: [ActiveDir] Child domain for external SharePoint users

2006-11-30 Thread Brian Desmond
You need a separate forest to get the effect you want. The Domain gets
you nothing more than an OU would. 

 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Thursday, November 30, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Child domain for external SharePoint users

 

Hi all 

We are in the process of creating a SharePoint site that external users
(dealers) can access to obtain shipping information.  I have the
SharePoint server in my LAN with a reverse proxy appliance in the DMZ
that the dealers will use to access the SharePoint server.

The discussion came up about using a child domain for these dealers to
authenticate to the SharePoint server.  Is this an accepted practice
(create a child domain for the external users)?  How safe is this
compared to creating a separate OU for the dealer in the parent domain?

Thank you

Russ 



Re: [ActiveDir] Child domain for external SharePoint users

2006-11-30 Thread Joe Kaplan

This is also a good application for federation (ADFS).  It gives you
the flexibility of provisioning your dealer accounts in ADAM instead
of AD (which can give you a lot more flexibility in terms of how to
allocate hardware) and can give you the ability to allow the dealers
to log on with their own accounts if they can create a federation
server on their end to provide access to their own domain resources.
This may or may not be possible/desirable, but in many cases it is
because you don't have to provision and manage their identities.

Unfortunately, this is much more complex to implement though.


From a security perspective, though, Brian is right.  If you just want
to do this with AD and trusts, you should do a separate forest and do
a forest trust.  Otherwise, you aren't buying much in terms of real
security.  You might as well just put the accounts in a separate OU.

Joe K.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/