I am setting up a WSS site for collaboration with users outside our
company. It will be on the perimeter network behind some security, with
its own AD Server and SQL Server. The external AD Server will house
all our external user accounts and may (or may not, if possible) have a
one-way trust with our internal AD Server. I also want to attach this
to our internal SPS portal. The Internal SPS server will not be able to
see any of the external users, due to the one-way trust. Internal users
will always access the internal SPS Server and external users will
always access the external WSS Server. The only traffic allowed between
the perimeter network and the internal network will be communications
between the internal SPS Server, and the DB Server, and communications
necessary for the one-way trust.

1. Is the one-way trust needed?
2. Will I be able to manage external users from the internal interface?
(If necessary, assume that they are already added to the external AD Server)

RE: Setting up WSS with multiple faces by v-wdxu

v-wdxu
Tue Dec 13 21:23:11 CST 2005

Hi Shawn,

SPS uses Windows authentication (in the non-anonymous scenario) to
authenticate the users. The one way trust should be required for this
scenario because the intranet AD should trust the accounts from the
external domain, then the external accounts could be permitted by the
intranet AD server.

For your second problem, this is an AD admin issue, not WSS/SPS. However,
from my view, if you obtain the external AD domain admin right, it is sure
that you could manage the external AD accounts.

Please feel free to let me know if you have any further question on this
issue.

Best Regards,
Wei-Dong XU
Microsoft Support
---------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
---------------------------------------------------------------------------
It is my pleasure to be of any assistance.


Re: Setting up WSS with multiple faces by Shawn

Shawn
Tue Dec 13 23:33:42 CST 2005

Actually, the trust would go the other way. The external AD would trust
the internal AD. No external users will be accessing the internal
portal, only the external WSS server.

Wei-Dong XU [MS] wrote:
> Hi Shawn,
>
> SPS uses Windows authentication (in the non-anonymous scenario) to
> authenticate the users. The one way trust should be required for this
> scenario because the intranet AD should trust the accounts from the
> external domain, then the external accounts could be permitted by the
> intranet AD server.
>
> For your second problem, this is an AD admin issue, not WSS/SPS. However,
> from my view, if you obtain the external AD domain admin right, it is sure
> that you could manage the external AD accounts.
>
> Please feel free to let me know if you have any further question on this
> issue.
>
> Best Regards,
> Wei-Dong XU
> Microsoft Support
> ---------------------------------------------------------------------------
> This posting is provided "AS IS" with no warranties, and confers no rights.
> ---------------------------------------------------------------------------
> It is my pleasure to be of any assistance.
>

Re: Setting up WSS with multiple faces by v-wdxu

v-wdxu
Thu Dec 15 03:34:01 CST 2005

Hi Shawn,

Thanks for the correction!

"I am setting up a WSS site for collaboration with users outside our
company."
Since the one-way trust is external trusts internal, that is to say, the
intranet accounts could access the WSS site, and your collaboration will
work very smoothly.

Then the internal user could use the dsa.msc utility to connect to the
external domain to perform the management if he obtains the necessary
permissions. So my answers to your two questions in the first post are all
yes. :-)

Best Regards,
Wei-Dong XU
Microsoft Support
---------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
---------------------------------------------------------------------------
It is my pleasure to be of any assistance.
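
The trust direction settled in this thread (the external AD trusts the internal AD, and not the reverse), as an added example that is not part of the original posts: a PowerShell check, run against the perimeter domain, that confirms the trust is one-way in that direction. It assumes the ActiveDirectory RSAT module (which postdates this 2005 thread) and the hypothetical domain names `ext.example` (perimeter) and `corp.example` (internal).

```powershell
# Added example: audit the perimeter domain's trust toward the internal domain.
# Assumed names (not from the thread):
#   ext.example  = perimeter (external) AD domain hosting the WSS users
#   corp.example = internal AD domain
Import-Module ActiveDirectory

$PerimeterDomain = 'ext.example'    # hypothetical
$InternalDomain  = 'corp.example'   # hypothetical

# Read the trust object as the perimeter domain sees it.
$trust = Get-ADTrust -Filter "Target -eq '$InternalDomain'" -Server $PerimeterDomain

if (-not $trust) {
    Write-Warning "No trust to $InternalDomain is defined in $PerimeterDomain."
    return
}

$findings = @()

# Outbound, seen from the perimeter domain, means "perimeter trusts internal":
# internal accounts can be granted access to the external WSS site.
# Inbound or BiDirectional would also let perimeter accounts authenticate
# against internal resources, which the design in this thread rules out.
if ($trust.Direction -ne 'Outbound') {
    $findings += "Direction is $($trust.Direction); expected Outbound."
}

# A forest-transitive trust extends the trust beyond the single internal
# domain that the thread describes.
if ($trust.ForestTransitive) {
    $findings += 'Trust is forest-transitive; expected a single-domain external trust.'
}

# Report the settings for review alongside any findings.
[pscustomobject]@{
    TrustingDomain          = $PerimeterDomain
    TrustedDomain           = $trust.Target
    Direction               = $trust.Direction
    ForestTransitive        = $trust.ForestTransitive
    SelectiveAuthentication = $trust.SelectiveAuthentication
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    Findings                = if ($findings) { $findings -join ' ' } else { 'None' }
}
```

Run from the internal side against `corp.example`, the same trust should report `Inbound`.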
