Single sign-on problem across domains

 
 
Lars
      08-08-2007, 03:20 PM
Hi all,

We had to migrate from our old domain to a new one because the old system
admin made a mess out of the old one. However, we still have some services in
the old domain (mainly SharePoint and Live Communications Server). As most of
our users are sales people, explaining the intricacies of logging on to one
domain and then authenticating to other services is a pain...

Is there a way to get single sign-on to work? There is already a trust
between the domains, but the services we run from the old domain still ask
for credentials. Any tips and ideas?

Cheers!
 
Phillip Windell
      08-08-2007, 03:40 PM
On the old Domain you have to give permissions to the Accounts/Groups
residing in the New Domain. When done correctly the old Accounts/Groups on
the old domain can be removed and will no longer be used. You can
temporarily "disable" the Accounts in the old Domain and rename the Groups
to something else to keep them from accidentally being used.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

Phillip Windell
      08-08-2007, 03:51 PM
"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> temporarily "disable" the Accounts in the old Domain and rename the Groups


Skip renaming the Groups, that won't accomplish anything,...I don't know
what I was thinking,...just disable the Accounts.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Lars
      08-08-2007, 04:30 PM
Thanks!

How do I map between them, telling them that newdomain\user1 is
olddomain\user1 etc?

Lars

Phillip Windell
      08-08-2007, 09:40 PM
"Lars" <(E-Mail Removed)> wrote in message
newsAFDF37C-1A76-4D50-86FD-(E-Mail Removed)...
> Thanks!
>
> How do I map between them, telling them that newdomain\user1 is
> olddomain\user1 etc?


You don't map anything. You just add the Accounts/Groups from the new
Domain directly to the Permissions of the particular resource. The users
should already be logging in with the credentials from the new Domain.

You are already using the new domain?,...the workstations are (should be)
joined to the new domain? The users are already logging into the new domain
on their machines? If this is not so, then use the File and Settings
Transfer Wizard in XP to save the user profiles,...get those other things
done,...then use the same tool to import the profiles back in.

It may be simpler to run the File and Settings Transfer Wizard directly off
of the XP CD and I believe it will work on more than one version of Windows.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
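
The step described in the reply above (adding new-domain accounts and groups directly to a resource's permissions), as an added example that is not part of the original thread: a PowerShell script that mirrors each explicit NTFS entry held by an old-domain principal onto the same-named principal in the new domain. The share path, the OLDDOMAIN and NEWDOMAIN names, and the assumption that account names match across the two domains are placeholders.

```powershell
# Added example (not from the thread). OLDDOMAIN, NEWDOMAIN and the path
# are placeholders; it assumes account names are identical in both domains.
param(
    [string]$Path      = 'D:\Shares\Sales',
    [string]$OldDomain = 'OLDDOMAIN',
    [string]$NewDomain = 'NEWDOMAIN',
    [switch]$Apply      # without -Apply the script only reports
)

$acl     = Get-Acl -Path $Path
$changed = $false

foreach ($ace in $acl.Access) {
    # Inherited entries are corrected on the parent folder, not here.
    if ($ace.IsInherited) { continue }

    $name = $ace.IdentityReference.Value
    if ($name -notlike "$OldDomain\*") { continue }

    # Strip the "OLDDOMAIN\" prefix to get the bare account or group name.
    $account = $name.Substring($OldDomain.Length + 1)
    $newId   = New-Object System.Security.Principal.NTAccount($NewDomain, $account)

    # Resolve across the trust first, so a missing new-domain account is
    # reported instead of producing a broken entry.
    try {
        [void]$newId.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No match for $name in $NewDomain; entry left unchanged"
        continue
    }

    # Same rights, inheritance and allow/deny type as the old entry.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
        $ace.PropagationFlags, $ace.AccessControlType)
    $acl.AddAccessRule($rule)
    $changed = $true
    '{0}: {1} {2} -> {3}' -f $Path, $ace.AccessControlType, $name, $newId.Value
}

if ($changed -and $Apply) { Set-Acl -Path $Path -AclObject $acl }
```

Run it without `-Apply` first to review the report. Old-domain entries are left in place, so they can be removed once access from the new domain has been tested.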
Lars
      08-09-2007, 03:26 AM
Oh, must've been tired yesterday. This works for our file server, and it will
probably work for sharepoint as well. However, my biggest pain at the moment
is Live Communications Server and Office Communicator...

Cheers,

Lars

Phillip Windell
      08-09-2007, 02:18 PM
"Lars" <(E-Mail Removed)> wrote in message
news:33C18FA5-A15D-49B8-A88C-(E-Mail Removed)...
> Oh, must've been tired yesterday. This works for our file server, and it
> will
> probably work for sharepoint as well. However, my biggest pain at the
> moment
> is Live Communications Server and Office Communicator...


Shouldn't make any difference.
Anything that has a way to specify permissions has to have a way to specify
"where" the accounts are. The "where" would be the new domain.

Now I don't know anything specifically about Live Communications Server and
Office Communicator,...I have never used those. Maybe there are profiles
that have to be moved or recreated. You'll have to ask someone who knows
those products well.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 