We are implementing SharePoint in an environment with multiple separate domain forests that will be used to authenticate users using claims-based authentication. The various domains have a one-way trust to a single domain that will act as the "root" for all authentication requests. We have tested the trust and it does work, and our claims authentication configuration appears to be working as well, however when logging in to SharePoint using forms authentication we can only authenticate users that exist explicitly in that root domain. Any trusted domain users do not authenticate, nor do they enumerate when using the GetAllUsers() method of the Active Directory Membership Provider.
We've boiled the configuration down as much as possible to this:
Connection string:
    <add name="ADConnString" connectionString="LDAP://therootdomain.org" />
Membership Provider:
    <add name="ADProvider"
         enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnString"
         attributeMapUsername="UserPrincipalName"
         connectionUsername="svcact"
         connectionPassword="svcpwd" />
As it is configured now, we are able to authenticate forms based users using the username@domain.tld convention, but only if they exist in the root domain in the trust "tree". Any users from other domains fail authentication. I think it's worth mentioning that if we switch to NTLM all users from across all trusted domains are able to authenticate; so we definitely know that the trust is functioning.
I have of course scoured the internet and I keep finding conflicting information. In some places I read that the one-way trust should "just work" and that no special configuration is required, and my scenario should not have any problems. In other places I get the impression that the ActiveDirectoryMembershipProvider is not capable of traversing domain trusts and the only way to do it is to write a custom provider that walks through multiple individual providers - but I have a hard time accepting this as our scenario does not seem that outlandish; it must be supported... right?
So my basic question is can the Active Directory Membership Provider traverse domain trusts in order to authenticate users, and if so what else needs to be configured to make that happen?
Thanks in advance!
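Added diagnostic, not part of the original question: the ActiveDirectoryMembershipProvider resolves a UPN by issuing an LDAP search under the configured connection string with the configured bind account, so the quickest way to separate "the trust is broken" from "the provider only searches one naming context" is to run that same search by hand, once against LDAP://therootdomain.org and once directly against a trusted domain. The trusted domain name (trusted.example), the sample UPN and the bind credentials are placeholders; substitute your own.

```powershell
# Added example (not the poster's code). Performs the same kind of UPN lookup the
# ActiveDirectoryMembershipProvider performs, using System.DirectoryServices, so
# the result can be compared across naming contexts. All names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Find-UserByUpn {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,      # e.g. LDAP://therootdomain.org
        [Parameter(Mandatory)] [string] $Upn,           # e.g. jdoe@trusted.example
        [Parameter(Mandatory)] [string] $BindUser,      # the provider's connectionUsername
        [Parameter(Mandatory)] [string] $BindPassword   # the provider's connectionPassword
    )

    # Escape the characters that are special in an LDAP filter (RFC 4515) so the
    # UPN cannot change the shape of the query. Backslash must be escaped first.
    $escaped = $Upn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $BindUser, $BindPassword)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    try {
        $hit = $searcher.FindOne()
        if ($null -eq $hit) { return "$LdapPath : not found in this naming context" }
        return "$LdapPath : " + $hit.Properties['distinguishedname'][0]
    } catch {
        # A bind or search error here means the provider, which uses the same
        # path and credentials, fails the same way before it ever sees the user.
        return "$LdapPath : ERROR $($_.Exception.Message)"
    } finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

$bindUser     = 'svcact'                 # placeholder, as in the post
$bindPassword = 'svcpwd'                 # placeholder, as in the post
$upn          = 'jdoe@trusted.example'   # placeholder: an account that lives in a trusted domain

# 1. The path from the posted connection string: only therootdomain.org's own
#    naming context is searched, so an account homed elsewhere is not returned.
Find-UserByUpn -LdapPath 'LDAP://therootdomain.org' -Upn $upn -BindUser $bindUser -BindPassword $bindPassword

# 2. The trusted domain queried directly with the same bind account: shows
#    whether the one-way trust lets svcact read that domain at all.
Find-UserByUpn -LdapPath 'LDAP://trusted.example' -Upn $upn -BindUser $bindUser -BindPassword $bindPassword
```

If the first call reports "not found" and the second returns a distinguishedName, the bind account and the trust are fine and the limitation is the single naming context named in the connection string; if the second call errors, the problem is reachability or permissions for the bind account in the trusted domain, which no provider setting will fix.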