3 Domains with NTLMSSP Configuration

Unanswered Question
Jul 18th, 2008


I successfully configured NTLMSSP using a single domain (abc.com).

Now, i want to add another 2 domains , both domains are trusted in the same forest...so theres no problem with the query via directory.

Is this possible?
I can just add another NTLM REALM for those domain..

hope someone can enlighten me.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jowolfer Fri, 07/18/2008 - 15:57


You can only configure a single NTLM realm in the WSA, but as long as there are trusts in your AD forest, users in other domains should still be able to authenticate correctly.


WSA is configured to join the domain "COMPANY". The COMPANY domain has two way trusts configure with the domain "SECONDARY".

When a user in the SECONDARY domain authenticates to the WSA, it will sends the appropriate credentials (SECONDARY\user1). The WSA will pass these credentials to the AD server we have joined (in the COMPANY domain).

Since the COMPANY AD server trusts the SECONDARY domain, it will contact the other domain controllers and authenticate the client.

You can authenticate to any number of domains as long as the AD server / domain we're joining has the trust setup and is able to authenticate other domain's users.

jowolfer Fri, 07/25/2008 - 16:00

Great! Everynow and then I'm right about something :wink:

angfeglandagan Sat, 08/02/2008 - 11:57

The problem now would be a single sign on using the 3 domains...unfortunately..i can only create 1 ntlmssp....

How do you guys manage to configure SSO with 3 domains..




jowolfer Mon, 08/04/2008 - 16:42

My understanding is that SSO will work with any of the domains that have 2 way trust setup. You will still have to setup the environment for SSO, such as setting the "Redirect Hostname" to a single word hostname.

You may have to add a trust variable in the Firefox browser.

cwling2008 Tue, 08/19/2008 - 15:57


Just curious about LDAP authentcation issue in WSA. If the two domain did not trust each other. The authentication will it works or not?

How to resolve this issue?

jowolfer Wed, 08/20/2008 - 16:00

I don't believe the trusts will have any effect on LDAP.

It's possible that one AD server may use an LDAP referral to query the appropriate AD server (for the other domain you are attempting to auth with), but I'm not sure that is how it works.

Any one else have concrete information? I'm curious as to why you would want to use LDAP with a multi domain environment. NTLM is better in every way (password from the client is secure, Kerberos between the WSA and DC, Single Sign On, Ease with authenticating to multiple domains, so forth.)


This Discussion