3 Domains with NTLMSSP Configuration

Unanswered Question
Jul 18th, 2008
User Badges:


I successfully configured NTLMSSP using a single domain (abc.com).

Now, i want to add another 2 domains , both domains are trusted in the same forest...so theres no problem with the query via directory.

Is this possible?
I can just add another NTLM REALM for those domain..

hope someone can enlighten me.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jowolfer Fri, 07/18/2008 - 15:57
User Badges:


You can only configure a single NTLM realm in the WSA, but as long as there are trusts in your AD forest, users in other domains should still be able to authenticate correctly.


WSA is configured to join the domain "COMPANY". The COMPANY domain has two way trusts configure with the domain "SECONDARY".

When a user in the SECONDARY domain authenticates to the WSA, it will sends the appropriate credentials (SECONDARY\user1). The WSA will pass these credentials to the AD server we have joined (in the COMPANY domain).

Since the COMPANY AD server trusts the SECONDARY domain, it will contact the other domain controllers and authenticate the client.

You can authenticate to any number of domains as long as the AD server / domain we're joining has the trust setup and is able to authenticate other domain's users.

jowolfer Fri, 07/25/2008 - 16:00
User Badges:

Great! Everynow and then I'm right about something :wink:

angfeglandagan Sat, 08/02/2008 - 11:57
User Badges:

The problem now would be a single sign on using the 3 domains...unfortunately..i can only create 1 ntlmssp....

How do you guys manage to configure SSO with 3 domains..




jowolfer Mon, 08/04/2008 - 16:42
User Badges:

My understanding is that SSO will work with any of the domains that have 2 way trust setup. You will still have to setup the environment for SSO, such as setting the "Redirect Hostname" to a single word hostname.

You may have to add a trust variable in the Firefox browser.

cwling2008 Tue, 08/19/2008 - 15:57
User Badges:


Just curious about LDAP authentcation issue in WSA. If the two domain did not trust each other. The authentication will it works or not?

How to resolve this issue?

jowolfer Wed, 08/20/2008 - 16:00
User Badges:

I don't believe the trusts will have any effect on LDAP.

It's possible that one AD server may use an LDAP referral to query the appropriate AD server (for the other domain you are attempting to auth with), but I'm not sure that is how it works.

Any one else have concrete information? I'm curious as to why you would want to use LDAP with a multi domain environment. NTLM is better in every way (password from the client is secure, Kerberos between the WSA and DC, Single Sign On, Ease with authenticating to multiple domains, so forth.)


This Discussion