cross-domain windows authentication

  • As a DBA for a hosting company, we manage hundreds of SQL Servers across several different domains using Windows authentication. With Windows XP, we have simply added appropriate entries into our Windows password manager such as: (assuming my laptop is on the DOMAIN1 domain)

    Server: DOMAIN2\*

    User Name: DOMAIN2\<username>

    Password: <password>

    It works beautifully. Whenever I attempt to connect to a resource on DOMAIN2 using Windows auth, it passes the appropriate credentials for the target domain. When the passwords expire every 3 months, I update all entries in one fell swoop and I'm good to go.

    However - with the advent of Windows 7, the corresponding password management functionality doesn't appear to work with SSMS any more. We are able to add the fully-qualified domain suffix such as: *.DOMAIN2.company.com, and it will allow us to connect to UNC paths on that domain, but not via SSMS.

    A clumsy workaround is to use the 'runas' functionality via the command line to open SSMS under alternate credentials. This obviously only works for one domain at a time.

    This is a pretty huge hurdle for us in moving to Windows 7 right now, so any suggestions would be greatly appreciated.
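    The two approaches described in this post, scripted as an added example (not code from the original poster): one Credential Manager entry per target domain via cmdkey, a bulk re-entry for the quarterly password change, and a runas /netonly launcher for SSMS. The domain names, the account name and the SSMS path are placeholders I have assumed; substitute your own.

```powershell
# Added example, not from the original post. Assumes a laptop joined to DOMAIN1
# that must reach SQL Servers in other domains with Windows authentication.
# $targetDomains, $userName and $ssmsPath are assumed placeholder values.

$targetDomains = @('DOMAIN2', 'DOMAIN3')   # assumed: domains whose SQL Servers we manage
$userName      = 'dbauser'                 # assumed: same account name in each domain
$ssmsPath      = 'C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe'  # assumed SSMS 2008 path

function Set-CrossDomainCredential {
    # Stores (or replaces) one Credential Manager entry per target domain.
    # The wildcard target "DOMAIN\*" is the entry form quoted in the post; the
    # FQDN-suffix form the post mentions for Windows 7 would be "*.DOMAIN.company.com".
    # cmdkey's bare /pass prompts for the password instead of taking it on the
    # command line, so it never shows up in process-creation auditing or Get-Process.
    param(
        [Parameter(Mandatory)] [string[]] $Domains,
        [Parameter(Mandatory)] [string]   $User
    )
    foreach ($domain in $Domains) {
        $target = "$domain\*"
        # Delete first so a quarterly password change is a single re-run of this function.
        & cmdkey.exe /delete:$target 2>$null | Out-Null
        & cmdkey.exe /add:$target /user:"$domain\$User" /pass
    }
}

function Get-CrossDomainCredential {
    # Lists what is currently in the vault so you can verify the entries.
    # Caveat: anything running as this Windows user can read these
    # credentials back through the credential APIs, so the vault is only as
    # safe as the interactive session that owns it.
    & cmdkey.exe /list
}

function Start-SsmsAs {
    # The "clumsy workaround" from the post: runas /netonly uses the supplied
    # credentials for network connections only, while the local token stays
    # DOMAIN1. Because the credentials are never validated locally, the laptop
    # needs no trust with the target domain, but each launch serves one domain.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $User,
        [string] $Path = $ssmsPath
    )
    if (-not (Test-Path $Path)) {
        throw "SSMS not found at $Path (the path in this example is an assumption)"
    }
    # runas prompts for the password on the console; it is not passed as an argument.
    & runas.exe /netonly /user:"$Domain\$User" "`"$Path`""
}

# Usage:
#   Set-CrossDomainCredential -Domains $targetDomains -User $userName   # prompts once per domain
#   Get-CrossDomainCredential
#   Start-SsmsAs -Domain 'DOMAIN2' -User $userName
```

    Re-running Set-CrossDomainCredential after the quarterly expiry replaces every entry in one pass, which is the "one fell swoop" update from the post done from the shell rather than the Credential Manager UI.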

  • Is there a reason you don't set up all these domains to have an external trust relationship where those domains trust the domain where your user accounts reside? That would tend to be a smarter, simpler, and more secure architecture.

    K. Brian Kelley
    @kbriankelley

  • That would be an option, although we manage many of our customers' access to our dbs via windows auth as well, and security restrictions prevent us from configuring domain trusts between us and them.

  • Allen Krehbiel (4/21/2011)

    That would be an option, although we manage many of our customers' access to our dbs via windows auth as well, and security restrictions prevent us from configuring domain trusts between us and them.

    I'm not sure what your security restrictions are, but they probably need to be looked at. Because as of right now you're probably running with greater risk than if you went with a model where those domains you're supporting trusted your central domain. 1 account to secure is easier than 15 accounts to secure.

    K. Brian Kelley
    @kbriankelley
