I just completed development of a SharePoint site on a virtual server and am currently in the process of granting users from a different domain access to the site. I am the developer, and not much of a network admin. The virtual server is not a domain controller, and does not have Active Directory installed. The SharePoint domain is SHAREPOINT, and the domain with the users I want to give access to is COMPANY. They are connected via LAN. I have provided them with a link to the site and added them as users via SharePoint and SQL Server, which is all I thought I would need to do. However, when they go to the link, the site shows them a SharePoint error page telling them access is denied. The problem comes down to a custom web part for SharePoint. If I remove that web part from the index page, they are able to access it just fine.
In the security event log, I am showing the following:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/18/2010
Time: 11:11:49 AM
User: COMPANY\ThisUser
Computer: SHAREPOINT
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_ALIAS
Object Name: DOMAINS\Account\Aliases\00000404
Handle ID: -
Operation ID: {0,1719489}
Process ID: 416
Image File Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: SHAREPOINT$
Primary Domain: COMPANY
Primary Logon ID: (0x0,0x3E7)
Client User Name: ThisUser
Client Domain: PRINTRON
Client Logon ID: (0x0,0x1A3BC2)
Accesses: AddMember
RemoveMember
ListMembers
ReadInformation
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF
Then, four of these in a row:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/18/2010
Time: 11:12:08 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SHAREPOINT
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0,1727132}
Process ID: 404
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: SHAREPOINT$
Primary Domain: COMPANY
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: Query status of service
Start the service
Query information from service
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94
Any ideas what permissions I need to grant to the user to get them access to SharePoint?
I do have one user from the other domain that is able to view the page fine. For this user, I gave him rights to Is there any way I can compare that user to other users and see what permissions might need to be added?
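One way to approach the "compare that user to other users" question from the audit log itself, as an added example that is not part of the original post: it parses pasted Event Viewer text and groups Event ID 560 failure audits by account and object, so the denied accesses of a failing account can be set beside those of a working one. The function names are hypothetical and the sample records are constructed, abridged from the events quoted above.

```python
from collections import defaultdict

# Constructed sample, abridged from the two Event ID 560 records in the question;
# the second record is repeated to mimic "four of these in a row".
SAM = r"""Event Type: Failure Audit
Event ID: 560
User: COMPANY\ThisUser
Object Type: SAM_ALIAS
Object Name: DOMAINS\Account\Aliases\00000404
Accesses: AddMember
RemoveMember
ListMembers
ReadInformation"""
SVC = r"""Event Type: Failure Audit
Event ID: 560
User: NT AUTHORITY\NETWORK SERVICE
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Accesses: Query status of service
Start the service
Query information from service"""
SAMPLE_LOG = "\n".join([SAM] + [SVC] * 4)

def parse_events(text):
    """Split pasted Event Viewer text into one dict of field -> values per event."""
    events, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        name, sep, value = line.partition(":")
        if line.startswith("Event Type:"):
            events.append({})              # a new record starts here
        if not line or not events:
            continue                       # blank line, or text before the first record
        if sep:                            # "Field: value" line
            key = name.strip()
            events[-1][key] = [value.strip()] if value.strip() else []
        elif key:                          # bare line continues a multi-value field
            events[-1][key].append(line)
    return events

def denied_access_summary(events):
    """Map (user, object type, object name) -> [count, set of denied accesses]."""
    summary = defaultdict(lambda: [0, set()])
    for ev in events:
        if ev.get("Event Type") == ["Failure Audit"] and ev.get("Event ID") == ["560"]:
            who = (ev["User"][0], ev["Object Type"][0], ev["Object Name"][0])
            summary[who][0] += 1
            summary[who][1].update(ev.get("Accesses", []))
    return dict(summary)
```

Running `denied_access_summary(parse_events(...))` on the log exported while each account loads the page shows which object opens fail only for the account that gets "access is denied".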
You'll need to set up a trust relationship between the domains (I'm assuming they're not in the same tree/forest).
In order for SharePoint to grant permissions on users from a different domain, it needs to trust that domain's authentication.
If they're not in the same forest, then set up an external trust between them (SHAREPOINT trusts COMPANY) in Active Directory Domains and Trusts.
I also think that domain trusts are a good idea for your task. I have had successful experience with it: in my case, each domain had its own intranet portal based on MOSS 2007. It was necessary to provide access to both portals for users from both domains. We created a two-way trust relationship between the forests and granted all necessary permissions. My env is standard: AD, 2003, MOSS 2007.
In my opinion, there are two other methods. Probably they will be better for you:
You can mix those two methods. Let's say that you can grant anonymous read access for all and create a few accounts in your domain for users who need contributor rights on the intranet portal.
You have a couple of other options in addition to the ones mentioned above.
Here is an excellent blog post discussing the first option:
http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx
Okay, finally I found an article and it helped me right away...
http://www.howtogeek.com/howto/vmware/allow-access-to-a-vmware-virtual-machinenat-from-another-computer/
Bingo... I can now do portal.spplay.com from my host PC.