question

0 Votes
Bastien1920-4414 asked jcoyne-msft-csa edited

How to connect two on-premise domain controllers (not in the same network) to a single AzureAD

Good afternoon, everyone,

Someone could tell me if it is possible to connect two domain controllers to a single Azure AD.

Let me explain:

I work in an IT company and we offer remote offices to our clients. Authentication in our remote offices is done via our domain controller. One of our clients, already having a domain controller in their network, asked us if it was possible to use their AD account to authenticate on our remote offices. So an SSO installation with two remote domain controllers on-premise.

Thank you in advance for your clarification.

azure-active-directory · azure-ad-connect · adfs
0 Votes
soumi-MSFT answered roberth commented

@Bastien1920-4414, the requirement is still not clear. Based on the explanation given, it looks like you are trying to create a relationship between your local and remote sites, which can pretty much be done using your on-prem Domain Controllers. SSO would be delivered using Kerberos within your org network. I am not sure where Azure AD is coming into the picture here.

Do clarify your requirement with AAD, so that we can help better.


Thank you for your response.

For now, let's forget about AzureAD, I thought it might be a good solution.

On my side, I have an Active Directory with a forest called domain-A. Another company has its own Active Directory with a forest called domain-B.

The users of the other company (domain-B) want to access the RemoteApp resources of domain-A (my company) with their login (username, password) from domain-B. Is this possible?

0 Votes

I'm fairly sure that you can set up a forest trust in this case, which I believe has to be a two-way trust. RDS is not my primary field of expertise 😅

0 Votes
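Added example (not from any poster in this thread): once a forest trust between domain-A and domain-B exists, the part the domain-A admin most wants to verify is its hardening posture, because a trust that lets domain-B users reach the RDS hosts also lets any compromised domain-B account try every other domain-A server unless selective authentication is on. This script, run on a domain-A DC with the ActiveDirectory module, reads the trust object and reports the relevant flags. `domain-B.example` is a placeholder for the client's forest DNS name.

```powershell
# Added example, not the thread's code: audit the forest trust from domain-A towards
# domain-B. Requires the RSAT ActiveDirectory module on a domain-A DC or admin host.
Import-Module ActiveDirectory

$partnerForest = 'domain-B.example'   # assumption: the client's forest DNS name

$trust = Get-ADTrust -Filter "Target -eq '$partnerForest'"
if (-not $trust) {
    throw "No trust object for $partnerForest. Create the forest trust first (AD Domains and Trusts, or netdom trust)."
}

# What the RemoteApp scenario needs: domain-A must trust domain-B so domain-B users
# can authenticate to domain-A resources. From domain-A's point of view that is an
# Inbound (or BiDirectional) trust, and it should be a forest trust, not an external one.
[pscustomobject]@{
    Target                  = $trust.Target
    Direction               = $trust.Direction                # Inbound / Outbound / BiDirectional
    ForestTransitive        = $trust.ForestTransitive         # True for a forest trust
    SelectiveAuthentication = $trust.SelectiveAuthentication  # True = partner users only reach servers they are granted "Allowed to Authenticate" on
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined  # quarantine flag (external-trust style SID filtering)
    SIDFilteringForestAware = $trust.SIDFilteringForestAware  # forest-trust SID history handling
    UsesAESKeys             = $trust.UsesAESKeys
    UsesRC4Encryption       = $trust.UsesRC4Encryption
} | Format-List

# Defensive checks. Selective authentication limits the blast radius of a compromised
# domain-B account to the servers (e.g. the RDS session hosts) explicitly opened to it.
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Selective authentication is off. Enable it with: netdom trust $env:USERDNSDOMAIN /domain:$partnerForest /SelectiveAUTH:Yes"
}
if ($trust.Direction -notin 'Inbound', 'BiDirectional') {
    Write-Warning "Trust direction '$($trust.Direction)' does not let $partnerForest users authenticate into $env:USERDNSDOMAIN."
}
if ($trust.UsesRC4Encryption -and -not $trust.UsesAESKeys) {
    Write-Warning "Trust uses RC4 only; enable AES on the trust ('The other domain supports Kerberos AES Encryption')."
}
```

Keep SID history disabled across the trust unless a migration needs it (`netdom trust ... /EnableSIDHistory:No` is the documented control for forest trusts); SID history across a trust is what lets a foreign account carry a domain-A SID into its token. After enabling selective authentication, grant the domain-B group the "Allowed to Authenticate" right only on the RDS session host and broker computer objects.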
0 Votes
EmiliaB-4835 answered

If I understand correctly, you're talking about federated identity management. Well, according to this article, it is possible: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed


0 Votes
sagus answered

I think that a better solution for your clients would be a separate forest in a DMZ or external zone, with an ADFS service and federation with your internal AD and the ADs of your clients. It will work for different clients, even when they don't have a local AD. It delivers better protection of your internal resources and better control over access.


0 Votes
rbrayb answered

You tagged the question with "ADFS" so I assume that's an option.

In this scenario, you would install ADFS for your domain, they would install ADFS for their domain, and then you would federate the two ADFS instances.

The domain-B users can then access domain-A applications using their domain-B credentials.

If this is a possible solution, let me know and I can elaborate.
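Added example (not rbrayb's code or Microsoft's): what "federate the two ADFS" looks like on the domain-A side. The client's farm is registered as a claims provider trust, and acceptance transform rules decide which of the partner's claims are allowed to cross the boundary at all, so a misconfigured or compromised partner IdP cannot inject arbitrary claims into domain-A applications. Run on a domain-A ADFS server with the ADFS module; the hostnames `fs.domain-b.example` and `fs.domain-a.example` are placeholders.

```powershell
# Added example, not the thread's code: federate domain-A's ADFS with domain-B's ADFS.
Import-Module ADFS

$partnerName     = 'domain-B'
$partnerMetadata = 'https://fs.domain-b.example/FederationMetadata/2007-06/FederationMetadata.xml'  # assumption

# 1. Domain-A side: domain-B's farm becomes a claims provider trust. Importing the
#    federation metadata over HTTPS brings in the partner's token-signing certificate;
#    auto-update keeps it current when the partner rolls that certificate.
Add-AdfsClaimsProviderTrust -Name $partnerName `
    -MetadataUrl $partnerMetadata `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# 2. Acceptance transform rules: an allow-list of claims accepted from domain-B.
#    Anything the partner issues that no rule passes through is dropped here, and the
#    UPN rule refuses UPNs outside the partner's own suffix, so domain-B cannot
#    present a user as someone@domain-a.example.
$acceptanceRules = @'
@RuleName = "Pass through domain-B UPNs only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^[^@]+@domain-b\.example$"]
 => issue(claim = c);

@RuleName = "Pass through group claims from domain-B"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName $partnerName -AcceptanceTransformRules $acceptanceRules

# 3. Domain-B side (the client runs this on their ADFS): domain-A's farm is a relying
#    party, and their issuance rules send the UPN (and the groups domain-A will use).
#    Add-AdfsRelyingPartyTrust -Name 'domain-A' `
#        -MetadataUrl 'https://fs.domain-a.example/FederationMetadata/2007-06/FederationMetadata.xml'

# 4. Verify what was imported before pointing any application at it.
Get-AdfsClaimsProviderTrust -Name $partnerName |
    Select-Object Name, Enabled, Identifier, SignatureAlgorithm, TokenSigningCertificates
```

On the application side, limit which claims providers the domain-A RemoteApp relying party will even offer at home-realm discovery (`Set-AdfsRelyingPartyTrust -TargetName '<RDWeb RP name>' -ClaimsProviderName @('Active Directory', 'domain-B')`), and write the application's own issuance authorization rules against the group claims passed above rather than trusting anything else the partner might send.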


0 Votes
jcoyne-msft-csa answered jcoyne-msft-csa edited

You would need to set up federated services and also set up SAML authentication on your domain to allow their federated domain's credentials. I don't recommend this method unless you want to go to great lengths to manage and secure your company's internal domain, for your own and your customers' sake.

I would also suggest a method that involves a stop gap in case a credential is compromised by a bad actor or someone with the knowledge to harm your internal domain or your customers' remote offices. This would involve setting up your domain with 2FA integrations to control desktop sign-ons. This would be possible with many 2FA products, but my experience has been successful with Duo.

I suggest also looking into moving your own environments into Azure if this is going to be a common practice between you and your customers, since this would make your own infrastructure management a breeze and also make you very flexible to integrate with any future customer. Hope this helps!

https://www.appliedis.com/federated-authentication-with-a-saml-identity-provider/
