SharePoint can use multiple domains for user authentication, however I recently came across an issue when setting up an extranet using this scenario.
The steps for setting up SharePoint 2007 to use multiple domains for user authentication are relatively simple:
- Add the second domain as a user profile source in the SSP
- Issue the following stsadm command to encrypt the password for the account that is used to access the second forest or domain on each web front end server in the farm:
stsadm –o setapppassword –password <password>
- Issue the following stsadm command to add multiple domains to the people picker search list:
stsadm –o set property –pn peoplepicker-searchadforests –pv domain:<original resource domain>;domain:<secondary domain>,<domain>\<username>,<password> –url <web application URL>
At this point I could successfully add users from the second domain to the security groups in a site collection or site, however when I attempted to log in as one of these users, I received a “500 – Internal server error”. Logging in as a user from the original resource domain worked fine however.
Modifying the web.config file for the web application to set CallStack to true and CustomErrors to Off didn’t give me any further information, at least in Internet Explorer 8, as I still saw the same “500 – Internal server error”, however viewing the web application in Firefox gave me a somewhat cryptic error:
This error translates as STATUS_AUTHENTICATION_FIREWALL_FAILED, however the firewall wasn’t an issue in this scenario.
The solution was to grant the machine accounts for each of the web servers in the SharePoint farm an extra right in AD. The steps were:
- On a domain controller, start “Active Directory Users and Computers”
- On the view menu, ensure that the ‘Advanced Features’ option is checked
- Locate the computer account for first of the web servers in the SharePoint farm
- For the computer account, right-click and select properties and then click the security tab
- Add the <external domain>\Domain Users group to the security list and grant the ‘Allowed to authenticate’ right. Click OK to close the dialog.
- Repeat these steps for the computer accounts of all the other web servers in the farm
This resolved the issue and allowed users from the second domain to log into SharePoint.
Note that to achieve multiple domain authentication for SharePoint 2010, the same stsadm commands are used, and I therefore believe that the same issue may occur, however the above solution should also work for SharePoint 2010.