Sunday, November 7, 2010

SharePoint setup on a cross-domain one way trust environment

It's been quite a while since I have written something technical. Either I was too busy or did not find anything challenging enough. Well, here is one that was fairly challenging, considering I am not a SharePoint administrator.

Requirement: The client had two domains, A and B. There is a one-way trust between A and B such that B understands everything in A. The SharePoint instance is on B, i.e. users of A can log on to B but not vice versa.

The following solutions were possible:
1) Set up claims authentication using ADFS. Probably the best approach, but not sure how the credentials in B would get validated since the trust is from A to B.
2) Import users of A into B and keep them in sync using Microsoft Forefront Identity Manager (FIM). This would have cost implications as FIM is not free.
3) Use AppFabric Access Control. This is relatively new and we had not played around with it yet.
4) Have NTLM authorization right through by using the Forefront Identity Manager service available out of the box. This is not the best approach because of possible double-hop issues later on, but we decided to go ahead with it as authorization at the DB level was not currently a requirement and service accounts could be used to authenticate to the DB.

Having decided on Approach 4, we decided to try it out on a VM setup. We created two domains, A and B, created the one-way trust and ensured that once a user from A was added to B, he was able to log on, and that users of B should be able to log on to A.

Once this was done, we had to install the Forefront Identity Manager service and then run the Profile Synchronization service in SharePoint. This imported the users from A into B. We then added a user from A to one of the sites in B. So things looked hunky-dory up to this point. But when we tried to log on to the site with the credentials of the user from A, a blank page was displayed and the event logged had a security exception: bad username/password. After a bit of thought, it was clear that the credentials were not getting validated. Reason: the service account was not able to validate the username/password against domain A! We resolved the issue by using the credentials of a user from A as the service account of the Profile Synchronization service in SharePoint. Possibly not the best approach, but since we have SharePoint on domain B, I guess there is no other way out!
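A way to check the two things that went wrong above before touching SharePoint itself, as an added example that is not part of the original post: run on a server in domain B, it shows the trust direction the server sees, tests whether the account running the shell (run it under the candidate service account) can bind to domain A at all, and validates a domain-A user's password against domain A directly, which reproduces the "bad username/password" symptom outside the web application. The domain name "a.example.local" and the user "A\someuser" are placeholders; it relies only on nltest and the .NET System.DirectoryServices classes that ship with Windows.

```powershell
# Added example, not code from the original post. Placeholders: "a.example.local"
# stands for domain A's DNS name, "A\someuser" for a user account in domain A.

Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# 1. Trust directions as this (domain B) server sees them. Domain A listed with
#    "Direct Outbound" means B trusts A, which is what lets users of A log on to B.
function Show-DomainTrusts {
    nltest /domain_trusts
}

# 2. Can the CALLING account bind to domain A? Run this in a shell started as the
#    intended sync service account. A domain-B account failing here is the situation
#    described in the post; a domain-A account is expected to succeed.
function Test-TrustedDomainBind {
    param([Parameter(Mandatory)][string]$DomainDns)

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns")
    try {
        $entry.RefreshCache()          # forces the actual LDAP bind with the caller's token
        [pscustomobject]@{
            Domain  = $DomainDns
            Account = "$env:USERDOMAIN\$env:USERNAME"
            Bind    = 'OK'
            Error   = $null
        }
    } catch {
        [pscustomobject]@{
            Domain  = $DomainDns
            Account = "$env:USERDOMAIN\$env:USERNAME"
            Bind    = 'FAILED'
            Error   = $_.Exception.Message
        }
    } finally {
        $entry.Dispose()
    }
}

# 3. Does a given user's password validate against domain A? Returns $true/$false.
#    The PrincipalContext connects to domain A with the caller's credentials, so this
#    fails with a connection error (not $false) when the caller cannot reach domain A.
function Test-TrustedDomainCredential {
    param(
        [Parameter(Mandatory)][string]$DomainDns,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )

    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainDns
    try {
        $net = $Credential.GetNetworkCredential()   # UserName here is the bare account name
        $ctx.ValidateCredentials($net.UserName, $net.Password)
    } finally {
        $ctx.Dispose()
    }
}

# Usage on a SharePoint server in domain B:
#   Show-DomainTrusts
#   Test-TrustedDomainBind -DomainDns 'a.example.local'
#   Test-TrustedDomainCredential -DomainDns 'a.example.local' -Credential (Get-Credential 'A\someuser')
```

If step 2 fails for the domain-B service account but succeeds for a domain-A account, the sync service account is the problem, not the site permissions; if step 3 returns $false while step 2 succeeds, the password or account state in domain A is the problem.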

Comments/suggestions welcome and appreciated.