2 Domains – 1 ADFS – 1 SharePoint – 1 Authentication way

Tags: active-directory, adfs, sharepoint

I'm wondering if this is possible:

I have 1 AD Domain: InternalDomain. I want to create a secondary domain: CustomersDomain. I would like my SharePoint to be able to authenticate users from both InternalDomain and CustomersDomain.

  • Employees from the inside would connect directly to the SharePoint
    with InternalDomain. (DNS matter I guess)
  • Customers or Employees from outside would connect through a WAP and
    an ADFS server with Both [Internal|Customers]Domain (Public IP and DNS)

But, is this a good scenario in order to :

  • Manage Customers AD Account
  • Manage Customers authentication into SharePoint
  • Manage Employees authentication from outside

So my Customer AD will only store credentials to log in to SharePoint for customers, no more rights. And my Internal AD users (or some of them) will be able to create new Customer accounts. But also, some customers will be able to create a new account, or at least ask for one.

Ask if I'm not understandable enough. The idea is simple: best way to handle employee AD account (no changes on the AD server), handle customer accounts, handle authentication all with SharePoint.

Best Answer

It is possible, one way to do this is:

1) Create a one-way trust from your CustomersDomain to your InternalDomain.

2) Install your SharePoint farm in the CustomersDomain. Because there is a trust between the domains, internal users will be able to connect to it as well.

3) Configure your DNS, firewalls, reverse proxies & co to route traffic to your farm, depending on where they come from.

Note that you don't need ADFS in this setup.

If you don't have trusts between your domains, then you will need 2 ADFS farms (one per domain), a trust between them, and probably some customization to route users to the correct server based on their location. It's more complicated.

There is a diagram from Microsoft called "Extranet Topologies for SharePoint 2010 Products"; you may look at it to find more ideas (available here on TechNet, it's the 3rd one).
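An added PowerShell example (not part of the question or the answer above) for steps 1 and 2 of the accepted answer: it verifies from the CustomersDomain side that the trust really is outgoing toward InternalDomain, and then covers a caveat that a one-way trust brings with it. Because InternalDomain does not trust CustomersDomain, the farm's service accounts (which live in CustomersDomain) cannot query InternalDomain's domain controllers, so the SharePoint 2010 People Picker cannot resolve employee accounts until it is given an InternalDomain credential of its own. The domain names `customers.local` and `internal.local`, the web application URL, the service account name and the app-password key are placeholders I assume for the example; the `Get-ADTrust`, `stsadm -o setapppassword` and `SPPeoplePickerSearchActiveDirectoryDomain` calls are the real Windows Server and SharePoint 2010 interfaces.

```powershell
# Added example, not from the original post. Run on a SharePoint 2010 server
# joined to CustomersDomain, in an elevated SharePoint Management Shell.
# All names below are assumed placeholders for this example.

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$customersDomain = 'customers.local'                   # domain hosting the farm (trusting side)
$internalDomain  = 'internal.local'                    # employees' domain (trusted side)
$webAppUrl       = 'https://portal.customers.local'    # assumed web application URL
$ppAccount       = 'INTERNAL\svc-peoplepicker'         # read-only account in InternalDomain

# --- Step 1 check: the trust must exist and point the right way ---------------
# Seen from CustomersDomain, "CustomersDomain trusts InternalDomain" shows up as
# an Outbound trust object named after InternalDomain. Inbound-only would mean
# the trust was created in the wrong direction and employees could not log on.
$trust = Get-ADTrust -Filter "Name -eq '$internalDomain'"
if (-not $trust) {
    throw "No trust object for $internalDomain found in $customersDomain."
}
'Trust {0}: Direction={1} TrustType={2}' -f $trust.Name, $trust.Direction, $trust.TrustType
if ($trust.Direction -eq 'Inbound') {
    throw "Trust is inbound only; $customersDomain must trust $internalDomain (Outbound or BiDirectional)."
}

# --- Step 2 caveat: People Picker across a one-way trust -----------------------
# The credential is stored encrypted in the config database; the key used for
# that encryption must first be set with the same value on EVERY farm server.
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'
$appKey = Read-Host -Prompt 'App password key (use the identical value on each server)'
& $stsadm -o setapppassword -password $appKey

# Prompt for the service account password instead of embedding it in the script.
$ppPassword = Read-Host -Prompt "Password for $ppAccount" -AsSecureString

$wa = Get-SPWebApplication $webAppUrl
$domain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$domain.DomainName = $internalDomain
$domain.IsForest   = $false          # search one domain, not the whole forest
$domain.LoginName  = $ppAccount
$domain.SetPassword($ppPassword)

# Keep the farm's own domain searchable as well; it needs no credential because
# the application pool account already belongs to it.
$local = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$local.DomainName = $customersDomain
$local.IsForest   = $false

$pp = $wa.PeoplePickerSettings
$pp.SearchActiveDirectoryDomains.Clear()
$pp.SearchActiveDirectoryDomains.Add($domain)
$pp.SearchActiveDirectoryDomains.Add($local)
$wa.Update()

# Show what the web application will search from now on.
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName
```

The account given to the People Picker only needs to read directory objects in InternalDomain; give it nothing beyond the default domain-user read rights, and treat the `setapppassword` key like any other secret, since whoever knows it can decrypt the stored credential on a farm server.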