How many servers do I need?
Last post 07-03-2008, 5:25 PM by joe. 21 replies.

05-15-2008, 5:28 PM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
How many servers do I need?
This is probably an easy question...
Do I need a FS-A for each account store?
My example: I have three domains. One is in the resource domain, so my FS-R (being in that domain) can just have that as its Account Store, right? The other two domains are trusted by this resource domain.
Domain A is external domain, where web servers live
Domain B is internal where AD has some users I want to give access to A's resources
Domain C is like B just some more users in AD that need access to A's resources
B and C might also have things like SharePoint, OWA, etc. (which need ADFS)
So... I was going to use the Forest Trust scenario... I know that you said that wasn't the best, but that is what they want for now. I thought that this meant the B and C domains were trusted through A so I would only need one FS-A/R server.
I have a feeling I will need two FS-A servers (in domains B and C) and one FS-A/R (in A), and one FS-R-P (in A, well, it won't be joined to A).
Am I on the right track?

05-16-2008, 3:20 PM | joe (Joined on 04-05-2006, Chicago, IL, Posts 1,456)
Re: How many servers do I need?
You need one FS per AD forest, although a multi-domain forest can all use one FS. It is possible to authenticate users in a trusted forest from a single FS, but that gets a little messy. I like to keep things separate if possible so I don't have to depend on being able to do claims processing across a forest trust. Since you can have different AD schemas in the two forests but can only define one claims extraction per store, you can end up with some weird issues with claims extractions.
It is possible to stack multiple ADAM account stores on a given FS, but I think that model is messy too, so I prefer to have just one account store/FS.
I hope that helps!

05-19-2008, 8:23 AM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
That does help.
Even though I have one network with multiple domains, they do want to be able to have them be separate in the future, so it makes sense to separate out the FS components.

06-11-2008, 2:53 PM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
Was reading this from bpuhl: http://imav8n.wordpress.com/2008/04/04/adfs-auth-with-trusts/
What happens when you have users with the same name? Can you still use only one FS? Would all users log in to the same FBA form on one FS-P?
I'm sure there are a lot of Smiths out there who would have the same first initial; I don't understand what it would look like for users with the same name using the same FS/FS-P to log in.

06-12-2008, 11:03 PM | joe (Joined on 04-05-2006, Chicago, IL, Posts 1,456)
Re: How many servers do I need?
Hopefully you have different UPN suffixes in the trusted domain, so you would at least have different user names if using the UPN claim. In my mind, it is the only really useful one.
Unqualified names aren't even guaranteed unique in a multi-domain forest, much less in some sort of external trust arrangement, so that is usually never a good idea to take a dependency on. This is why I think the CN identity claim is probably always a bad idea.

06-13-2008, 8:21 AM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
OK, so long as each domain has its own suffix and I'm using the UPN, it should be possible to use one FS?
And I can still use one FS if all three domains have resources?
Will they be logging in to the FSP that trusts all three domains (with unique suffixes), or will they have three FSPs (one for each) and one FS that services all three FSPs?
I'm trying to come up with the most cost effective solution.
Thanks for all the help joe, you and jim and brian have been great helps!

06-13-2008, 10:35 PM | joe (Joined on 04-05-2006, Chicago, IL, Posts 1,456)
Re: How many servers do I need?
You will have massive problems in AD if you don't have unique UPN suffixes. UPN has to be unique forest wide for any given user or it tends to prevent that user from being able to log in. I think it is probably ok to assume this will be fine.
The FSP matches up with the FS. You can load balance it like any web app, but it still talks to its FS. The AD account store aligns to an AD forest.
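As an added illustration of the point joe makes in his last two replies (an unqualified CN identity claim collides across domains, while a UPN claim stays unique only when every forest has its own UPN suffix), the Python below is example code written for this thread, not code from the thread, from ADFS or from any of its authors. The three account stores, their user entries and the UPN suffixes are constructed to mirror domains A, B and C from the original question; only the attribute names (cn, sAMAccountName, userPrincipalName) are real AD attribute names.

```python
"""Model of the identity-claim uniqueness question from the thread.

Constructed example: the domains, users and suffixes are assumptions standing
in for domains A, B and C; none of this is real directory data.
"""

from collections import defaultdict

# Constructed account-store contents. Each dict stands for one AD user object.
ACCOUNT_STORES = {
    "A": [  # external forest (resource side): web servers, external users
        {"cn": "J Smith", "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@external.example"},
        {"cn": "A Jones", "sAMAccountName": "ajones", "userPrincipalName": "ajones@external.example"},
    ],
    "B": [  # internal forest, trusted by A
        {"cn": "J Smith", "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp-b.example"},
    ],
    "C": [  # second internal forest, trusted by A
        {"cn": "J Smith", "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp-c.example"},
        {"cn": "A Jones", "sAMAccountName": "ajones", "userPrincipalName": "ajones@corp-c.example"},
    ],
}

# The two identity-claim candidates discussed in the thread and the AD
# attribute each would be extracted from.
CLAIM_SOURCE_ATTRIBUTE = {
    "cn": "cn",
    "upn": "userPrincipalName",
}


def identity_claim(user, claim_type):
    """Return the identity-claim value a single FS would extract for this user."""
    return user[CLAIM_SOURCE_ATTRIBUTE[claim_type]]


def find_claim_collisions(stores, claim_type):
    """Map each claim value to the (domain, sAMAccountName) pairs producing it
    and return only the values claimed by more than one account.

    A collision means the relying party receives the same identity for two
    different people, which is the failure joe describes for the CN claim."""
    owners = defaultdict(list)
    for domain, users in stores.items():
        for user in users:
            owners[identity_claim(user, claim_type)].append((domain, user["sAMAccountName"]))
    return {value: accounts for value, accounts in owners.items() if len(accounts) > 1}


def upn_suffix(upn):
    """The part after the last '@', lower-cased (UPN suffixes are not case-sensitive)."""
    return upn.rsplit("@", 1)[1].lower()


def find_shared_upn_suffixes(stores):
    """Return UPN suffixes that appear in more than one account store.

    A suffix reused across forests is exactly the condition under which UPN
    values stop being unique, so it is flagged even before a concrete
    collision appears."""
    suffix_domains = defaultdict(set)
    for domain, users in stores.items():
        for user in users:
            suffix_domains[upn_suffix(user["userPrincipalName"])].add(domain)
    return {s: sorted(d) for s, d in suffix_domains.items() if len(d) > 1}


def single_fs_is_viable(stores):
    """True only if a UPN identity claim is unambiguous across every store,
    i.e. no duplicate UPN values and no suffix shared between stores."""
    return not find_claim_collisions(stores, "upn") and not find_shared_upn_suffixes(stores)


if __name__ == "__main__":
    print("CN collisions  :", find_claim_collisions(ACCOUNT_STORES, "cn"))
    print("UPN collisions :", find_claim_collisions(ACCOUNT_STORES, "upn"))
    print("Shared suffixes:", find_shared_upn_suffixes(ACCOUNT_STORES))
    print("Single FS viable with a UPN claim:", single_fs_is_viable(ACCOUNT_STORES))
```

With the constructed data every "J Smith" collides under a CN claim, but the three distinct suffixes keep the UPN claim unique. If store C were (hypothetically) given the same suffix as store B, `find_shared_upn_suffixes` reports the shared suffix and `single_fs_is_viable` returns False, which is the situation where joe's advice to fall back to one FS per forest applies.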

06-16-2008, 8:19 AM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
I tried logging in to my external FSP using the other domain's username@domain, but that didn't work.
username@externaldomain does work, and the external domain trusts the other two internal domains. How do you get the login to sync up to multiple domains?

06-16-2008, 8:25 AM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
Had another thought: I can only potentially combine FS-A servers that have Windows trusts, but I am not able to combine all the resources into one FS-R, am I?
If I can't combine FS-R servers to span multiple domains then it is pointless because I'll have resources in all three domains. (OWA at least)
FS-R servers must be domain joined to their domain, along with the resources themselves correct?

06-16-2008, 9:38 PM | joe (Joined on 04-05-2006, Chicago, IL, Posts 1,456)
Re: How many servers do I need?
An FS-R is just an FS that has resource applications. If the resource apps use the NT token agent, then they must be domain joined to a domain in the FS-R's resource forest, although not necessarily the same domain the FS-R is joined to. It could also be some sort of external trust, although I'd generally suggest not doing that.
Otherwise, I'm a little confused about what all the FS's are if there are trusts between these domains. Usually you use ADFS where you can't create some sort of forest trust. The sweet spot for ADFS is for crossing organizational boundaries.

06-30-2008, 4:11 PM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
Some of the trusts are only one way, so I would assume that the domain that trusts all others would be where the FS servers are placed.
From the comments you and others have made it seems possible to boil any Windows Trust scenario down to one FS and one FSP, but there is certainly not any documentation out there about that, unless you can point me to some you know of.
Also, if ADFS is for non-forest trust scenarios, why does ADFS have the Forest Trust scenario when you setup the trust relationship?

06-30-2008, 6:25 PM | joe (Joined on 04-05-2006, Chicago, IL, Posts 1,456)
Re: How many servers do I need?
ADFS is primarily a federation technology that uses PKI to establish trusts across organizational boundaries. It is primarily there for situations where you can't or don't want to establish an AD trust.
However, Microsoft also supports a mode of ADFS where a forest trust can be used as a way to authenticate an ADFS trust. This basically allows you to avoid having to use certificates for signing the token and can instead rely on Kerberos for signing the token. This mechanism isn't part of the spec though and doesn't interop, so I don't really consider it to be "pure" and try to avoid it. I'm still not clear exactly when it would make sense to use this method of token signing.
As for whether an FS should handle a single AD forest or also support logins for users in trusted forests, I think that depends primarily on what you are trying to do and if you can make it work. My preference would be to keep it separate. After all, why use ADFS if you can use forest trusts in the first place?

07-01-2008, 9:12 AM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
I've never personally used forest trusts with authentication to an application, so I am not sure how involved that would be.
ADFS, once understood, seems really simple to get working for .NET applications.
I would like to be able to give the client the option to reduce the FS servers needed by using the forest trusts in place, but I am not sure how to implement that.
What do I need to configure to allow trusted domain users to login to my external FSP?

07-01-2008, 11:02 PM | joe (Joined on 04-05-2006, Chicago, IL, Posts 1,456)
Re: How many servers do I need?
If the external domain trusts the internal domain, they should be able to authenticate via IWA. After that, it is really just an issue of whether or not the FS can do claims processing for the external user. That likely just comes down to permissions, but I don't know enough about how this works in detail to know if there are any gotchas as I've never tried to set this and definitely don't have enough time to build a test environment to find out. :)

07-02-2008, 8:15 AM | natebell (Joined on 05-15-2008, Cincinnati, OH, Posts 182)
Re: How many servers do I need?
I assume you are talking about internal users being able to use IWA to the external FS to login. I understand that that would work. However, if I did that those internal users would still need to be able to login from the internet using the proxy FBA, how would they do that?
Also, I would still need FS-R servers for the OWA servers in the internal domains, unless one FS-R can provide FS service for more than one domain, is that possible?
Even though I have trusts setup it still sounds like I need a FS setup in each domain. At least to use ADFS that is, we're using ADFS to allow for federation.

Page 1 of 2 (22 items)