Establishing security trust between two domains without VPN


We have a company we recently acquired and we would like for them to access our SQL Server Analysis Services (via Excel file) on our company's domain. They are external users with separate Windows domains.



I was reading about AD Forest trusts and I don't know if this is the right path. If we set up a trust relationship between the two domains, can I add NewCompanyNewUser to our SSAS security role and they would have access?



It seems like if they're in Azure, following the below would work?
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-forest



The end result I want is:



  • for NewCompanyNewUser to refresh the cube/PivotTable in Excel on their PC without having to VPN (this is the key thing)

    • edit: Using a jumpbox would be ok too.


Is this possible and if so, is there a high-level overview of the steps needed? Would I be able to add NewCompanySam to SSAS security role, for example?



I'm a software developer so don't know much about infrastructure/AD. This is mainly for my curiosity - I don't think we'll implement this. Thanks!



My company uses Windows Server 2016. New company uses Azure AD Services.



Azure AD Services forest trust










active-directory domain azure-active-directory-ds trust-relationship






asked Jun 7 at 17:39 by Gabe, edited Jun 7 at 19:20












  • Don't use user accounts in a SACL/SQL role; stick with groups.

    – Semicolon
    Jun 7 at 18:47






  • Are their workstations also in Azure? I mean, the diagram covers the trust itself - and access from the on-premise AD environment to the cloud AD environment, but it doesn't cover access from a separate on-premise environment. The clients would still require access from their premises to your premises - and I don't think you can (or would want to) route that through Azure and back.

    – Semicolon
    Jun 7 at 18:52











  • @Semicolon - I see what you mean. Their workstations are not in Azure. The diagram shows a jumpbox, could they just remote into there and use Excel connecting to our company's SSAS? I understand that's slightly different than my original demand (extra step of jumpbox)

    – Gabe
    Jun 7 at 19:17





























1 Answer
I think there are two questions here. Trusting an acquired company is usually problematic, and you're definitely in VPN territory. If you create accounts for them in your forest, that would obviate the need for a trust to access your application.



How they get network access is a separate worm can. If it's only for SQL Server, it's possible to access SQL Server over TLS using a certificate, but this would only be secure if it were required at the server - not something everyone is prepared to do. If that were in place, creating a DSN with the credentials and server name/port to access a database in Excel is fairly straightforward using the Microsoft ODBC Driver 17 for SQL Server:



https://www.microsoft.com/en-us/download/details.aspx?id=56567

















answered Jun 7 at 18:48 by Greg Askew












  • Could they just remote into there using their domain account and use Excel connecting to our company's SSAS?

    – Gabe
    Jun 7 at 19:28











  • @Gabe: not without a trust.

    – Greg Askew
    Jun 8 at 11:13
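
One way to create the DSN the answer describes and to check that encryption really is required at the server rather than only requested by the client. This is an added example, not part of the original answer. It assumes the SQL Server database engine, Windows PowerShell 5.1 and a SQL login; the server name, database name and DSN name are placeholders.

```powershell
# Added example, not from the original answer. Assumes Windows PowerShell 5.1 and
# the Microsoft ODBC Driver 17 for SQL Server installed on the client.
# Placeholder values, constructed for illustration:
$Server   = 'sql01.corp.example.com,1433'  # host,port; host must match the certificate name
$Database = 'ReportingDB'
$DsnName  = 'Corp-Reporting-TLS'

# Client side: a user DSN that requests encryption and validates the server
# certificate against the client's trusted roots instead of trusting it blindly.
if (-not (Get-OdbcDsn -Name $DsnName -DsnType 'User' -Platform '64-bit' -ErrorAction SilentlyContinue)) {
    Add-OdbcDsn -Name $DsnName -DriverName 'ODBC Driver 17 for SQL Server' `
        -DsnType 'User' -Platform '64-bit' `
        -SetPropertyValue @("Server=$Server", "Database=$Database",
                            'Encrypt=Yes', 'TrustServerCertificate=No')
}

function Get-SessionEncryption {
    # Opens a connection and returns how the server sees this session.
    # sys.dm_exec_connections requires VIEW SERVER STATE for the login used.
    param([Parameter(Mandatory)][string]$ConnectionString)
    $conn = New-Object System.Data.Odbc.OdbcConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme, net_transport ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        if (-not $reader.Read()) { throw 'No row returned for the current session.' }
        [pscustomobject]@{
            Encrypted    = ($reader['encrypt_option'] -eq 'TRUE')
            AuthScheme   = $reader['auth_scheme']
            NetTransport = $reader['net_transport']
        }
    }
    finally { $conn.Dispose() }
}

# SQL login, because the answer's scenario has no trust between the forests.
$cred   = Get-Credential -Message 'SQL Server login'
$secret = $cred.GetNetworkCredential().Password.Replace('}', '}}')  # ODBC brace escaping
$auth   = "UID=$($cred.UserName);PWD={$secret}"

# Session opened through the DSN: the client asks for TLS and checks the certificate.
$viaDsn = Get-SessionEncryption "DSN=$DsnName;$auth"

# Probe: same server, but the client does NOT ask for encryption. If the server
# requires encryption, this session is still reported as encrypted. If it is
# reported as unencrypted, protection depends on every client opting in.
$probe = Get-SessionEncryption ("Driver={ODBC Driver 17 for SQL Server};Server=$Server;" +
                                "Database=$Database;Encrypt=No;$auth")

if (-not $viaDsn.Encrypted) { Write-Warning 'DSN session is not encrypted.' }
if (-not $probe.Encrypted) {
    Write-Warning 'Server accepted an unencrypted session: encryption is not required server-side.'
}
$viaDsn, $probe | Format-Table
```

Run the probe only as a configuration check; day-to-day connections should go through the DSN so the certificate is validated.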
















