Establishing security trust between two domains without VPN
We have a company we recently acquired and we would like for them to access our SQL Server Analysis Services (via Excel file) on our company's domain. They are external users with separate Windows domains.
I was reading about AD Forest trusts and I don't know if this is the right path. If we set up a trust relationship between the two domains, can I add NewCompanyNewUser to our SSAS security role and they would have access?
It seems like if they're in Azure, following the below would work?
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-forest
The end result I want is:
- for NewCompanyNewUser to refresh the cube/PivotTable in Excel on their PC without having to VPN (this is the key thing)
- edit: Using a jumpbox would be ok too.
Is this possible and if so, is there a high-level overview of the steps needed? Would I be able to add NewCompanySam to SSAS security role, for example?
I'm a software developer so don't know much about infrastructure/AD. This is mainly for my curiosity - I don't think we'll implement this. Thanks!
My company uses Windows Server 2016. New company uses Azure AD Services.
active-directory domain azure-active-directory-ds trust-relationship
asked Jun 7 at 17:39 by Gabe (edited Jun 7 at 19:20)
Don't use user accounts in a SACL/SQL role; stick with groups.
– Semicolon
Jun 7 at 18:47
1
Are their workstations also in Azure? I mean, the diagram covers the trust itself - and access from the on-premise AD environment to the cloud AD environment, but it doesn't cover access from a separate on-premise environment. The clients would still require access from their premises to your premises - and I don't think you can (or would want to) route that through Azure and back.
– Semicolon
Jun 7 at 18:52
@Semicolon - I see what you mean. Their workstations are not in Azure. The diagram shows a jumpbox, could they just remote into there and use Excel connecting to our company's SSAS? I understand that's slightly different than my original demand (extra step of jumpbox)
– Gabe
Jun 7 at 19:17
1 Answer
I think there are two questions here. Trusting an acquired company is usually problematic, and you're definitely in VPN territory. If you create accounts for them in your forest, that would obviate the need for a trust to access your application.
How they get network access is a separate worm can. If it's only for SQL Server, it's possible to access SQL Server over TLS using a certificate, but this would only be secure if it were required at the server - not something everyone is prepared to do. If that were in place, creating a DSN with the credentials and server name/port to access a database in Excel is fairly straightforward using the Microsoft ODBC Driver 17 for SQL Server:
https://www.microsoft.com/en-us/download/details.aspx?id=56567
answered Jun 7 at 18:48 by Greg Askew
Could they just remote into there using their domain account and use Excel connecting to our company's SSAS?
– Gabe
Jun 7 at 19:28
@Gabe: not without a trust.
– Greg Askew
Jun 8 at 11:13
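The client side of the TLS-protected DSN described in the answer above, as an added example that is not part of the original answer: it creates a DSN for the Microsoft ODBC Driver 17 for SQL Server that requires encryption and validates the server certificate, then audits existing SQL Server DSNs for weaker settings. The DSN name, server and database are placeholders, and `Test-OdbcDsnTls` is a hypothetical helper name.

```powershell
# Added example. Placeholder values: replace before use.
$DsnName  = 'AcquiredCo-Reporting'     # hypothetical DSN name
$Server   = 'sql.example.com,1433'     # placeholder host,port
$Database = 'ReportingDb'              # placeholder database

# Encrypt=Yes makes this client refuse a plaintext session.
# TrustServerCertificate=No makes it validate the server certificate;
# with Yes the channel is encrypted but the server is not authenticated.
# No password is written into the DSN here.
$dsn = @{
    Name             = $DsnName
    DriverName       = 'ODBC Driver 17 for SQL Server'
    DsnType          = 'User'
    Platform         = '64-bit'
    SetPropertyValue = @(
        "Server=$Server",
        "Database=$Database",
        'Encrypt=Yes',
        'TrustServerCertificate=No'
    )
}
Add-OdbcDsn @dsn

function Test-OdbcDsnTls {
    # Returns one row per SQL Server DSN on this machine with a verdict
    # on its TLS settings. Driver 17 defaults to Encrypt=No when the
    # keyword is absent, so a missing value is reported as not OK.
    Get-OdbcDsn |
        Where-Object { $_.DriverName -like '*SQL Server*' } |
        ForEach-Object {
            $encrypt = [string]$_.Attribute['Encrypt']
            $trust   = [string]$_.Attribute['TrustServerCertificate']
            [pscustomobject]@{
                Name                   = $_.Name
                Platform               = $_.Platform
                DriverName             = $_.DriverName
                Encrypt                = $encrypt
                TrustServerCertificate = $trust
                Ok = ($encrypt -eq 'Yes') -and ($trust -ne 'Yes')
            }
        }
}

# List DSNs that would allow an unencrypted or unauthenticated session.
Test-OdbcDsnTls | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

These settings protect only the clients that carry them; as the answer notes, encryption has to be required at the server (the Force Encryption setting on the SQL Server instance) before every connection is covered.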