[Server] Multi AD management


Simple idea but may be complex to implement: make EasyMorph Server able to authenticate upon different Active Directories (only one can be defined currently, I think). Necessary for big companies resulting from a "merge" of smaller ones.


Hi. It's an interesting suggestion.
But, as far as I know, joining a single computer to multiple Active Directory domains is impossible.

Please describe how the Active Directory merging/acquisition is performed.
How do domain A users access resources that belong to domain B? Or are you using AD for authentication/authorization purposes only?
Do you use Active Directory Forest, for example?
Are you going to use Azure AD in the future?

When we first connect to EasyMorph Server, there is a popup asking for the login and password, and there we type our domain\login + password.

It would be good if, when 2 colleagues from different domains connect, they could both use their own domain\login and have it work.

I know that a tool like Denodo is multi-AD compatible (but maybe because it's Kerberos compatible).

Hi @ckononenko,

I insist a little bit on multi-AD management.

I have more information now, and here is the situation:

  • All end users and all end user groups will be on the same domain. Let's call it "USERS".

  • On the other hand, folders will be on a network file system in another domain. Let's call it "FILES". Also, service accounts (workers) will be on domain FILES. So let's say applicative resources will be on FILES.

Imagine we install EasyMorph Server on domain FILES (machine in FILES). Imagine also that in the EM Server administration we configure the Active Directory USERS. Do you think it will work, knowing that between FILES and USERS there will be an automatic approval and, of course, from the server the Active Directory USERS will be available?

In other words, how is the Active Directory configured in EM Server used? Is it just used to control end user and group security? Or are you also using it for service accounts and network file systems configured in workspaces for files / connector storage?

Thanks !

For Windows Authentication, we use the built-in capabilities of Windows.
In this case, the operating system itself transmits information about the user and their groups.
That has some limitations. For example, the EasyMorph Server must be AD-joined and deployed in the same domain as its users.

Can two domains be used simultaneously? We didn't set it up that way. However, if these domains are somehow united using Active Directory, then this is probably possible. It is more a matter of Active Directory domain configuration and settings.

In other words, how is the Active Directory configured in EM Server used?

Explicitly, Active Directory is only used for authentication via Windows Authentication when a user tries to open a session, and also for determining user identity when making requests via the EasyMorph Custom API Server.
A connection to Active Directory is used to resolve users and groups when adding a user/group to the Space access-control list.

The last part of your message is really what I was thinking, and I think it's OK with that. But when you say EM Server must be AD-joined and deployed in the same domain as its users, I'm really not sure. If they are in 2 different domains BUT there is a mutual approval between the domains, the Netlogon service (https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust#ntlm-referral-processing) should do the job and allow the authentication. I will propose to Dmitry to test that part in our architecture.

In any case, the EasyMorph Server must be joined to an AD domain. This AD must be able to authenticate AD users by user credentials and pass the user identity to the EasyMorph Server.

The web client (not to be confused with the user) does not necessarily need to be AD-joined, but the Desktop client must be AD-joined.
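Before relying on the FILES/USERS trust described above, an administrator would want to confirm from the server host itself that accounts in the trusted domain can actually be authenticated and resolved. The script below is an added example for that check, not code from this thread or from EasyMorph; the domain names, the sample account and the parameter names are placeholders.

```powershell
# Added verification script (not part of the thread or of EasyMorph).
# Run on the EasyMorph Server host joined to the FILES domain to check whether
# accounts from the trusted USERS domain can be authenticated and resolved,
# which is what the Space access-control list lookup needs.
# "USERS" and "USERS\jdoe" are constructed placeholder values.
param(
    [string]$TrustedDomain = 'USERS',
    [string]$SampleAccount = 'USERS\jdoe'
)

Import-Module ActiveDirectory -ErrorAction Stop
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# 1. Is there a trust object for USERS in the server's own domain, and in which direction?
#    'Inbound' or 'BiDirectional' (seen from FILES) is what lets USERS accounts log on here.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object for $TrustedDomain found in the local domain."
} else {
    "Trust to {0}: direction={1}, forest-transitive={2}" -f $trust.Name, $trust.Direction, $trust.ForestTransitive
}

# 2. Secure-channel check to the trusted domain: the path Netlogon uses for NTLM referrals.
nltest /sc_query:$TrustedDomain

# 3. Can the OS translate a USERS account name to a SID? This is the same LSA lookup
#    Windows Authentication depends on when it hands the user identity to the server.
try {
    $sid = ([System.Security.Principal.NTAccount]$SampleAccount).Translate(
               [System.Security.Principal.SecurityIdentifier])
    "Resolved $SampleAccount -> $sid"
} catch {
    Write-Warning "Could not resolve ${SampleAccount}: $($_.Exception.Message)"
}

# 4. Resolve the user's group membership directly against the USERS domain,
#    the kind of lookup done when a user or group is added to a Space ACL.
$ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $TrustedDomain)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, $SampleAccount.Split('\')[-1])
if ($user) {
    $user.GetAuthorizationGroups() | Select-Object -ExpandProperty SamAccountName
} else {
    Write-Warning "User not found in $TrustedDomain via PrincipalContext."
}
```

If step 3 succeeds but step 4 fails, the trust allows authentication but the server host cannot query the USERS directory for group resolution, which is the part the ACL lookup would need.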