Configure iShare GIS for multi-domain authentication

This article provides an overview of iShare GIS authentication in a multiple domain configuration. iShare GIS has been designed to accommodate users from multiple domains, although this is dependent on customer network, domain and Active Directory configuration. While this is intended to provide an overview, the overall responsibility for customer network and Active Directory configuration resides with the customer.

For the purposes of this article we will refer to the host domain (Domain A), where the iShare GIS server resides, and the guest domain (Domain B), whose users also need to be authenticated to access iShare GIS secure resources. These principles apply to any number of domains, so you could have more than the two domains depicted. The iShare GIS multi-domain diagram below provides an overview of the required configuration.

iShare GIS multi-domain diagram

Check List

Domain configuration

  • Configure full two-way trust relationship for all domains.

  • Test the two-way trust relationship for all domains.

  • Ensure iShare GIS has a user that can authenticate against both/all domains (as outlined within the Roles and User Authentication topic).

Creating local security groups on domains A and B

  • Create local security groups on the host (A) and guest (B) domains. 

  • Configure these groups with a Global Group Scope.

Creating local security groups on the iShare GIS server

  • Create local security groups on the iShare GIS server.

  • Add the host and guest security groups to the iShare GIS security groups on the iShare GIS server.

Other considerations

  • Recycle the web and webservice application pools within IIS on the iShare GIS server when making changes to security groups (to ensure changes are reflected within the iShare GIS application).

  • Tools for fault finding:

    • Firefox with Firebug (e.g. view which processes are called and how long they take to complete; ability to run against a specific domain / domain user).

    • Wireshark (e.g. providing a detailed view of traffic between client and server, and server and domain controller).

    • Investigate the iShare Logs as per the iShare Logging topic - increase the level of logging to 'ALL' to maximise the information written to the logs.
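
The checklist above as one PowerShell pass, run on the iShare GIS server. This is an added example, not part of the iShare GIS documentation; it assumes the ActiveDirectory and WebAdministration modules are installed and that the account running it has rights in both domains. The domain names, group names and application pool names are placeholders.

```powershell
# Added example. Every name in this block is a placeholder (assumption),
# not a value taken from the iShare GIS documentation.
$HostDomain  = 'domain-a.example'               # Domain A, hosts the iShare GIS server
$GuestDomain = 'domain-b.example'               # Domain B
$DomainGroup = 'iShare-GIS-Users'               # group created in each domain
$LocalGroup  = 'iShareGIS_Secure'               # local group on the iShare GIS server
$AppPools    = 'iShareWeb', 'iShareWebService'  # replace with the real IIS pool names

Import-Module ActiveDirectory, WebAdministration

# 1. Confirm the trust with the guest domain is two-way before touching any groups.
$trust = Get-ADTrust -Filter "Name -eq '$GuestDomain'" -Server $HostDomain
if (-not $trust -or $trust.Direction -ne 'BiDirectional') {
    throw "Trust between $HostDomain and $GuestDomain is missing or not two-way."
}

# 2. Create a security group with Global scope in each domain (skipped if present).
foreach ($domain in $HostDomain, $GuestDomain) {
    if (-not (Get-ADGroup -Filter "Name -eq '$DomainGroup'" -Server $domain)) {
        New-ADGroup -Name $DomainGroup -GroupScope Global `
                    -GroupCategory Security -Server $domain
    }
}

# 3. Create the local group on this server and nest both domain groups in it.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'iShare GIS secure resources'
}
foreach ($domain in $HostDomain, $GuestDomain) {
    $member = '{0}\{1}' -f (Get-ADDomain -Server $domain).NetBIOSName, $DomainGroup
    $present = Get-LocalGroupMember -Group $LocalGroup -Member $member `
                                    -ErrorAction SilentlyContinue
    if (-not $present) {
        Add-LocalGroupMember -Group $LocalGroup -Member $member
    }
}

# 4. Review exactly which principals now hold access through the local group.
Get-LocalGroupMember -Group $LocalGroup |
    Format-Table Name, ObjectClass, PrincipalSource

# 5. Recycle the pools so the application picks up the new group membership.
foreach ($pool in $AppPools) {
    Restart-WebAppPool -Name $pool
}
```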

