首先，一点背景：我们有一个基于WSS 3.0 Intranet站点驻留在服务器上的 * DOMAIN_A.LOCAL * 并设置为使用集成Windows身份验证来验证用户的身份活跃目录用户帐户的 * DOMAIN_A.LOCAL *

First, a little background: We have an intranet site based on WSS 3.0 that is hosted on a server in *DOMAIN_A.LOCAL* and set up to use Integrated Windows Authentication to authenticate users against Active Directory user accounts of *DOMAIN_A.LOCAL*.

此安装方法的效果蛮好的使用AD帐户谁登录到Windows用户的 * DOMAIN_A.LOCAL * ，但在用户尝试使用广告从PC登录到Windows访问网站考虑从不同的域（即 * DOMAIN_B.LOCAL * ）会出现下列问题：

This setup works just fine for users who are logged into Windows using an AD account from *DOMAIN_A.LOCAL*, but when users try to access the site from a PC logged into Windows using an AD account from a different domain (i.e. *DOMAIN_B.LOCAL*) the following problems occur:

用户必须手动输入他们的凭据， * DOMAIN_A \用户名* ，而不是仅仅的的用户名的，否则，Internet Explorer会自动插入 * DOMAIN_B * 并导致身份验证失败。

The user must manually enter their credentials as *DOMAIN_A\UserName* rather than just UserName because otherwise, Internet Explorer automatically inserts *DOMAIN_B* and causes authentication to fail.

登录后，如果用户做一些事情，需要在浏览器通过传递他们的身份验证客户端应用程序，例如，单击Microsoft Office文档在文档库中，以打开它进行编辑，这看来，无效的凭证（presumably * DOMAIN_B * ）将自动传递，从而迫使用户手动输入他们的 * DOMAIN_A * 的凭据了。

Once logged in, if the user does something that requires the browser to pass their authentication through to a client app, such as clicking on a Microsoft Office document in a document library in order to open it for editing, it appears that invalid credentials (presumably *DOMAIN_B*) are passed automatically, thus forcing the user to manually enter their *DOMAIN_A* credentials again.

我的问题，则是这样的：

My question, then is this:

有没有办法使用集成Windows身份验证（如可使用基本明文身份验证时进行），这样如果在实施默认域类型的行为在用户的 * DOMAIN_B * 之前他们的用户名不输入域名， * DOMAIN_A * 自动插入又在哪里？

Is there any way to implement a "default domain" type of behavior when using Integrated Windows Authentication (as can be done when using Basic clear text authentication) so that if a user on *DOMAIN_B* does not enter a domain before their user name, *DOMAIN_A* is inserted automatically for them?

当然，我知道这部署可能是致命的缺陷，所以我也愿意听取建议的不同的实现。

Of course, I realize this deployment may be fatally flawed, so I am also open to suggestions for a different implementation.

总之，主要问题来自两个不同类型的用户需要访问在一个SharePoint站点相同的内容。在 * DOMAIN_A * 的用户都拥有自己的专职工作站他们登录到Windows作为自己。在用户的 * DOMAIN_B * 遗憾的是必须使用的登录使用通用的亭型账户有在SharePoint没有权限的共享计算机 - 这样的要求是在 * DOMAIN_B * 用户必须按要求提供其凭据。我想preserve集成Windows身份验证的方便的静态用户的 * DOMAIN_A * ，同时尽量减少人工认证的信息亭的用户在金额* DOMAIN_B * 不得不忍受。

In summary, the main problem stems from two different kinds of users needing to access the same content on one SharePoint site. The users in *DOMAIN_A* all have their own full-time workstations where they log into Windows as themselves. The users in *DOMAIN_B* unfortunately have to use shared computers that are logged on using generic "kiosk" type accounts that have no permissions in SharePoint -- thus the requirement that the *DOMAIN_B* users must provide their credentials on demand when accessing a given page in SharePoint. I would like to preserve the convenience of the Integrated Windows Authentication for the "static" users of *DOMAIN_A* while minimizing the amount of manual authentication that the "kiosk" users in *DOMAIN_B* have to endure.

推荐答案

* DOMAIN_A.LOCAL *必须信任* DOMAIN_B.LOCAL *，否则用户的* DOMAIN_B.LOCAL *将receivie凭据提示，因为他们的* DOMAIN_B.LOCAL *账户内* DOMAIN_A.LOCAL *未知数。

*DOMAIN_A.LOCAL* must trust *DOMAIN_B.LOCAL*, otherwise users from *DOMAIN_B.LOCAL* will receivie a credential prompt since their *DOMAIN_B.LOCAL* account is unknown within *DOMAIN_A.LOCAL*.

由于* DOMAIN_B.LOCAL *针对kisok用户，你可能不希望信任此域。

Given that *DOMAIN_B.LOCAL* is for kisok users, you probably do not want to trust this domain.

您需要将Web应用程序反向代理延伸到一个新的区域，要么实现基于表单的身份验证，或者使用Windows身份验证，如ISA服务器。

You will need to extend the web application into a new zone and either implement forms based authentication, or use Windows Authentication with a reverse proxy such as ISA server.