How to implement a domain that is not joined nor has trusts to the main domain

Hello,

I have a question about this use case:

I have to implement SPP+SPS in this environment with multiple domains. There's one domain that doesn't have a trust to any other domain (including the one where the appliances are), but it needs to be implemented in the PAM architecture.

How can I do so? Is it possible to implement it without trusts, with the domain being reachable by the appliance only via network routes?

Thank you,

Simone

  • Hi Simone,

    For SPP there is no issue here managing passwords, as long as SPP can communicate with the target server and the SPP service account has the required permissions to Test Connect, Check Passwords and Change Passwords against that target machine.

    For SPS, the following RDP setting is what controls this as per the admin guide:

    Require domain membership: This is a sub-option of the Enable Network Level Authentication option. By default, the Require domain membership option is not enabled. In the default operation, you can use SPS to monitor RDP access to servers that accept only NLA, even if the client, SPS, and the server are not in the same domain. You can use this option also if the RDP server is a standalone server and is not part of a domain, or if, for some reason, you cannot add SPS to the domain.

    If you enable the Require domain membership option, you can only authenticate successfully to the RDP server if SPS is a member of the domain to which the RDP server belongs.

    Reference:
    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/7.0%20lts/administration-guide/65#TOPIC-1831742

    If you need further assistance with implementation or configuration, we recommend consulting with the One Identity Professional Services team via a discussion with your account manager.

    Thanks!