Background/Infrastructure (Just remember I didn't design it!):
I have a website (MVC5) which is deployed into production, dev, test, etc. Each of those environments is in its own domain, and the users are in another domain again. ALL of the environment domains completely trust the user account domain, but they do not trust each other.
I am attempting to get my website to work for users in all of the various environments without using credentials from those specific domains - most users don't have accounts in the other domains but will use this website. The end user experience is to type in the URL for a domain and have it know who they are.
Because this is all domain based it is easy enough to set up IIS for Windows authentication; that's done and working.
Problem:
Where I'm stuck is the authorization across domains. In each domain I have a group (e.g. DEV\WebsiteAccess) which is for access to this website. I added a group from the users domain (e.g. FABRIKAM\DevSystemUsers) into that access group, and it doesn't work. If I put the user into the DEV group directly, it DOES work.
It would seem that IIS is unable to traverse the full tree across the trust. The service account running the website is a DEV domain admin. DEV fully trusts FABRIKAM.
Is anyone aware of a way to tell IIS to walk the permissions on the other side?
Thanks
Jeff