Support for Foreign Groups

EFT allows you to specify only one domain and one group. However, that group can contain groups and users from foreign domains, as long as a trust relationship exists between the domains; this is what allows users from remote domains to authenticate to EFT. The domain in which EFT resides must have a group that contains the foreign domain users.

The main point is that EFT talks to only one AD/forest/controller. If that AD/forest/controller is properly configured to get information from the other domain/forest, then EFT will authenticate those users.

When your forest contains domain trees with many child domains and you observe noticeable user authentication delays between the child domains, you can optimize the user authentication process between the child domains by creating shortcut trusts to mid-level domains in the domain tree hierarchy. For more information, refer to "When to create a shortcut trust" on Microsoft's website. For details of controlling access to shared resources across domains, refer to the Microsoft TechNet article, "Accessing resources across domains."

On the Windows Authentication page of the Site Setup wizard, you can specify any combination of Domain and Group names, as long as the EFT service is running under an account that has rights to list users in that Domain and/or Group.
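
Because a single group decides who can authenticate, it is worth auditing which members of that group come from other domains. The following PowerShell is an added example, not part of the EFT documentation or product; it assumes the RSAT ActiveDirectory module is installed, and the domain and group names are placeholders.

```powershell
# Added example: list the trusts and the foreign members behind the one
# domain/group pair configured for an EFT Site. Direct members only;
# nested groups must be audited the same way.
Import-Module ActiveDirectory

$EftDomain = 'corp.example.com'   # placeholder: domain EFT is configured for
$EftGroup  = 'EFT-Users'          # placeholder: group set in the Site Setup wizard

# 1. Trusts known to the EFT domain; foreign members resolve only through these.
Get-ADTrust -Filter * -Server $EftDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 2. Read the raw member DNs instead of resolving every member up front,
#    which can fail when a trusted domain is unreachable.
$group   = Get-ADGroup -Identity $EftGroup -Server $EftDomain -Properties member
$localDc = ($group.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','

$report = foreach ($dn in $group.member) {
    $memberDc = ($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
    if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
        # Member from another forest or an external domain: stored as a SID placeholder.
        $fsp = Get-ADObject -Identity $dn -Server $EftDomain -Properties objectSid
        $sid = $fsp.objectSid
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved: trust missing or account deleted>' }
        [pscustomobject]@{ Origin = 'ForeignSecurityPrincipal'; Name = $name; Id = $sid.Value }
    }
    elseif ($memberDc -ne $localDc) {
        # Member from another domain in the same forest: stored as a normal DN.
        [pscustomobject]@{ Origin = 'OtherDomainInForest'; Name = $dn; Id = $memberDc }
    }
}

$report | Sort-Object Origin, Name | Format-Table -AutoSize
```

Running it under the EFT service account also confirms that the account has the rights to list the group's members; unresolved entries point to a broken trust or a stale membership that should be removed.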