User Synchronization Service as an Intermediate Login Provider

What if we have an integration server in one office that is not on a domain, and a contractor in another office, who has a caching/gateway server in that office, needs to connect to it?

The contractor wants his domain user accounts synchronized with ProjectWise (PW).

In SS4 there is a new feature that lets you install the User Synchronization Service on a server at another location and synchronize users from there.

If your ProjectWise Integration Server cannot access the local domain controller and authenticate Windows users, you can install ProjectWise User Synchronization Service on the local area network (LAN) to act as an intermediate login provider for ProjectWise users with Windows accounts. In support of this, a new setting has been added to the dmskrnl.cfg file, UserSyncService=, which lets you specify the computer on which ProjectWise User Synchronization Service is installed. See the SS4ru ProjectWise Implementation Guide, page 128, for more details about setting this up.

Here is the excerpt from the dmskrnl.cfg:

; If ProjectWise Integration Server is installed outside the local network,
; for example on a Cloud virtual machine, it cannot access the local domain
; controller and authenticate Windows users. In that case, User Synchronization
; Service can be installed on a local network (LAN) to provide delegated logins
; and allow synchronized Windows users to access ProjectWise Integration Server.
; To enable User Synchronization Service delegated logins, the UserSyncService
; option below must be set to the name of the local machine on which User
; Synchronization Service is installed. Also, the IP address of the User
; Synchronization Service machine must be added to the [Trusted Servers] list in this file.
;[db0]
;UserSyncService=<User Synchronization Service host name>

So in the dmskrnl.cfg on the integration server, at the top of the file in the [Trusted Servers] section, add the address of the sync service machine:

[Trusted Servers]
UserSync = 192.168.1.1

And at the bottom of the file, where the datasource listings live, add the UserSyncService line under each datasource that will synchronize users from the other domain:

[db0]
Description=MyPWDatasource
Type=Microsoft SQL Server
InterfaceType=ODBC
Name= MyPWDatasource
DBUserName=PWDBA
DBUsrPwdDecrypt=4
DBUserPassword=xxxxxxxxxx
UserSyncService=mysyncserver.bentley.com
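Because the two settings live in different parts of the file and one is an IP address while the other is a host name, it is easy to set one and forget the other. The following is an added example (not part of the original post or of ProjectWise itself) that reads a dmskrnl.cfg-style text and reports the common mistakes implied by the comment block above: a datasource that sets UserSyncService while [Trusted Servers] is empty, a UserSyncService value left blank or still holding the shipped `<...>` placeholder, and a [Trusted Servers] entry that is not an IP address. The sample configurations are constructed here from the fragments in the post; the host name and address in them are illustrative, not a real deployment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the dmskrnl.cfg fragments in the post
# (illustrative host name and address, not a real deployment).
GOOD_CFG = """\
[Trusted Servers]
UserSync = 192.168.1.1

[db0]
Description=MyPWDatasource
Type=Microsoft SQL Server
InterfaceType=ODBC
Name= MyPWDatasource
DBUserName=PWDBA
DBUsrPwdDecrypt=4
DBUserPassword=xxxxxxxxxx
UserSyncService=mysyncserver.bentley.com
"""

# Constructed misconfiguration: the [Trusted Servers] entry was never added,
# one datasource still carries the placeholder from the shipped comment block,
# and another has the key with no value.
BAD_CFG = """\
; UserSyncService=<User Synchronization Service host name>
[Trusted Servers]

[db0]
Description=MyPWDatasource
UserSyncService=<User Synchronization Service host name>
[db1]
Description=OtherDatasource
UserSyncService=
"""


def parse_cfg(text):
    """Minimal INI-style parser: ';' comments, [sections], key=value.
    Every (key, value) pair is kept in order, so duplicate keys survive."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def audit_user_sync(text):
    """Cross-check UserSyncService= in the [dbN] sections against
    [Trusted Servers]; returns the datasources involved and any findings."""
    cfg = parse_cfg(text)
    trusted = [v for _, v in cfg.get("Trusted Servers", []) if v]
    findings = []
    sync_sections = []

    for name, pairs in cfg.items():
        if not name.lower().startswith("db"):
            continue
        for key, value in pairs:
            if key.lower() != "usersyncservice":
                continue
            sync_sections.append(name)
            # Blank value or the untouched "<...>" placeholder means no sync host.
            if not value or (value.startswith("<") and value.endswith(">")):
                findings.append(
                    f"[{name}]: UserSyncService has no host name (blank or placeholder)")

    # The comment block says the trusted entry must be the sync machine's IP.
    for value in trusted:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"[Trusted Servers]: '{value}' is not an IP address")

    if sync_sections and not trusted:
        findings.append("[Trusted Servers] has no entries but UserSyncService is set in: "
                        + ", ".join(sync_sections))

    return {"sync_datasources": sync_sections,
            "trusted_hosts": trusted,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg_text in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        result = audit_user_sync(cfg_text)
        print(label, result["sync_datasources"], result["trusted_hosts"])
        for finding in result["findings"]:
            print("  -", finding)
```

The check cannot confirm that the IP in [Trusted Servers] actually belongs to the host named in UserSyncService without a DNS lookup, so that comparison is left to the operator; what it does catch is the half-finished edit where only one of the two places was updated.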

I am told a "gotcha" with this setup is that the service uses Windows Challenge/Response (NTLM) as the authentication protocol, which is turned off on most modern servers in favor of using Kerberos. So some tweaking of the Windows server might need to be done.

For more info on NTLM see http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx

Anonymous