Administrators can create multiple central stores in enterprises that
contain multiple domains. In fact, you can use more than one type of central
store in these environments. For example, you can associate user configurations
with an NTFS network share central store in one domain and an Active Directory
central store in another domain.
Because companies might maintain multiple Windows domains, users might
also have more than one Windows account. Single Sign-on includes a feature
known as Account Association to allow a user to log on to any application from
one or more Windows accounts. Because Single Sign-on typically binds user
credentials to a single account, the credential information is not synchronized
automatically among multiple accounts that a user owns.
However, administrators can configure Account Association to
synchronize user credentials by using the Credential Synchronization Module.
Users with Account Association configured have access to all applications from
any of their accounts in their Single Sign-on environment. When user
credentials are changed, added, or removed from one account, the credentials
are synchronized automatically with each of the user’s associated accounts.
Without Account Association, users with multiple Windows accounts are
forced to manually change their logon information separately from each Windows
To allow users to synchronize credentials by using Account
Association, give them access to AccAssoc.exe as a published application.