Question: SharePoint + Trusts + People Picker

I have a SharePoint vendor who is trying to sell me SharePoint Services. I currently run an Active Directory 2003 Native domain with a handful of users who need to use the vendor's SharePoint services.

They contend that they require the following:

1) A one way external trust whereby their domain trusts mine.  (I agree with that)

2) An account on our domain. (There is nothing in the MSFT docs I see that requires this.)
They refer to the following article about the People Picker application in SharePoint. I have read the article and verified that the STSADM.exe script seems to use an account in some cases. (Article here: http://blogs.msdn.com/rajank/default.aspx)

When I asked about the account properties and the reason for its existence, they refer to the Microsoft bilge on the benefits of Single Sign-On, not having the users continually authenticating, yada yada yada. From what I've read, the only other choice they have is Forms Authentication... which is painful for them to set up.

So... my question is...

Do I truly need to give access to an account in my domain to achieve single sign-on?
If so, what are the minimal rights required on that account?

Answer: SharePoint + Trusts + People Picker

SSO fools a lot of people because it actually isn't used for front-end authentication; it's used for back-end impersonation.

So, if their domain trusts yours, when a member of your domain accesses their website they are 'trusted', so they can access the vendor's site, which you understand and agree with. However, in this case the 'People Picker' is a back-end process that needs to access your domain to get a list of people.

Because your domain doesn't trust theirs, they need an AD account to access your farm. NTLM credentials can't be relayed (unless you used Kerberos, which likely won't work here), so the 'People Picker' on their farm has no access to yours.

So, yes, in order to let SSO work properly on their domain to use the 'People Picker' for your domain, they need an account in your domain. You can make sure that the account you give them has minimum privileges.
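As an added illustration of the answer above (not part of the original thread or the vendor's documentation), this is what the minimal-rights arrangement looks like in practice: a plain Domain User account created in the customer (trusted) domain with AD 2003 command-line tools, and the stsadm People Picker settings the vendor's WSS 3.0 / MOSS 2007 farm would point at it. All account, OU, domain and URL names are placeholders.

```powershell
# --- Part 1: run in the CUSTOMER domain (the one the vendor's domain trusts) ---
# Placeholders; substitute your own naming and OU.
$svc  = "svc-vendor-pp"
$ouDN = "OU=ServiceAccounts,DC=corp,DC=example"

# A default Domain User can read the directory, which is all People Picker needs
# (it only queries users/groups). No extra group memberships, no admin rights.
# "-pwd *" makes dsadd prompt for the password instead of leaving it in history.
dsadd user "CN=$svc,$ouDN" `
    -samid $svc `
    -upn   "$svc@corp.example" `
    -pwd   * `
    -pwdneverexpires yes `
    -disabled no `
    -desc  "Vendor SharePoint People Picker lookup only (read-only directory queries)"

# Optional hardening outside this script: assign "Deny log on locally" and
# "Deny log on through Terminal Services" to $svc via Group Policy, so the
# credential is only usable for LDAP queries from the vendor's farm.

# Sanity check: confirm the account holds nothing beyond the default primary group.
dsget user "CN=$svc,$ouDN" -memberof

# --- Part 2: run on the VENDOR farm (Central Administration server) ---
# stsadm stores the People Picker credential encrypted; setapppassword must be run
# with the same value on every web front end before setproperty.
#   stsadm -o setapppassword -password <farm-app-password>
#
# Search the vendor's own forest without stored credentials, and the customer
# domain with the least-privilege account created above.
#   stsadm -o setproperty -pn peoplepicker-searchadforests `
#          -pv "forest:vendor.example;domain:corp.example,corp\svc-vendor-pp,<password>" `
#          -url http://sharepoint.vendor.example
```

If the vendor later asks for more than Domain User membership for this account, that is the point to ask which specific directory query fails without it.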