Would you believe we did not have to open the firewall between the resource server and the domain controller in the opposite forest?
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 03/02/2004 08:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
Yes (due to the usage of NTLM trusts).
BTW, I'm sure you meant single domain forests ;-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 2 March 2004 13:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
Thanks for your response Guido!
Sorry for the sketchy detail and misnomers :-)
We are indeed speaking of Single Forest Domains running Win2K SP4. I should have more accurately used the term "authentication" as opposed to login :-)
The user will not log into a workstation in Forest B. They will remotely access a resource from their workstation in Forest A to resource server in forest B.
So to clarify (and this is the fine point we are trying to establish), does the resource server in Forest B *directly* contact a DC in Forest A?
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 03/02/2004 03:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
There isn't a simple answer to this, as it depends on multiple factors:
- the domain model within your forests and the trusts that you've set up between the two
- the SP level of 2000
(and it works quite a bit differently once you have 2003 forests)
But as a start: when you are _accessing_ a resource in a trusted forest B from a workstation in forest A, this is NOT a cross-forest login process. You are merely being _authorized_ to access the resource (the authentication of your account has already happened in your forest A). Actually, for Windows 2000, we can't really speak of two _forests_ that trust each other, as 2000 can only support NTLM trusts to domains outside its own forest (just like a trust between two NT4 domains). This means you're not setting up a trust from forest A to forest B; instead you have to set up trusts between all domains of each forest (if the forests are both single-domain forests, then it merely looks like you're building a forest trust). Assuming single domains, we'll continue speaking of trusted forests. By forest B trusting forest A, the authenticated user from forest A is allowed to access those resources where you grant the user (or a group that the user is a member of) the appropriate permissions.
However, as the trust between the two is built on NTLM (and not Kerberos), when the authenticated user from forest A accesses the resources in forest B, the NTLM token will be validated again against a DC from forest A (unlike Kerberos, where the token is enough to authorize access to the resource).
If the user from forest A walks up to a workstation in forest B, his authentication is naturally triggered on the workstation in forest B. This workstation follows the trust relationship between the forest/domain it's a member of and the user is finally authenticated via a DC/GC in forest A. So in this example, which GPOs are applied to the user and the workstation? Prior to SP4, the user's GPOs from forest/domain A are automatically applied as well as the workstation GPOs from forest/domain B. With SP4 you can explicitly configure the GPOs in each of the domains to allow you to determine GPO processing in "cross-forest" scenarios (i.e. by default, the user GPO from forest/domain A would NOT be applied to the user logging on to a workstation in forest/domain B).
/Guido
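The distinction Guido draws above (NTLM pass-through over an external trust versus a Kerberos-capable forest trust) can be read straight off the trustedDomain objects, and the secure channel that pass-through validation rides on can be checked from a DC. The following script is an added example, not code from the thread or from any of its participants. It assumes PowerShell 2.0 or later on a domain-joined host that can read the trustedDomain objects, that nltest.exe is available (Support Tools on Windows 2000/2003, built in since Windows Server 2008), and that the secure-channel check is run on a DC of the trusting domain (forest B in the thread's example). The bit values come from the MS-ADTS definition of trustAttributes.

```powershell
# Added example, not from the thread: classify each trust of the current domain
# as NTLM-only (external, Windows 2000 style) or Kerberos-capable (forest trust),
# and verify the Netlogon secure channel that NTLM pass-through validation uses.
# Assumptions: PowerShell 2.0+ on a domain-joined host that can read the
# trustedDomain objects; nltest.exe is on the PATH; for the secure-channel
# check, run on a DC of the trusting domain.

# trustAttributes bits as documented in MS-ADTS.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering on
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # Windows Server 2003+ forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20

function ConvertTo-TrustDirection([int]$Value) {
    switch ($Value) { 1 { "Inbound" } 2 { "Outbound" } 3 { "Bidirectional" } default { "Unknown($Value)" } }
}

function ConvertTo-TrustType([int]$Value) {
    switch ($Value) { 1 { "Downlevel (NT4)" } 2 { "Uplevel (AD)" } 3 { "MIT Kerberos" } default { "Other($Value)" } }
}

function Get-DomainTrust {
    # Read the trustedDomain objects of the current domain through ADSI; no
    # ActiveDirectory module needed, which matters on older management hosts.
    $searcher = [adsisearcher]"(objectClass=trustedDomain)"
    $searcher.PropertiesToLoad.AddRange([string[]]@("trustpartner", "trustdirection", "trusttype", "trustattributes"))
    foreach ($r in $searcher.FindAll()) {
        $attrs = [int]$r.Properties["trustattributes"][0]
        New-Object PSObject -Property @{
            Partner       = [string]$r.Properties["trustpartner"][0]
            Direction     = ConvertTo-TrustDirection ([int]$r.Properties["trustdirection"][0])
            Type          = ConvertTo-TrustType ([int]$r.Properties["trusttype"][0])
            ForestTrust   = [bool]($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
            WithinForest  = [bool]($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST)
            NonTransitive = [bool]($attrs -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            SidFiltering  = [bool]($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
        }
    }
}

function Get-TrustAuthPath($Trust) {
    # Which path a resource server in this domain takes to validate a user from $Trust.Partner.
    if ($Trust.WithinForest) { return "intra-forest: Kerberos referral chain inside the forest" }
    if ($Trust.ForestTrust)  { return "forest trust: Kerberos cross-realm referral, service ticket presented to the server" }
    return "external trust: NTLM pass-through, server -> own DC -> partner DC over the trust secure channel"
}

function Test-TrustSecureChannel([string]$Partner) {
    # nltest asks the local Netlogon service about its secure channel to $Partner.
    # On a DC of the trusting domain this is exactly the hop NTLM pass-through
    # validation takes, which is why the resource server itself needs no firewall
    # opening to the partner's DCs.
    $out = & nltest.exe "/sc_query:$Partner" 2>&1
    $ok  = ($LASTEXITCODE -eq 0) -and [bool]($out -match 'NERR_Success')
    New-Object PSObject -Property @{ Partner = $Partner; SecureChannelOk = $ok; Detail = ($out -join '; ') }
}

foreach ($t in Get-DomainTrust) {
    "{0,-35} {1,-13} {2,-16} {3}" -f $t.Partner, $t.Direction, $t.Type, (Get-TrustAuthPath $t)
    if (-not $t.WithinForest -and $t.Direction -ne "Inbound") {
        # Only an outbound (or two-way) trust gives this domain a channel to the partner.
        Test-TrustSecureChannel $t.Partner | Format-List Partner, SecureChannelOk, Detail
    }
}
```

On a Windows 2000 domain every trust to another forest shows up as an uplevel external trust without the 0x8 bit, which is the NTLM-only case the thread is about; the 0x8 forest-transitive bit only appears on a 2003 forest trust. The secure-channel check is the practical counterpart of the firewall observation at the top of the thread: if nltest on the forest B DC reports NERR_Success to forest A, pass-through validation has the path it needs even though the resource server itself cannot reach forest A's DCs.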
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, 1 March 2004 18:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can someone describe the cross-forest login process?
I am looking for a brief synopsis of the Windows 2000 cross-forest login process.
User in Forest A, accesses Resource in Forest B (one-way trust where Forest B trusts Forest A). How does the user get authenticated?
Specifically, when a resource is trying to authenticate a user from a trusted remote forest, does the authentication request only touch a local DC (presumably a GC) or does the authenticating server query a remote forest Domain Controller?
Thanks for any and all responses that shed light on this for me :-)
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
