Why?  What traffic is being passed then?
 
Can we assume the use of a Kerberos trust then?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 08, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?


Would you believe we did not have to open the firewall between the resource server and the domain controller in the opposite forest?

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456



"GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/02/2004 08:42 AM
Please respond to ActiveDir

        To:        [EMAIL PROTECTED]
        cc:
        Subject:        RE: [ActiveDir] Can someone describe the cross-forest login process?



yes (due to the usage of NTLM trusts).
 
BTW, I'm sure you meant single domain forests ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 2 March 2004 13:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?



Thanks for your response Guido!


Sorry for the sketchy detail and misnomers :-)


We are indeed speaking of Single Forest Domains running Win2K SP4. I should have more accurately used the term "authentication" as opposed to login :-)


The user will not log into a workstation in Forest B.  They will remotely access a resource from their workstation in Forest A to resource server in forest B.


So to clarify (and this is the fine point we are trying to establish), does the resource server in Forest B *directly* contact a DC in Forest A?


Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456


"GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/02/2004 03:42 AM
Please respond to ActiveDir

        To:        [EMAIL PROTECTED]
        cc:
        Subject:        RE: [ActiveDir] Can someone describe the cross-forest login process?




There isn't a simple answer to this, as it depends on multiple factors:

- the domain model within your forests and the trusts that you've set up between the two

- the SP level of 2000

(and it works quite a bit differently once you have 2003 forests)

 

But as a start: when you are _accessing_ a resource in a trusted forest B from a workstation in forest A, this is NOT a cross-forest login process. You are merely being _authorized_ to access the resource (the authentication of your account has already happened in your forest A). Actually, for Windows 2000, we can't really speak of two _forests_ that trust each other, as 2000 can only support NTLM trusts to domains outside its own forest (just like a trust between two NT4 domains). This means you're not setting up a trust from forest A to forest B; instead you have to set up trusts between all domains of each forest (if the forests are both single-domain forests, then it merely looks like you're building a forest trust). Assuming single domains, we'll continue speaking of trusted forests. By forest B trusting forest A, the authenticated user from forest A is allowed to access those resources where you grant the user (or a group that the user is a member of) the appropriate permissions.

 

However, as the trust between the two is built on NTLM (and not Kerberos), when the authenticated user from forest A accesses the resources in forest B, the NTLM token will be validated again against a DC from forest A (unlike Kerberos, where the token is enough to authorize access to the resource).

 
 

If the user from forest A walks up to a workstation in forest B, his authentication is naturally triggered on the workstation in forest B. This workstation follows the trust relationship between the forest/domain it's a member of and the user is finally authenticated via a DC/GC in forest A. So in this example, which are the GPOs that are applied to the user and the workstation? Prior to SP4, the user's GPOs from forest/domain A are automatically applied as well as the workstation GPOs from forest/domain B. With SP4 you can explicitly configure the GPOs in each of the domains to allow you to determine GPO processing in "cross-forest" scenarios (i.e. by default, the user GPO from forest/domain A would NOT be applied to the user logging on to a workstation in forest/domain B).

 
 

/Guido
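The hop-by-hop path that Guido's "validated again against a DC from forest A" implies is easy to lose in prose, so here is a small Python model of NTLM pass-through authentication across a one-way NTLM (external) trust. It is an added illustration, not code from this thread or from Microsoft: the domain names A and B, the host FS01, the user and group names are invented, HMAC-SHA256 stands in for the MD4/HMAC-MD5 arithmetic of real NTLM, and the trust is modelled simply as a DC-to-DC "secure channel" reference. What it shows is who talks to whom: the resource server in B sends the challenge/response pair only to a DC in its own domain, and it is that DC that forwards the request over the trust to a DC in A, so the resource server never needs a network path to the opposite forest's DCs.

```python
"""
Hop-by-hop model of NTLM pass-through authentication across a one-way
NTLM (external) trust: forest B trusts forest A, and a user who logged on
in A connects to file server FS01 in B.

Added illustration, not code from the thread or from Microsoft.  All
names are invented, and HMAC-SHA256 replaces the MD4/HMAC-MD5 maths of
real NTLM.  The Netlogon secure channel is modelled as a direct reference
from one DomainController object to another.
"""
import hashlib
import hmac
import os


def nt_hash(password: str) -> bytes:
    # Real NT hash is MD4 over UTF-16LE(password); SHA-256 is a stand-in here.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlm_response(nthash: bytes, challenge: bytes) -> bytes:
    # Simplified NTLMv2-style proof: keyed MAC of the server challenge.
    return hmac.new(nthash, challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self, domain: str, accounts: dict, trace: list):
        self.domain = domain
        self.accounts = accounts   # user -> (nthash, [groups])
        self.trusts = {}           # trusted domain -> its DC (trust secure channel)
        self.trace = trace         # shared list of (caller, callee) hops

    def name(self) -> str:
        return f"DC-{self.domain}"

    def sam_logon(self, caller: str, domain: str, user: str,
                  challenge: bytes, response: bytes) -> dict:
        """Netlogon-style pass-through validation request."""
        self.trace.append((caller, self.name()))
        if domain != self.domain:
            # Not my account domain: forward over the trust's secure channel.
            remote = self.trusts.get(domain)
            if remote is None:
                return {"ok": False, "reason": "no trust path"}
            return remote.sam_logon(self.name(), domain, user, challenge, response)
        entry = self.accounts.get(user)
        if entry is None:
            return {"ok": False, "reason": "no such user"}
        nthash, groups = entry
        if not hmac.compare_digest(ntlm_response(nthash, challenge), response):
            return {"ok": False, "reason": "bad response"}
        return {"ok": True, "sid": f"S-1-5-21-{domain}-{user}", "groups": list(groups)}


class Workstation:
    """Client in forest A; holds the credentials from the interactive logon."""
    def __init__(self, domain: str, user: str, password: str):
        self.domain, self.user = domain, user
        self.nthash = nt_hash(password)

    def answer(self, challenge: bytes):
        return self.domain, self.user, ntlm_response(self.nthash, challenge)


class ResourceServer:
    """File server in forest B; it only ever talks to its own domain's DC."""
    def __init__(self, name: str, dc: DomainController, acl: set):
        self.name, self.dc, self.acl = name, dc, acl

    def connect(self, client: Workstation) -> dict:
        challenge = os.urandom(8)                       # NTLM server challenge
        domain, user, response = client.answer(challenge)
        result = self.dc.sam_logon(self.name, domain, user, challenge, response)
        if not result["ok"]:
            return {"authorized": False, "reason": result["reason"]}
        # Authorization is local: compare the returned groups against the ACL.
        return {"authorized": bool(self.acl & set(result["groups"])),
                "sid": result["sid"]}


def run_scenario(password: str = "correct horse") -> tuple:
    """Returns (server result, ordered list of (caller, callee) hops)."""
    trace = []
    dc_a = DomainController("A", {"mparent": (nt_hash("correct horse"), ["A\\Web-Team"])}, trace)
    dc_b = DomainController("B", {}, trace)
    dc_b.trusts["A"] = dc_a     # one-way: B trusts A, so only DC-B forwards to DC-A
    fs01 = ResourceServer("FS01", dc_b, acl={"A\\Web-Team"})
    return fs01.connect(Workstation("A", "mparent", password)), trace


if __name__ == "__main__":
    result, hops = run_scenario()
    print(result)
    for caller, callee in hops:
        print(f"{caller} -> {callee}")
```

Running it prints the two hops FS01 -> DC-B and DC-B -> DC-A; with a wrong password the hops are the same but DC-A answers "bad response". The firewall consequence follows directly: the rule that has to exist is between the DCs of the two forests, not between the member server and the remote DCs.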



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, 1 March 2004 18:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can someone describe the cross-forest login process?



I am looking for a brief synopsis of the Windows 2000 cross-forest login process.
User in Forest A, accesses Resource in Forest B (one-way trust where Forest B trusts Forest A). How does the user get authenticated?


Specifically, when a resource is trying to authenticate a user from a trusted remote forest, does the authentication request only touch a local DC (presumably a GC) or does the authenticating server query a remote forest Domain Controller?


Thanks for any and all responses that shed light on this for me :-)


Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456


