Right we opened up a hole between the two DCs (GCs actually) and nothing besides web traffic to the resource server.
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/08/2004 10:24 PM
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
The way I understand it, what should have happened is that the client in A should have connected to the resource server in B, the resource server should have contacted the DC of domain B that it has its secure channel to, and then that DC of B will pass-through check with a DC of domain A, the user's domain.
The resource server never would have gone back to domain A unless it was a DC itself and had a secure channel directly to A.
This definitely should have something coming back to the domain of the user. I would guess you have the holes to the DC of domain B already, or you have holes between the B and A DCs.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, March 08, 2004 2:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
wow - that's a nice surprise - not sure if this is a feature of NTLMv2 or if I simply had it wrong. I am pretty sure that in NT4 days the resource server would only check with its DC to see if a token trying to access it comes from a trusted domain and would then request the authentication process *directly*. But good to know if this isn't the case for trusts between two W2k domains!
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 8 March 2004 17:04
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
It's Win2K -> Win2K, so it's an NTLM trust, but we decided to try it without opening the firewall between the resource server in Forest B and the Domain Controller in Forest A, and it worked.
We put the requisite LMHOSTS information for the two DCs to find one another, and we are seeing that it's the Forest B domain controller (not the Forest B resource server) contacting the Forest A domain controller.
This is how I thought it would work originally, but for the life of me I couldn't properly verbalize why, except that because it's a resource in another domain, the resource server would contact its GC server instead of the foreign domain controller directly...
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "Mulnick, Al" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/08/2004 10:38 AM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
Why? What traffic is being passed then?
Can we assume the use of a Kerberos trust then?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 08, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
Would you believe we did not have to open the firewall between the resource server and the domain controller in the opposite forest?
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/02/2004 08:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
yes (due to the usage of NTLM trusts).
BTW, I'm sure you meant single domain forests ;-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 2 March 2004 13:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
Thanks for your response Guido!
Sorry for the sketchy detail and misnomers :-)
We are indeed speaking of Single Forest Domains running Win2K SP4. I should have more accurately used the term "authentication" as opposed to login :-)
The user will not log into a workstation in Forest B. They will remotely access a resource from their workstation in Forest A to resource server in forest B.
So to clarify (and this is the fine point we are trying to establish), does the resource server in Forest B *directly* contact a DC in Forest A?
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/02/2004 03:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can someone describe the cross-forest login process?
there isn't a simple answer to this, as it depends on multiple factors
- the domain model within your forests and the trusts that you've setup between the two
- the SP level of 2000
(and it works quite a bit different once you have 2003 forests)
but as a start: when you are _accessing_ a resource in a trusted forest B from a workstation in forest A, this is NOT a cross-forest login process. You are merely being _authorized_ to access the resource (the authentication of your account has already happened in your forest A). Actually, for Windows 2000, we can't really speak of two _forests_ that trust each other, as 2000 can only support NTLM trusts to domains outside its own forest (just like a trust between two NT4 domains). This means you're not setting up a trust from forest A to forest B; instead you have to set up trusts between all domains of each forest (if the forests are both single-domain forests, then it merely looks like you're building a forest trust). Assuming single domains, we'll continue speaking of trusted forests. By forest B trusting forest A, the authenticated user from forest A is allowed to access those resources where you grant the user (or a group that the user is a member of) the appropriate permissions.
However, as the trust between the two is built on NTLM (and not Kerberos), when the authenticated user from forest A accesses the resources in forest B, the NTLM token will be validated again against a DC from forest A (unlike Kerberos, where the token is enough to authorize access to the resource).
If the user from forest A walks up to a workstation in forest B, his authentication is naturally triggered on the workstation in forest B. This workstation follows the trust relationship between the forest/domain it's a member of, and the user is finally authenticated via a DC/GC in forest A. So in this example, which are the GPOs that are applied to the user and the workstation? Prior to SP4, the user's GPOs from forest/domain A are automatically applied as well as the workstation GPOs from forest/domain B. With SP4 you can explicitly configure the GPOs in each of the domains to allow you to determine GPO processing in "cross-forest" scenarios (i.e. by default, the user GPO from forest/domain A would NOT be applied to the user logging on to a workstation in forest/domain B).
/Guido
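To make the hop sequence concrete (joe's description of the pass-through path above, and Guido's point that an NTLM trust re-validates against a DC in the user's forest), here is a small Python model added for illustration. It is not code from the thread or from Microsoft; the host names (ws-a, dc-a, websrv-b, dc-b), the domain names, and the Topology structure are constructed. It walks the secure channels the way the thread describes them and derives which host pairs actually need a firewall opening, so you can see that the resource server in B never has to reach a DC in A, while a DC-to-DC hole is required.

```python
"""Constructed model of which hosts must reach which during cross-forest
NTLM pass-through authentication (Windows 2000 style, NTLM trust between
single-domain forests). Illustration of the flow described in the thread,
not Microsoft's implementation; all names and structures are invented."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    domain: str
    is_dc: bool = False


@dataclass
class Topology:
    hosts: dict           # host name -> Host
    member_dc: dict       # member host name -> DC it holds a secure channel to
    trust_channel: dict   # (trusting domain, trusted domain) -> (trusting DC, trusted DC)

    def host(self, name):
        return self.hosts[name]

    def ntlm_passthrough_flows(self, client_name, server_name):
        """Ordered (src, dst, purpose) hops when a user from the client's
        domain accesses server_name over NTLM."""
        client = self.host(client_name)
        server = self.host(server_name)
        flows = [(client.name, server.name, "NTLM challenge/response")]
        # A member server only ever talks to the DC it has a secure channel to;
        # a DC acting as the resource server validates on its own.
        if server.is_dc:
            validator = server
        else:
            validator = self.host(self.member_dc[server.name])
            flows.append((server.name, validator.name,
                          "pass-through validation over member secure channel"))
        if client.domain != validator.domain:
            key = (validator.domain, client.domain)
            if key not in self.trust_channel:
                # One-way trust: no channel in this direction, so no validation path.
                raise LookupError(f"{validator.domain} does not trust {client.domain}")
            trusting_dc, trusted_dc = self.trust_channel[key]
            if trusting_dc != validator.name:
                flows.append((validator.name, trusting_dc,
                              "forward to the DC holding the trust secure channel"))
            flows.append((trusting_dc, trusted_dc,
                          "pass-through validation over interdomain trust channel"))
        return flows


def firewall_pairs(flows):
    """Collapse the hop list into the (src, dst) host pairs that must be
    allowed through; every other cross-forest pair can stay closed."""
    return {(src, dst) for src, dst, _ in flows}


def build_thread_topology():
    """Two single-domain forests; forestB trusts forestA (one-way). Constructed."""
    hosts = {h.name: h for h in [
        Host("ws-a", "forestA"),
        Host("dc-a", "forestA", is_dc=True),
        Host("websrv-b", "forestB"),
        Host("dc-b", "forestB", is_dc=True),
    ]}
    return Topology(
        hosts=hosts,
        member_dc={"ws-a": "dc-a", "websrv-b": "dc-b"},
        trust_channel={("forestB", "forestA"): ("dc-b", "dc-a")},
    )


if __name__ == "__main__":
    topo = build_thread_topology()
    flows = topo.ntlm_passthrough_flows("ws-a", "websrv-b")
    for src, dst, why in flows:
        print(f"{src:>9} -> {dst:<9} {why}")
    print("firewall openings needed:", sorted(firewall_pairs(flows)))
```

Running it lists three hops (ws-a to websrv-b, websrv-b to dc-b, dc-b to dc-a); the pair (websrv-b, dc-a) never appears, which matches what was observed with only web traffic allowed to the resource server and a hole between the two DCs. Swapping the direction (a forest B client against a forest A resource) raises LookupError, reflecting the one-way trust.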
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, 1 March 2004 18:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can someone describe the cross-forest login process?
I am looking for a brief synopsis of the Windows 2000 cross-forest login process.
User in Forest A, accesses Resource in Forest B (one-way trust where Forest B trusts Forest A). How does the user get authenticated?
Specifically, when a resource is trying to authenticate a user from a trusted remote forest, does the authentication request only touch a local DC (presumably a GC) or does the authenticating server query a remote forest Domain Controller?
Thanks for any and all responses that shed light on this for me :-)
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
