lets say the structure is:
 
CLIENT-DOMAIN_A     .....     DC-DOMAIN_A    ......    DC-DOMAIN_B       ...... 
  MEMBERSRV-DOMAIN_B
 
if NTLM is used the order of authentication is:
(1) CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
(2) CLIENT-DOMAIN_A connects to MEMBERSRV-DOMAIN_B
(3) MEMBERSRV-DOMAIN_B connects to DC-DOMAIN_B and asks do you know: 
CLIENT-DOMAIN_A
(4) DC-DOMAIN_B says NO, but I do trust DOMAIN_A. Let me check.
(5) DC-DOMAIN_B connects to DC-DOMAIN_A and asks do you know: CLIENT-DOMAIN_A
(6) DC-DOMAIN_A says: yes, it's OK
(7) DC-DOMAIN_B sets up an access token for domain B for CLIENT-DOMAIN_A.
(8) CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B
 
if KERBEROS is used the order of authentication is:
(1) CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
(2) CLIENT-DOMAIN_A connects to DC-DOMAIN_A and asks for a ticket to access 
MEMBERSRV-DOMAIN_B
(3) DC-DOMAIN_A says: let me check, just a sec.
(4) DC-DOMAIN_A says: that server does not exist within the domain or the 
forest. However I do have a trust with DOMAIN_B. Go to DC-DOMAIN_B
(5) CLIENT-DOMAIN_A connects to DC-DOMAIN_B and asks for a ticket to access 
MEMBERSRV-DOMAIN_B
(6) DC-DOMAIN_B says: let me check, just a sec.
(7) DC-DOMAIN_B says: here's your ticket and access token. have fun
(8) CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B
 
the problem is that only DC-DOMAIN_A and DC-DOMAIN_B can communicate through 
the firewall with each other. Other communication paths are not available or 
possible because of the firewall configuration.
 
Or did I miss something?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel     : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : [EMAIL PROTECTED]

________________________________

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2006-03-14 16:35
To: [email protected]
Subject: [ActiveDir] Communication across a trust...with firewalls



Within a domain, when a user's credentials are presented to a member server, 
that member server communicates with the domain controller to validate the 
creds.

 

We have a cross-forest (cross-company; a divestiture) trust set up that we are 
testing.  A member server in the other forest/domain and across the firewall is 
having trouble authenticating credentials from our domain.  Their DC works 
fine.  Ports on the firewall are only opened for the two domain controllers 
(one on each side).

 

Here's the question:  in order to validate the "foreign" credentials, should 
the member server be looking first to its own DC, or is it trying to cross the 
firewall to find our DC?  Based in the preliminary traffic sampling so far, I 
think that's what is happening.  Is that normal/expected behavior?

 

TIA,

AL

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

<<winmail.dat>>

Reply via email to