From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, March
14, 2006 2:47 PM
To:
[email protected]
Subject: RE: [ActiveDir] Communication
across a trust...with firewalls
lets say the
structure is:
CLIENT-DOMAIN_A
..... DC-DOMAIN_A
...... DC-DOMAIN_B
...... MEMBERSRV-DOMAIN_B
if NTLM is used the order of
authentication is:
(1) CLIENT-DOMAIN_A wants to
access MEMBERSRV-DOMAIN_B
(2)
CLIENT-DOMAIN_A connects
to MEMBERSRV-DOMAIN_B
(3) MEMBERSRV-DOMAIN_B connects
to DC-DOMAIN_B and asks do you know: CLIENT-DOMAIN_A
(4) DC-DOMAIN_B says NO, but I
do trust DOMAIN_A. Let me check.
(5) DC-DOMAIN_B connects
to DC-DOMAIN_A and asks do you know:
CLIENT-DOMAIN_A
(6) DC-DOMAIN_A says: yes, it's
OK
(7) DC-DOMAIN_B sets up an
access token for domain B for CLIENT-DOMAIN_A.
(8) CLIENT-DOMAIN_A accesses
MEMBERSRV-DOMAIN_B
if KERBEROS is used the
order of authentication is:
(1) CLIENT-DOMAIN_A wants to
access MEMBERSRV-DOMAIN_B
(2)
CLIENT-DOMAIN_A connects to DC-DOMAIN_A and asks for a ticket to
access MEMBERSRV-DOMAIN_B
(3) DC-DOMAIN_A says: let me
check, just a sec.
(4) DC-DOMAIN_A says: that
server does not exist within the domain or the forest. However I do have a
trust with DOMAIN_B. Go to DC-DOMAIN_B
(5) CLIENT-DOMAIN_A connects
to DC-DOMAIN_B and asks for a ticket to access
MEMBERSRV-DOMAIN_B
(6) DC-DOMAIN_B says: let me
check, just a sec.
(7) DC-DOMAIN_B says: here's
your ticket and access token. have fun
(8) CLIENT-DOMAIN_A accesses
MEMBERSRV-DOMAIN_B
the problem is that only
DC-DOMAIN_A and DC-DOMAIN_B can communicate through the firewall with each
other. Other communication paths are not available or possible because of the
firewall configuration.
Within a domain, when a user’s
credentials are presented to a member server, that member server communicates
with the domain controller to validate the creds.
We have a cross-forest
(cross–company; a divestiture) trust set up that we are testing. A
member server in the other forest/domain and across the firewall is having
trouble authenticating credentials from our domain. Their DC works
fine. Ports on the firewall are only opened for the two domain
controllers (one on each side).
Here’s the question: in
order to validate the “foreign” credentials, should the member server be
looking first to its own DC, or is it trying to cross the firewall to find our
DC? Based in the preliminary traffic sampling so far, I think that’s
what is happening. Is that normal/expected behavior?
TIA,
AL
Al
Maurer
Service
Manager, Naming and Authentication Services
IT | Information Technology
Agilent
Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com