From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge
de
Sent: Tuesday, March 14,
2006 2:47 PM
To:
[email protected]
Subject: RE: [ActiveDir] Communication
across a trust...with firewalls
lets say the
structure is:
CLIENT-DOMAIN_A
..... DC-DOMAIN_A
...... DC-DOMAIN_B
...... MEMBERSRV-DOMAIN_B
if NTLM is used the order of
authentication is:
(1) CLIENT-DOMAIN_A wants to
access MEMBERSRV-DOMAIN_B
(2)
CLIENT-DOMAIN_A connects
to MEMBERSRV-DOMAIN_B
(3) MEMBERSRV-DOMAIN_B
connects to DC-DOMAIN_B and asks do you know:
CLIENT-DOMAIN_A
(4) DC-DOMAIN_B says NO, but I
do trust DOMAIN_A. Let me check.
(5) DC-DOMAIN_B connects
to DC-DOMAIN_A and asks do you know:
CLIENT-DOMAIN_A
(6) DC-DOMAIN_A says: yes,
it's OK
(7) DC-DOMAIN_B sets up an
access token for domain B for CLIENT-DOMAIN_A.
(8) CLIENT-DOMAIN_A accesses
MEMBERSRV-DOMAIN_B
if KERBEROS is used the
order of authentication is:
(1) CLIENT-DOMAIN_A wants to
access MEMBERSRV-DOMAIN_B
(2)
CLIENT-DOMAIN_A connects to DC-DOMAIN_A and asks for a ticket to
access MEMBERSRV-DOMAIN_B
(3) DC-DOMAIN_A says: let me
check, just a sec.
(4) DC-DOMAIN_A says: that
server does not exist within the domain or the forest. However I do have a
trust with DOMAIN_B. Go to DC-DOMAIN_B
(5) CLIENT-DOMAIN_A connects
to DC-DOMAIN_B and asks for a ticket to access
MEMBERSRV-DOMAIN_B
(6) DC-DOMAIN_B says: let me
check, just a sec.
(7) DC-DOMAIN_B says: here's
your ticket and access token. have fun
(8) CLIENT-DOMAIN_A accesses
MEMBERSRV-DOMAIN_B
the problem is that only
DC-DOMAIN_A and DC-DOMAIN_B can communicate through the firewall with each
other. Other communication paths are not available or possible because of
the firewall configuration.
Within a domain, when a user’s
credentials are presented to a member server, that member server
communicates with the domain controller to validate the
creds.
We have a cross-forest
(cross–company; a divestiture) trust set up that we are testing. A
member server in the other forest/domain and across the firewall is having
trouble authenticating credentials from our domain. Their DC works
fine. Ports on the firewall are only opened for the two domain
controllers (one on each side).
Here’s the question: in
order to validate the “foreign” credentials, should the member server be
looking first to its own DC, or is it trying to cross the firewall to find
our DC? Based in the preliminary traffic sampling so far, I think
that’s what is happening. Is that normal/expected
behavior?
TIA,
AL
Al
Maurer
Service
Manager, Naming and Authentication Services
IT | Information
Technology
Agilent Technologies
(719) 590-2639; Telnet
590-2639
http://activedirectory.it.agilent.com