Thanks Brian! I'll check on why the client in project.corp wasn't trying to use Kerberos.
On Thu, Dec 8, 2016 at 4:12 PM Brian Desmond <[email protected]> wrote:

> RODCs won't help because RODCs don't have trust passwords cached locally.
>
> If this is done via Kerb there shouldn't be any communication from the resource in the "project" forest to a DC in the "corp" forest. The client in the corp forest will need to contact a "project" DC, though.
>
> Thanks,
> Brian Desmond
> w – 312.625.1438 | c – 312.731.3132
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eric Wittersheim
> Sent: Thursday, December 8, 2016 11:27 AM
> To: [email protected]
> Subject: Re: [NTSysADM] External trust issue
>
> Melvin,
>
> I'm not sure about Federation. I'll toss out the idea of a RODC, that might be possible.
>
> Thanks,
> Eric
>
> On Thu, Dec 8, 2016 at 11:00 AM, Melvin Backus <[email protected]> wrote:
>
> > Just spitballing here, but would federation help that? Or put an RODC for company.corp on location at custproj.corp
> >
> > --
> > There are 10 kinds of people in the world...
> > those who understand binary and those who don't.
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Eric Wittersheim
> > Sent: Thursday, December 8, 2016 11:36 AM
> > To: [email protected]
> > Subject: [NTSysADM] External trust issue
> >
> > I have an interesting project that I'm working on and I believe I have hit a snag that is going to throw a big monkey wrench in the deal.
> >
> > Here is what I have to work with.
> >
> > 2 domains in separate forests.
> >
> > Company.corp
> > CustProj.corp
> >
> > I have created a one way trust that allows users from Company.corp to authenticate to users in CustProj.corp. Inside of CustProj.corp there are a number of servers that users can authenticate using Company.corp credentials. The rub is when a user is logging into server1.CustProj.corp using Company.corp credentials the authentication request goes to a DC in Company.corp. This I believe is by design from Microsoft but requirements for this project dictate that there cannot be authentication requests from [servers].CustProj.corp to any DCs at Company.corp. The hope was to have the DC at CustProj.corp relay the auth requests on behalf of the client. Is there any way to force this? Am I missing something that I can set this? Any ideas or third party products that might help?
> >
> > Eric
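Brian's point turns on whether the Company.corp users reaching server1.CustProj.corp are authenticating with Kerberos or falling back to NTLM, which is exactly what the follow-up ("why the client wasn't trying to use Kerberos") needs to establish. The script below is an added example, not code from anyone in the thread: it reads successful logon events (ID 4624) from a CustProj.corp server and tallies Company.corp logons by authentication package, so NTLM fallbacks stand out. The server name comes from the thread; the NetBIOS name COMPANY and the 24-hour window are assumptions.

```powershell
# Added example (not from the thread). Run from an account that can read the
# Security log on the target server; requires the Security log to be auditing
# logon events (4624), which is the default on Windows Server.
param(
    [string]$ComputerName  = 'server1.CustProj.corp', # server named in the thread
    [string]$TrustedDomain = 'COMPANY',               # assumed NetBIOS name of Company.corp
    [int]$Hours = 24                                  # assumed look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value table
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Skip computer accounts and anonymous logons; keep user logons only
    if ($d.TargetUserName -like '*$' -or $d.TargetUserName -eq 'ANONYMOUS LOGON') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Domain      = $d.TargetDomainName            # COMPANY vs CUSTPROJ
        User        = $d.TargetUserName
        LogonType   = $d.LogonType                   # 2 interactive, 3 network, 10 RDP
        AuthPackage = $d.AuthenticationPackageName   # Kerberos or NTLM
        LmPackage   = $d.LmPackageName               # e.g. NTLM V2 when AuthPackage is NTLM
        SourceIP    = $d.IpAddress
    }
}

# Summary: how Company.corp users are actually authenticating to this server
$rows | Where-Object { $_.Domain -eq $TrustedDomain } |
    Group-Object AuthPackage, LogonType |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Detail: the most recent Company.corp logons that used NTLM instead of Kerberos
$rows | Where-Object { $_.Domain -eq $TrustedDomain -and $_.AuthPackage -eq 'NTLM' } |
    Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, User, LogonType, LmPackage, SourceIP -AutoSize
```

A Company.corp logon recorded as NTLM is one where the CustProj DC had to pass the request across the trust, which is the traffic pattern the thread is trying to avoid; Kerberos logons show the client obtained a ticket from a CustProj DC as Brian describes.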

