Most LDAP client applications won't chase referrals... and at any rate, the server in Domain B would need some sort of credential privileged enough to search Domain A.
--Steve On Thu, Aug 30, 2012 at 8:35 AM, Christopher Bodnar < [email protected]> wrote: > Yes Ken you have summed it up correctly. Never had to do something like > this before, but find it odd that this is no work around to get the Domain > B DC to hand off the authentication to the Domain A DC for the client. I've > got a call with Microsoft today to discuss this. I think you are right, the > only way I'm going to get this to work is to have the application server > (client) be allowed to authenticate to domain A after the DC hands it the > referral. Ugh... > > Thanks > > *Christopher Bodnar* > Enterprise Architect I, Corporate Office of Technology:Enterprise > Architecture and Engineering Services Tel 610-807-6459 > 3900 Burgess Place, Bethlehem, PA 18017 > [email protected] > > > * > The Guardian Life Insurance Company of America* > * > **www.guardianlife.com* <http://www.guardianlife.com/> > > > > > > > From: Ken Schaefer <[email protected]> > To: "NT System Admin Issues" <[email protected] > > > Date: 08/29/2012 10:09 PM > Subject: RE: LDAP authentication across external trust > ------------------------------ > > > > Unless I’m reading your setup incorrectly: > You have a one-way trust with selective authentication. When WebPortal > (part of Domain B) contacts a Domain B DC, the Domain B DC would provide a > referral to a Domain A DC (assuming the correct external cross-reference > object exists). However your web portal server in Domain B would not be > able to authenticate to the Domain A DC. > > So, you either need a two-way trust, or configure your application to bind > to a Domain A DC (with Domain A service account) to validate users. > > Cheers > Ken > > *From:* Christopher Bodnar > [mailto:[email protected]<[email protected]>] > * > Sent:* Thursday, 30 August 2012 7:16 AM* > To:* NT System Admin Issues* > Subject:* Re: LDAP authentication across external trust > > Sorry ... separate forests. (acme.com and widgets.com) > > *Christopher Bodnar* > Enterprise Architect I, Corporate Office of Technology:Enterprise > Architecture and Engineering Services Tel 610-807-6459 > 3900 Burgess Place, Bethlehem, PA 18017 * > **[email protected]* * > > The Guardian Life Insurance Company of America** > ** > **www.guardianlife.com* <http://www.guardianlife.com/> > > > > > > From: Don Kuhlman <*[email protected]* <[email protected]>> > To: "NT System Admin Issues" <* > [email protected]*<[email protected]> > > > Date: 08/29/2012 04:59 PM > Subject: Re: LDAP authentication across external trust > > ------------------------------ > > > > > Hi Chris. Are they in the same Forest or separate ? eg > domaina.company.com and domainb.company.com or domaina.com an domainb.com? > > Don K > > > ------------------------------ > > *From:* Christopher Bodnar > <*[email protected]*<[email protected]> > >* > To:* NT System Admin Issues > <*[email protected]*<[email protected]>> > * > Sent:* Wednesday, August 29, 2012 2:08 PM* > Subject:* LDAP authentication across external trust > > We have 2 domains with a one way trust relationship (Domain A is Trusted, > Domain B is Trusting). Domain B is in a DMZ. So Domain A users can access > resources in domain B with their Domain A credentials. Also using selective > authentication for this trust. Works great > > Working with a vendor to implement a new system. The issue is that they > are trying to authenticate Domain A users from within Domain B (web portal > is in domain B) across the trust relationship using LDAP. So they are > pointing the LDAP bind to a Domain B DC, and it's not working. Anyone doing > something like this? Never had to setup anything like this before. Vendor > isn't real helpful in this situation. I'm not even positive what domain the > base DN should be. Been trying both each time we make a change. So far no > luck. Also not seeing any specific errors on the domain controller yet. Bad > thing is that not sure what DC the Domain B domain controller is bouncing > the request off of in Domain A. We have quite a few, and the logs are > pretty hefty. Probably gonna have to put WireShark on this to look at the > packets to get a clue. > > Any help is appreciated. > > Thanks, > > *Christopher Bodnar* > Enterprise Architect I, Corporate Office of Technology:Enterprise > Architecture and Engineering Services Tel 610-807-6459 > 3900 Burgess Place, Bethlehem, PA 18017 * > **[email protected]* * > > The Guardian Life Insurance Company of America** > > **www.guardianlife.com* <http://www.guardianlife.com/> > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<image/jpeg>>
<<image/jpeg>>
<<image/jpeg>>
