Domain B DC can send a referral to the client telling the client to go to a Domain A DC (it requires that the external reference object exist in the directory, but it should be there) – that’s how LDAP works. Domain B DC will not “proxy” the authentication request (unlike NTLM) to the Domain A DC.
Kerberos works the same way as LDAP, NTLM works a different way. It’s just the way the protocol works. In any case, even if Domain B DC were able to proxy the request to a Domain A DC, it doesn’t have permissions to authenticate to a Domain A DC because you have a one-way trust. Cheers Ken From: Christopher Bodnar [mailto:[email protected]] Sent: Thursday, 30 August 2012 10:35 PM To: NT System Admin Issues Subject: RE: LDAP authentication across external trust Yes Ken you have summed it up correctly. Never had to do something like this before, but find it odd that this is no work around to get the Domain B DC to hand off the authentication to the Domain A DC for the client. I've got a call with Microsoft today to discuss this. I think you are right, the only way I'm going to get this to work is to have the application server (client) be allowed to authenticate to domain A after the DC hands it the referral. Ugh... Thanks Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected]<mailto:> [cid:[email protected]] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> From: Ken Schaefer <[email protected]<mailto:[email protected]>> To: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Date: 08/29/2012 10:09 PM Subject: RE: LDAP authentication across external trust ________________________________ Unless I’m reading your setup incorrectly: You have a one-way trust with selective authentication. When WebPortal (part of Domain B) contacts a Domain B DC, the Domain B DC would provide a referral to a Domain A DC (assuming the correct external cross-reference object exists). However your web portal server in Domain B would not be able to authenticate to the Domain A DC. So, you either need a two-way trust, or configure your application to bind to a Domain A DC (with Domain A service account) to validate users. Cheers Ken From: Christopher Bodnar [mailto:[email protected]] Sent: Thursday, 30 August 2012 7:16 AM To: NT System Admin Issues Subject: Re: LDAP authentication across external trust Sorry ... separate forests. (acme.com and widgets.com) Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected]<mailto:> [cid:[email protected]] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> From: Don Kuhlman <[email protected]<mailto:[email protected]>> To: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Date: 08/29/2012 04:59 PM Subject: Re: LDAP authentication across external trust ________________________________ Hi Chris. Are they in the same Forest or separate ? eg domaina.company.com and domainb.company.com or domaina.com an domainb.com ? Don K ________________________________ From: Christopher Bodnar <[email protected]<mailto:[email protected]>> To: NT System Admin Issues <[email protected]<mailto:[email protected]>> Sent: Wednesday, August 29, 2012 2:08 PM Subject: LDAP authentication across external trust We have 2 domains with a one way trust relationship (Domain A is Trusted, Domain B is Trusting). Domain B is in a DMZ. So Domain A users can access resources in domain B with their Domain A credentials. Also using selective authentication for this trust. Works great Working with a vendor to implement a new system. The issue is that they are trying to authenticate Domain A users from within Domain B (web portal is in domain B) across the trust relationship using LDAP. So they are pointing the LDAP bind to a Domain B DC, and it's not working. Anyone doing something like this? Never had to setup anything like this before. Vendor isn't real helpful in this situation. I'm not even positive what domain the base DN should be. Been trying both each time we make a change. So far no luck. Also not seeing any specific errors on the domain controller yet. Bad thing is that not sure what DC the Domain B domain controller is bouncing the request off of in Domain A. We have quite a few, and the logs are pretty hefty. Probably gonna have to put WireShark on this to look at the packets to get a clue. Any help is appreciated. Thanks, Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected]<mailto:> [cid:[email protected]] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<inline: image001.jpg>>
