
Win2k AD:User Authentication Across Forests? (technical)

This one's not for the noobs.

I have two forests (both native mode), am admin in both. I have users logging into Forest A and they need to connect to a broker service (atria) in Forest B.

Is there some way I can set up user mappings in Forest B to accept the users from Forest A (the reverse is not needed)? Maybe enter their SIDs into a universal group?

Any help would be greatly appreciated!!

Thanks,
Ryan
 
I believe you would need to set up a trust in Forest B (so that it trusts Forest A). Then in Forest B give the Forest A accounts access to your broker service.

No need to map accounts; once the trust is established Forest B will be able to make use of Forest A accounts in ACLs (and just about everything else).
 
Originally posted by: spyordie007
I believe you would need to set up a trust in Forest B (so that it trusts Forest A). Then in Forest B give the Forest A accounts access to your broker service.

No need to map accounts; once the trust is established Forest B will be able to make use of Forest A accounts in ACLs (and just about everything else).

I appreciate your response, but the trust is impossible due to "office politics". We may end up setting up a separate OU in Forest B, with only the Admins from Forest A to run it.

If anyone has another idea, that would be great!

Thanks,
Ryan
 
I honestly can't see how you will be doing this without any trusts. We did this at work, with trusts, and things more or less worked OK.
 
I agree. I think you need to have trust to do this - it's what they are for. No Domain Controller is going to let a user from an untrusted domain log in.
 
Trust++

A forest will never know about accounts in other forests without a trust. That's basic Windows enterprise networking.
 
You can do this if you issue certificates. You need a cert server in Forest A and one in B that trust each other. Issue the certs in Forest A to the user and create another account in Forest B for the user. Apply the same cert to both accounts.
 
Originally posted by: AlmostInsane
You can do this if you issue certificates. You need a cert server in Forest A and one in B that trust each other. Issue the certs in Forest A to the user and create another account in Forest B for the user. Apply the same cert to both accounts.

That will have no effect on permissions, which is what would control access to a service in forest A.
 
I think you should take the word from Stash, my man; he really seems like the go-to guy when it comes to MS Networking here on these forums.

Why would a trust be such a bad thing?
 
Originally posted by: STaSh
Originally posted by: AlmostInsane
You can do this if you issue certificates. You need a cert server in Forest A and one in B that trust each other. Issue the certs in Forest A to the user and create another account in Forest B for the user. Apply the same cert to both accounts.

That will have no effect on permissions, which is what would control access to a service in forest A.

He didn't say anything about permissioning, just authentication.

 
You're assuming the application the OP needs users to access will authenticate with PKI. If it does, then yes you can map certificates to user accounts.

The user presents the cert to the application, the application checks AD for the user account and if it finds it, the user is authenticated and has all the associated rights.

Here's some info on certificate mapping: http://www.microsoft.com/resou...ki_cyek.asp?frame=true
 
Just set up a one-way external trust so Forest B trusts Forest A.
Don't know much about certificates, but maybe something like setting up a standalone certificate authority using web enrollment to obtain certificates, with accounts in Forest B for external users.

What about a VPN?
 
Thanks for all your responses.

The issue is the Atria Broker Service; it uses Windows creds to determine whether or not remote clients can attach. We ended up just making new OUs for our client machines.

As for the trust, I know that is the smart way to go... but office politics are more powerful than truth.

Thanks again.
 
but office politics are more powerful than truth

Then the execs are not going to get what they are looking for. I'm curious about what their position is on a trust. In this case, the trust would only need to be a one-way trust.
 
Being that it's a financial service I can see them being very paranoid about trusts. The IT staff at Atria probably has a policy of no external trusts because it increases the chance of privilege elevation attacks. SID filtering helps prevent this but does not stop it. Since they are relying on AD for authentication it becomes extra important to protect your forest.
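As an added illustration of the one-way external trust and SID filtering the last two posts describe (example code, not from any poster in this thread): run on a Forest B domain controller after the trust exists, it reports the trust's direction from B's side and turns SID filtering on if it is off. It assumes the ActiveDirectory RSAT module (newer than the Win2k environment in the thread) and uses placeholder domain names.

```powershell
# Assumed: ActiveDirectory module available, run as a domain admin in Forest B.
Import-Module ActiveDirectory

$trustingDomain = 'forestb.example'   # placeholder: the resource domain (ours)
$trustedDomain  = 'foresta.example'   # placeholder: the account domain we accept users from

# Locate the trust object that points at Forest A.
$trust = Get-ADTrust -Filter "Target -eq '$trustedDomain'"
if (-not $trust) {
    Write-Warning "No trust object for $trustedDomain found in $trustingDomain."
    return
}

$trust | Select-Object Name, Target, Direction, TrustType, ForestTransitive,
    SIDFilteringQuarantined, SelectiveAuthentication

# Direction is stored from the local (Forest B) domain's point of view:
#   Outbound      = this domain trusts the target, so Forest A users can be
#                   put in Forest B ACLs. This is the one-way trust the thread wants.
#   Inbound       = the target trusts this domain (the reverse, not needed here).
#   BiDirectional = both; wider than necessary for this scenario.
if ($trust.Direction -ne 'Outbound') {
    Write-Warning "Trust direction is $($trust.Direction); a one-way 'B trusts A' trust shows as Outbound here."
}

# SID filtering (quarantine) discards SIDs that do not belong to the trusted domain
# from inbound tokens, which blunts SIDHistory-based privilege elevation across
# the trust. It is the check the last post refers to; enable it if it is off.
if (-not $trust.SIDFilteringQuarantined) {
    Write-Warning "SID filtering is OFF for the trust to $trustedDomain; enabling it."
    netdom trust $trustingDomain /domain:$trustedDomain /quarantine:Yes
} else {
    Write-Output "SID filtering is already enabled for the trust to $trustedDomain."
}
```

Re-run Get-ADTrust afterwards to confirm SIDFilteringQuarantined reads True; the netdom change takes effect without a reboot.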
 