Windows Trust Relationship & IIS Authentication

• Friday, November 30, 2012 12:22 AM

   

   
  

  0
  Good Morning,

   

  I have a quick question relating to IIS authentication and Windows 2003 trusts. Here is my scenario (I hope I explain it correctly).

   

  I have 3 domains (Domain A, Domain B, Domain C).

  Domain A contains all the users for the organisation. Domain B is purely a machine domain which contains a virtual desktop environment where members of domain A can log onto Domain A using a virtual desktop located in Domain B. Domain C (which I am responsible for) contains Windows 2003 servers only as well and hosts IIS 6.0 servers for domain A.

   

  Domain A has a one-way incoming external trust with Domain C (domain C is one-way outgoing).

  Domain A also has a trust relationship with Domain B (type is unknown).

  Domain B has a one-way incoming external trust with Domain C (domain C is one-way outgoing).

   

  The IIS server within Domain C has 'Anonymous Access' disabled and 'Integrated Authentication' selected.

   

  Now, if a user from Domain A logging onto a workstation in Domain A visits the IIS server in Domain C the user is able to view the content that the IIS server is hosting. However, if a user from Domain A logging into a virtual desktop through Domain B tries to visit the IIS server in Domain C the user is challenged with logon credentials to view the content the IIS server is hosting. If the Domain A user enters the credentials (eg. DomainA\username & password) the user is able to view the content.

   

  My initial thoughts point the the type of trust that has been set up between Domain B and Domain C. Would changing the trust type from one-way 'External' to one-way 'Forest' solve this problem. Knowing that an External trust is non-transitive and a Forest trust is transitive.

   

  Any help with this would be most appreciated.
  • Reply
  • Quote