Kerberos/NTLM Authentication Failures across 2-Way Forest Trusts

  • Question

  • Hello,

    In a 2-Way Transitive Forest Trust, for client authentications to work successfully for Kerberos and NTLM, must all DCs in a trusting domain be able to establish secure channels with all DCs in a trusted domain?

    So if a Firewall blocks a DC in a Trusting domain from establishing a secure channel with a DC in a Trusted domain, an authentication request will fail; however, if at least one or two DCs in a Trusting domain can establish secure channels with one or two DCs in the Trusted domain, the authentication request will succeed, correct?

    The essence of this question is: if we have 25 DCs in Domain A and 50 DCs in Domain B, we don't have to open Firewall ports for the 25 in Domain A to establish secure channels with the 50 in Domain B and vice versa? In this case, all we need to do is open Firewall ports for the PDCe DC in Domain A and Domain B, then 2 or 3 DCs in Domain A to communicate with 2 or 3 DCs in Domain B, correct?


    Thanks for your help! SdeDot

    Tuesday, August 20, 2013 11:36 AM


All replies

  • Like the avatar you are using.  I am old enough to remember when it was originally used to advertise speakers, the name of the company slips me.

    No, you don't need all DCs in each forest to be able to talk to one another. You will need each PDCe to have certain ports open to each other, though. Beyond that, it will depend on the trust type you have (NTLM or Kerberos).

    If NTLM, the DCs do all the work; if Kerberos, then the clients need to reach out. Think about having both domains' DCs within the same site, so that when a client needs to authenticate within a site the client shouldn't have to traverse any FW, and open up replication ports between DCs to keep the DCs in sync.

    Complete details
    http://technet.microsoft.com/en-us/library/bb742516.aspx


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Ace Fekay [MCT] Tuesday, August 20, 2013 2:53 PM
    • Marked as answer by Amy Wang_ Monday, August 26, 2013 1:47 AM
    Tuesday, August 20, 2013 12:17 PM
  • Thanks for the response Paul.

    Yeah, I don't remember the name of the company either, but I had a framed 4x8 poster of this hanging in my college dorm room, then Den, but then it was confiscated from my wall by my son for his room, college dorm room, and now apartment!  So it is a popular shot!

    So based on the info you provided, I think what would be safe is to open up the firewalls to each PDCe, then to 4 or 5 DCs in each domain, which would reside in 3 different sites or so for redundancy. This should then cover us for both NTLM and Kerberos authentications in either domain.

    Would you agree with this approach or advise on a different approach?


    Thanks for your help! SdeDot

    Tuesday, August 20, 2013 1:11 PM
  • I remember that ad. Looking it up, it was for Hitachi Maxell. It was called the Blown Away Man.
    http://iconicphotos.wordpress.com/2010/05/31/blown-away-man/

    -

    Anyway, as Paul implied, it's a bit complicated. If you do open the firewall ports between just the DCs across the trust, you'll cover Kerberos authentication, and if it fails, NTLM "pass-through" authentication, too, which needs all DCs available.

    More specifics to help you make a decision:

    The authentication path, whether between domains in a forest or across a trust, must use the trust path, so the user needs to identify the domain, whether as netbiosDomName\user or the UPN (user@domain.local). Forest-based trusts use Kerberos, but Kerberos does not rely on Pass-through; rather, it specifically contacts the KDC of each domain in the trust path, requesting a WT (workstation ticket) from the KDC's TGT (ticket granting ticket service), which is presented to the next KDC TGT for a WT for a resource in that domain or the next domain in the trust path, etc.

    However, if the KDC cannot be contacted, then NTLM Pass-Through kicks in. In this process, any DC can be selected; the Netlogon service uses a process called Discovery, which will discover all DCs in the trusted domain, therefore all DCs must be available.

    The older NTLM-style authentication process across an NTLM-based trust is referred to as Pass-Through Authentication.

    Please keep in mind too, that NTLM is NetBIOS based, therefore it requires NetBIOS support to work. If NetBIOS support is not provided (using WINS or LMHOSTS files), or NetBIOS ports are blocked, then this will fail, too.

    More info and specifics here:
    Accessing resources across domains [and trusts]
    http://technet.microsoft.com/en-us/library/cc787646(v=ws.10).aspx

    NTLM user authentication in Windows
    (scroll down to the "Pass-through Authentication" section)
    http://support.microsoft.com/kb/102716

    Trust between a Windows NT domain and an Active Directory domain
    This describes trust configuration issues and how to create an LMHOSTS file on the PDC Emulators to support an NTLM-style trust.
    http://support.microsoft.com/kb/889030


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Awinish Wednesday, August 21, 2013 1:43 AM
    • Marked as answer by Amy Wang_ Monday, August 26, 2013 1:47 AM
    Tuesday, August 20, 2013 3:14 PM
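The two paths Ace describes differ in who must reach whom: a Kerberos referral only needs the client to reach one KDC of the trusted domain, while NTLM pass-through lets the trusting DC pick any DC the locator returns, so a single blocked DC is a latent failure. The PowerShell check below is an added example written for this thread (it is not from Ace's post, Microsoft, or the linked articles): run from a DC or admin host in the trusting domain, it reads the trusted domain's generic `_ldap._tcp.dc._msdcs` SRV record and probes each listed DC on the TCP ports a Kerberos exchange and a Netlogon secure channel use. The domain name, the port table and the choice to test TCP only (UDP 88 and the dynamic RPC range are not probed) are assumptions.

```powershell
# Added example: which DCs of a trusted domain are reachable on the ports
# Kerberos and NTLM pass-through need. Run from a DC (NTLM path) and from a
# client (Kerberos path) in the trusting domain. Domain name and port list are
# assumptions, not values from the thread.
param(
    [string]$TrustedDomain = 'domainb.example'   # placeholder trusted domain
)

# Default TCP ports a trusting DC needs on a trusted DC. The dynamic RPC range
# and UDP 88/389 are deliberately not probed here.
$Ports = [ordered]@{
    'DNS'            = 53
    'Kerberos'       = 88
    'RPC endpoint'   = 135
    'LDAP'           = 389
    'SMB (Netlogon)' = 445
    'Kpasswd'        = 464
    'LDAP GC'        = 3268
}

function Get-TrustedDomainDCs {
    param([string]$Domain)
    # The generic (non-site-specific) DC locator record lists every DC that
    # registers it; NTLM pass-through discovery can return any of them.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-DCPorts {
    param([string]$DC)
    $result = [ordered]@{ DC = $DC }
    foreach ($entry in $Ports.GetEnumerator()) {
        # -InformationLevel Quiet returns only $true/$false
        $result[$entry.Key] = Test-NetConnection -ComputerName $DC -Port $entry.Value `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]$result
}

$dcs = Get-TrustedDomainDCs -Domain $TrustedDomain
Write-Host "Generic locator record for $TrustedDomain lists $($dcs.Count) DC(s)"

$report = foreach ($dc in $dcs) { Test-DCPorts -DC $dc }
$report | Format-Table -AutoSize

# Kerberos needs one reachable KDC; NTLM pass-through may pick any DC in the
# locator answer, so every DC failing 88 or 445 here is a latent NTLM failure.
$blocked = $report | Where-Object { $_.Kerberos -eq $false -or $_.'SMB (Netlogon)' -eq $false }
if ($blocked) {
    Write-Warning ("{0} of {1} trusted DCs are not reachable on 88/445: {2}" -f `
        $blocked.Count, $report.Count, ($blocked.DC -join ', '))
}
```

Read the output against the thread's question: if the report shows only the PDCe and a handful of DCs reachable while the locator record lists fifty, Kerberos logons will still work as long as the client's DNS answer and firewall path land on one of the open KDCs, but any NTLM fallback that discovers one of the blocked DCs will fail until either the ports are opened or the blocked DCs stop registering the generic record.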
  • I will agree with Paul & Ace. I would like to add a few more things. Indeed, the PDCe stores the trust password and is the point for verification, but if there are apps using NTLM-based authentication, I would allow all DCs to communicate with the other DCs. There is no harm if communication is opened to all the DCs; ultimately, it's going to be one (randomly selected) of the DCs in the domain which will perform authentication & authorization.

    http://blogs.msdn.com/b/anthonw/archive/2006/08/02/686041.aspx

    If you just want to open PDCe to PDCe, I would make sure there are no apps using NTLM authentication, in order to prevent app downtime due to authentication issues. The above article will help you to understand a bit more.

    http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx

    http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Amy Wang_ Monday, August 26, 2013 1:47 AM
    Wednesday, August 21, 2013 1:43 AM
  • Wonderful!

    Helps me a lot!

    Wednesday, August 21, 2013 4:34 AM
  • Thanks all.

    This is all great info. I'm digesting it and will respond shortly, because the real-life issue here is: do we open up the Firewalls to all DCs? In an environment where domains have 50-100 DCs and the Firewalls span continents and countries, this gets complex and costly.


    Thanks for your help! SdeDot

    Wednesday, August 21, 2013 3:05 PM
  • Thanks all.

    This is all great info. I'm digesting it and will respond shortly, because the real-life issue here is: do we open up the Firewalls to all DCs? In an environment where domains have 50-100 DCs and the Firewalls span continents and countries, this gets complex and costly.


    Thanks for your help! SdeDot


    Yes, that would be a challenge. The point is if you want to allow NTLM failover, then that's what would need to be done. If all Kerberos, then no. But that all depends on the applications looking for auth and how users or the apps have credentials hard-coded (domain\user is NTLM, and user@domain.com is Kerb).

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, August 21, 2013 4:32 PM
  • Thanks all.

    This is all great info. I'm digesting it and will respond shortly, because the real-life issue here is: do we open up the Firewalls to all DCs? In an environment where domains have 50-100 DCs and the Firewalls span continents and countries, this gets complex and costly.


    Thanks for your help! SdeDot

    Even though the firewall is open to all the DCs, all the DCs are not going to replicate to each other; it will actually be the DC with the BHS role which will be replicating at the time defined in the replication schedule.

    Secondly, if you have sites/subnets/site links configured, a DC will replicate to its replication partner based on the site/subnet & site link info.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, August 22, 2013 1:20 AM
  • Through additional research I found out we will be implementing 2-Way Forest Trusts, which should minimize NTLM pass-thru auth; the number of NTLM apps is minimal as well. To allow a finite number of DCs to be available, we will have most of our domain controllers in our non-chosen sites not register generic (non-site-specific) domain controller locator DNS records, via a Group Policy. These records will be registered only by the domain controllers and global catalogs in the 'preferred' sites. This 'targeting' of DCs will allow us to ensure the right firewalls are open as well.

    As with everything, we will try this out in a lab first.


    Thanks for your help! SdeDot

    • Marked as answer by Amy Wang_ Monday, August 26, 2013 1:47 AM
    Sunday, August 25, 2013 11:52 PM
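SdeDot's plan relies on the Net Logon setting "DC Locator DNS records not registered by the DCs", which takes a list of record mnemonics and is stored as the REG_MULTI_SZ value DnsAvoidRegisterRecords under the Netlogon parameters key. The PowerShell below is an added example for this thread (not SdeDot's script, and not Microsoft's code): it suppresses the generic, non-site-specific records on a DC whose site is not in a preferred list, leaves the site-specific, PDC, GUID and CNAME records in place, restarts Netlogon so the change takes effect, and then verifies that the generic record only points at the intended DCs. The site names and the expected-DC list are placeholders; in production the Group Policy, as SdeDot plans, is the right way to deliver the same value, so this is mainly useful as a lab check and as a way to confirm what the policy actually changed.

```powershell
# Added example: suppress the generic (non-site-specific) DC locator records on
# DCs outside the preferred sites, so that cross-trust discovery only returns
# DCs whose firewall paths are open. Site names and expected DCs are placeholders.
$PreferredSites = @('HQ-Site', 'DR-Site')   # assumption: sites whose DCs keep generic records

# Mnemonics for the generic records, as documented for DnsAvoidRegisterRecords.
# The *AtSite records, Pdc, DcByGuid and DsaCname are intentionally kept so
# clients in the DC's own site, PDCe lookups and replication keep working.
$GenericRecords = @(
    'Ldap', 'LdapIpAddress',           # _ldap._tcp.<domain> and the <domain> A record
    'Dc', 'Kdc',                       # _ldap/_kerberos._tcp.dc._msdcs.<domain>
    'Gc', 'GcIpAddress', 'GenericGc',  # GC records in _msdcs.<forest> and _gc._tcp.<forest>
    'Rfc1510Kdc', 'Rfc1510UdpKdc',     # _kerberos._tcp/_udp.<domain>
    'Rfc1510Kpwd', 'Rfc1510UdpKpwd'    # _kpasswd._tcp/_udp.<domain>
)

# Non-policy location of the value; the GPO writes the same list under
# HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-LocalDCSite {
    # nltest /dsgetsite prints the site name on its first output line
    (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
}

function Set-GenericRecordRegistration {
    param([bool]$Suppress)
    if ($Suppress) {
        # REG_MULTI_SZ of the mnemonics this DC must NOT register
        Set-ItemProperty -Path $NetlogonKey -Name DnsAvoidRegisterRecords `
            -Value $GenericRecords -Type MultiString
    } else {
        Remove-ItemProperty -Path $NetlogonKey -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    }
    # Netlogon re-evaluates its record set on restart (nltest /dsregdns also works)
    Restart-Service Netlogon
}

function Test-GenericRecordTargets {
    param([string]$Domain, [string[]]$ExpectedDCs)
    # Once DNS has refreshed, the generic record should list only preferred DCs;
    # anything else is a stale record to clean up (or a DC missing the policy).
    $targets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    $unexpected = @($targets | Where-Object { $ExpectedDCs -notcontains $_ })
    [pscustomobject]@{ Domain = $Domain; Targets = $targets; Unexpected = $unexpected }
}

# Apply on this DC based on its site membership
$site = Get-LocalDCSite
$suppress = $PreferredSites -notcontains $site
Write-Host "DC site: $site; suppress generic records: $suppress"
Set-GenericRecordRegistration -Suppress $suppress

# Verify from any host (placeholder domain and DC names)
Test-GenericRecordTargets -Domain 'domaina.example' `
    -ExpectedDCs @('dc01.domaina.example', 'dc02.domaina.example') | Format-List
```

The verification step is the part worth keeping in the lab plan: a DC that received the policy but whose old generic records have not yet aged out of DNS will still be handed to trusting-side clients and DCs, so check the SRV answer after the change and remove lingering records before opening the trust to production traffic.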
  • Through additional research I found out we will be implementing 2-Way Forest Trusts, which should minimize NTLM pass-thru auth; the number of NTLM apps is minimal as well. To allow a finite number of DCs to be available, we will have most of our domain controllers in our non-chosen sites not register generic (non-site-specific) domain controller locator DNS records, via a Group Policy. These records will be registered only by the domain controllers and global catalogs in the 'preferred' sites. This 'targeting' of DCs will allow us to ensure the right firewalls are open as well.

    As with everything, we will try this out in a lab first.


    Thanks for your help! SdeDot

    Sounds like a good plan. Please do post back with your results. I'm curious, as well as others here, I'm sure, if everything will work as planned.

    Cheers!


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, August 26, 2013 2:08 PM