Listing Domain Objects from External Trusted Domain (One-way external trust)

  • Question

  • I am working with sharing of resources between 2 domains - specifically sharing computers. This might be a long post because I will try to clarify exactly what all I have tried. I have set up the following scenario and have a number of questions (some minor):

    Domain RESOURCES.COM has computer machines. Domain ACCOUNTS.COM has user accounts. Consider that the two domains do not belong to the same corporation (so there cannot be 2-way trust or sharing of domain account credentials). Users from the ACCOUNTS.COM domain should be able to log in (either RDP or interactive login) to the computers on the RESOURCES.COM domain using their ACCOUNTS.COM domain credentials. For example: testUser@ACCOUNTS.COM.

    Q1: According to my understanding, this can be achieved using Trusts. I know ADFS is also used to allow cross-domain authentication but this specific use case of computer login cannot be achieved using ADFS. ADFS is suitable for SSO to web applications and other such authentication requirements. Is my understanding correct?

    Q2: I have gone through many blog posts and TechNet articles and questions and think that in a cross-enterprise situation like this - External Trusts should be referred, but I am not sure. Am I correct or can forest-level trusts be also used in a secure way?

    Q3: I have disabled firewalls on all the machines and have the DNS configuration correctly working. All resources in RESOURCES.COM are resolvable from ACCOUNTS.COM and vice-versa. I configured a one-way trust so that RESOURCES.COM TRUSTS ACCOUNTS.COM but not the other way round. So RESOURCES.COM is the "trusting domain" and ACCOUNTS.COM is the trusted domain. I have created some users in the trusted domain whom I want to allow access to resources in the trusting domain and added them to a global group called ResourceUsers (in the trusted domain). I have a domain-local group in RESOURCES.COM called AccountUsers. This has been suggested as the way to go to allow cross-domain access. Now comes the part that perplexes me. When I go to add the ResourceUsers group from the trusted domain as a member of the AccountUsers group, I am unable to list the contents of the ACCOUNTS.COM Active Directory and I am asked for credentials to an ACCOUNTS.COM account. I searched some more and I understand that anonymous listing of Active Directory is not allowed. Is my understanding correct and is there no way or configuration around this? I would prefer not requiring any ACCOUNTS.COM credentials for any changes to be done on the RESOURCES.COM side. However, if that is not possible, could you suggest the best way to get this done so that it will be acceptable to an enterprise IT security guy?

    Friday, September 21, 2012 12:54 AM

Answers

  • Q1: Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. ADFS helps you use single sign-on (SSO) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

    Q2: If these enterprises are unrelatable, forest-level trust is OK and secure. You may read the following article for more information.

    Understanding When to Create a Forest Trust

    http://technet.microsoft.com/en-us/library/cc771397.aspx

    Q3: Please read and follow the Microsoft TechNet article below for how to list objects across forests.

    Accessing resources across forests

    http://technet.microsoft.com/en-us/library/cc772808(v=WS.10).aspx

    Regards,


    Arthur Li

    TechNet Community Support

    Monday, September 24, 2012 8:33 AM
  • @Arthur and @Manish,

    Thanks for your replies. They have been helpful to answer my first 2 questions. However, my 3rd question which is the most important still remains unanswered. Maybe I was vague in my original post.

    Arthur, the link that you provided gives an idea about how cross-domain access to objects works; however, it does not address the problem which I am facing, which I have explained again below. Please let me know if I am missing something from that link. I tried the other links going out from that page as well, but nothing helps me.

    Manish, I am exactly following the AGUDLP approach. I have created the corresponding groups on each domain. Now in one of the domains I need to add the group of users from the other domain to a domain-local group. When I open up the Object Picker (Right-Click Group -> Properties -> Members Tab -> Add), I am unable to choose the group from the other domain because it asks me for the username and password of an account from the other domain. My question was to know whether we can get around this. Since these are 2 different corporations, we cannot have user account credentials from the other corporation.

    Thanks for your help.

    The password prompt confirms the trust is working fine. The password prompt is due to the one-way trust, because both domains don't trust each other. It is the same as: I can get access to your place without being stopped by security, but you are not allowed, since I have not informed my security guard to allow you. The reason for the password prompt is that trust is flowing in only one direction: the user is trusted by the trusting domain, whereas the other domain doesn't trust this user because of the one-way trust, and hence the prompt is expected and by design. The only way to get rid of the prompt is implementing a two-way trust.

    In a one-way trust, a trusted domain user can access resources in the trusting domain, whereas the trusted domain doesn't trust the trusting domain's users or systems, hence you get the prompt.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by ajp86 Tuesday, October 2, 2012 4:29 PM
    Tuesday, September 25, 2012 10:40 AM
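
    As an added illustration (not code from the thread or from Microsoft): a PowerShell session on the RESOURCES.COM side that confirms the trust direction Awinish describes, shows the hardening flags mentioned earlier in the thread, and lists what the trusted domain's group looks like once it is a member of the domain-local group. The domain and group names are the thread's; the RSAT ActiveDirectory module and a RESOURCES.COM administrator session are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# on a RESOURCES.COM domain controller, run as a RESOURCES.COM administrator.
# Domain and group names are the ones used in the thread.
Import-Module ActiveDirectory

# 1. Trust direction as RESOURCES.COM sees it. For "RESOURCES.COM trusts
#    ACCOUNTS.COM" the trust object is Outbound here and Inbound on the
#    ACCOUNTS.COM side. Nothing flows back, which is why a RESOURCES.COM
#    account cannot enumerate ACCOUNTS.COM's directory without credentials
#    from that domain.
Get-ADTrust -Filter 'Name -eq "accounts.com"' |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined

# 2. Hardening flags the thread mentions, set on the trusting domain with
#    netdom (one-time configuration changes, not something to rerun). With
#    selective authentication enabled, every ACCOUNTS.COM user is denied until
#    "Allowed to Authenticate" is granted on the specific computer objects.
netdom trust RESOURCES.COM /domain:ACCOUNTS.COM /Quarantine:Yes       # SID filtering
netdom trust RESOURCES.COM /domain:ACCOUNTS.COM /SelectiveAuth:Yes

# 3. Members of the domain-local group. A group from the trusted domain is
#    stored as a foreignSecurityPrincipal whose name is its SID; RESOURCES.COM
#    holds only that SID, never the trusted domain's account data.
Get-ADGroup -Identity 'AccountUsers' -Properties member |
    Select-Object -ExpandProperty member |
    ForEach-Object {
        $m = Get-ADObject -Identity $_ -Properties objectSid
        [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; Sid = $m.objectSid }
    }
```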

All replies

  • I am working with sharing of resources between 2 domains - specifically sharing computers. This might be a long post because I will try to clarify exactly what all I have tried. I have set up the following scenario and have a number of questions (some minor):

    Domain RESOURCES.COM has computer machines. Domain ACCOUNTS.COM has user accounts. Consider that the two domains do not belong to the same corporation (so there cannot be 2-way trust or sharing of domain account credentials). Users from the ACCOUNTS.COM domain should be able to log in (either RDP or interactive login) to the computers on the RESOURCES.COM domain using their ACCOUNTS.COM domain credentials. For example: testUser@ACCOUNTS.COM.

    Q1: According to my understanding, this can be achieved using Trusts. I know ADFS is also used to allow cross-domain authentication but this specific use case of computer login cannot be achieved using ADFS. ADFS is suitable for SSO to web applications and other such authentication requirements. Is my understanding correct?

    Your understanding is correct. Users can't log in using ADFS, because ADFS is a web-based SSO solution using claims/identity.

    Q2: I have gone through many blog posts and TechNet articles and questions and think that in a cross-enterprise situation like this - External Trusts should be referred, but I am not sure. Am I correct or can forest-level trusts be also used in a secure way?

    Simply by establishing a trust, you don't provide access to users in a different domain; you define a communication channel where both domains can understand each other. Microsoft says Kerberos is supported between cross forests, but personally I haven't tested it. Also, to make it more secure, you can use selective authentication.

    Security Considerations for Trusts

    http://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx

    Kerberos over external trust

    http://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-external-trust-is-it-possible-part-6/

    Selective Authentication

    http://technet.microsoft.com/en-us/library/cc816580%28v=ws.10%29.aspx

    Q3: I have disabled firewalls on all the machines and have the DNS configuration correctly working. All resources in RESOURCES.COM are resolvable from ACCOUNTS.COM and vice-versa. I configured a one-way trust so that RESOURCES.COM TRUSTS ACCOUNTS.COM but not the other way round. So RESOURCES.COM is the "trusting domain" and ACCOUNTS.COM is the trusted domain. I have created some users in the trusted domain whom I want to allow access to resources in the trusting domain and added them to a global group called ResourceUsers (in the trusted domain). I have a domain-local group in RESOURCES.COM called AccountUsers. This has been suggested as the way to go to allow cross-domain access. Now comes the part that perplexes me. When I go to add the ResourceUsers group from the trusted domain as a member of the AccountUsers group, I am unable to list the contents of the ACCOUNTS.COM Active Directory and I am asked for credentials to an ACCOUNTS.COM account. I searched some more and I understand that anonymous listing of Active Directory is not allowed. Is my understanding correct and is there no way or configuration around this? I would prefer not requiring any ACCOUNTS.COM credentials for any changes to be done on the RESOURCES.COM side. However, if that is not possible, could you suggest the best way to get this done so that it will be acceptable to an enterprise IT security guy?

    You need to use the AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) method to add users/groups.
    - Add the user accounts to global groups > global groups to a universal group > universal groups to domain-local groups > domain-local groups to the group you want to assign the permission to.
    It is better to always use groups instead of individuals to assign permissions.

    http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx

    See my inline comments. It's difficult to troubleshoot an external trust; instead I would prefer a forest trust with the selective authentication setting, if you want more security for the resources.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    • Edited by Awinish Monday, September 24, 2012 11:21 AM
    Monday, September 24, 2012 11:19 AM
  • @Arthur and @Manish,

    Thanks for your replies. They have been helpful to answer my first 2 questions. However, my 3rd question which is the most important still remains unanswered. Maybe I was vague in my original post.

    Arthur, the link that you provided gives an idea about how cross-domain access to objects works; however, it does not address the problem which I am facing, which I have explained again below. Please let me know if I am missing something from that link. I tried the other links going out from that page as well, but nothing helps me.

    Manish, I am exactly following the AGUDLP approach. I have created the corresponding groups on each domain. Now in one of the domains I need to add the group of users from the other domain to a domain-local group. When I open up the Object Picker (Right-Click Group -> Properties -> Members Tab -> Add), I am unable to choose the group from the other domain because it asks me for the username and password of an account from the other domain. My question was to know whether we can get around this. Since these are 2 different corporations, we cannot have user account credentials from the other corporation.

    Thanks for your help.

    Monday, September 24, 2012 8:10 PM