One-Way Trust user authentication!

  • Question

  • Hi,

    Assume if I have Domain A and Domain B,

    Domain A trusts Domain B, 

    When a user in Domain B wants to access a resource in Domain A, should this user use his/her AD credential (Domain B)?
    Or should he be provided a credential of Domain A?

    Wednesday, July 17, 2019 1:42 PM

Answers

  • Hello,
    Thank you for posting in our TechNet forum.

    If Domain A trusts Domain B, when a user in Domain B wants to access a resource in Domain A, he/she can find a machine in Domain A, then he/she should use his/her AD credential of Domain B to log on to this machine.

    For example, in my test environment, Domain A trusts Domain B, and daisy12 is one user in Domain B. She can log on to a PC in Domain A with credentials of Domain B (B\daisy12 and the corresponding password).

    Then she can access the resource in Domain A.





    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by OudMaster Sunday, July 21, 2019 6:27 AM
    Thursday, July 18, 2019 4:00 AM
    Moderator

All replies

  • Thank you very much, Daisy Zhou, for your response, really helpful.

    One more please, a low-level detail: I want to know where the authentication request starts and ends.

    So if daisy12 tried to log in to a PC in Domain A, will her credential be sent to the Domain A AD server, and then this AD consults the Domain B AD server to verify if the login credential is correct?
    Thursday, July 18, 2019 1:32 PM
  • Hi,

    This is a cross-domain authentication question. It is a good question.

    The daisy12 account will be sent to the DC of its own domain (the DC in Domain B), and daisy12 will send a request to the DC of the B domain: she wants to log on to the client in Domain A.

    But the DC of the B domain compares the credentials stored on the DC of the B domain and finds that these are credentials stored on the DC of the other domain (Domain A). Because they have a trust relationship, Domain A and Domain B share one inter-domain key; then the DC (in Domain B) will give the referral ticket to daisy12. daisy12 holds this referral ticket and will send a request to the DC of the A domain: she needs to log in to the client of the A domain.

    It may be difficult to explain this authentication process in a few words, I probably explained the above information.


    If we want to understand the process of Kerberos authentication, I highly recommend reading the article.





    Best Regards,
    Daisy Zhou


    Friday, July 19, 2019 10:09 AM
    Moderator
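
The referral flow described in the reply above, modelled as a small simulation. This is an added example, not part of the original thread or any Microsoft code: the `KDC` class, the user `alice`, the host names and every key are constructed, and an HMAC tag stands in for real Kerberos ticket encryption (authenticators and session keys are omitted).

```python
import hashlib, hmac, json

def seal(key, issuer, claims):
    # Toy ticket: an HMAC tag stands in for encryption under the issuer's key.
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "tag": tag}

def unseal(key, ticket):
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise PermissionError("ticket was not sealed with the expected key")
    return json.loads(ticket["body"])

class KDC:
    def __init__(self, realm, users, services):
        self.realm, self.users, self.services = realm, users, services
        self.krbtgt = hashlib.sha256(b"krbtgt/" + realm.encode()).digest()  # constructed
        self.refer_to, self.accept_from = {}, {}  # inter-realm keys, by direction
    def as_req(self, user, user_key):
        if user not in self.users or not hmac.compare_digest(self.users[user], user_key):
            raise PermissionError(f"{user} cannot authenticate to {self.realm}")
        return seal(self.krbtgt, self.realm, {"user": user, "realm": self.realm})
    def tgs_req(self, tgt, service, realm):
        # Accept our own TGT, or a referral sealed with an inter-realm key we hold.
        key = self.krbtgt if tgt["issuer"] == self.realm else self.accept_from.get(tgt["issuer"])
        if key is None:
            raise PermissionError(f"{self.realm} does not trust {tgt['issuer']}")
        who = unseal(key, tgt)
        if realm != self.realm:  # refer the client to the other realm's KDC
            if realm not in self.refer_to:
                raise PermissionError(f"{realm} does not trust {self.realm}")
            return seal(self.refer_to[realm], self.realm, who)
        return seal(self.services[service], self.realm, dict(who, service=service))

def trust(trusting, trusted, key):  # trusted may issue referrals that trusting accepts
    trusted.refer_to[trusting.realm] = key
    trusting.accept_from[trusted.realm] = key

def access(user, user_key, home, target, service):
    tgt = home.as_req(user, user_key)                         # 1. TGT from the home realm
    referral = home.tgs_req(tgt, service, target.realm)       # 2. referral ticket
    ticket = target.tgs_req(referral, service, target.realm)  # 3. service ticket
    return unseal(target.services[service], ticket)           # 4. service validates it

# Constructed sample data: Domain A trusts Domain B (one-way).
A = KDC("A", {"alice": b"alice-key"}, {"host/pc1.a": b"pc1-key"})
B = KDC("B", {"daisy12": b"daisy-key"}, {"host/pc9.b": b"pc9-key"})
trust(trusting=A, trusted=B, key=b"inter-realm-key")
print(access("daisy12", b"daisy-key", B, A, "host/pc1.a"))
```

Domain A's KDC never sees daisy12's key; it only verifies the referral sealed with the shared inter-realm key, and the same call in the reverse direction (alice to a host in B) fails because the trust is one-way.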
  • Thank you very much, Daisy Zhou.

    I understood it, and will read the Kerberos link in detail.

    Sunday, July 21, 2019 6:27 AM
  • Hi,
    Thank you for your update and marking my reply as answer. I’m very glad that the information is helpful.
     
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!


     
    Best Regards,
    Daisy Zhou


    Monday, July 22, 2019 11:03 AM
    Moderator