One-way trust, Kerberos & IIS

Jim wrote:

Hi,

I have the following configuration:

Two Active Directory Domains in two separate forests.

Domain A: Windows 2000
Domain B: Windows 2003

I have a one-way trust between them such that B trusts A.

I have a web application running on a Windows Server 2003 installation using IIS in Domain B that requires Kerberos Authentication using IWA.

Currently when I attempt to log on with a client authenticated with a DC in Domain A, authentication appears to be using the fallback of NTLM. Do I need to create an SPN in Domain A to allow Domain A's KDC to provide the client running in Domain A with a referral ticket for Domain B?

Many thanks
Jim

"Roger Abell [MVP]" wrote:

The forest of Domain A is at best Windows 2000 native.
External trusts to other forests are always NTLM based in that scenario. If you want a trust that supports Kerberos you need W2k3 mode forests and a forest-level trust.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

Jim wrote:

Thanks Roger,
I have been looking at this for the past couple of days. My understanding is that it is possible to configure a Kerberos realm trust between any non-Windows-based operating system Kerberos version 5 realm and a Windows 2000 Server. This trust relationship should allow cross-platform interoperability with security services based on Kerberos version 5.

I found the following article on TechNet:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

I guess what I'm asking is, would it be possible to configure a one-way trust based on a non-Windows trust between the two Windows domains? Ultimately all I require is SSO on the IIS server located in Domain B from clients in Domain A.

Many thanks,
Jim
"Roger Abell [MVP]" wrote:

I doubt that route would bear fruit, and the MIT Kerberos realm trust model is less simple than it can seem.
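A diagnostic that follows Roger's reasoning (trust type and forest functional level) and Jim's SPN question, added here as an example and not code from the thread. It assumes current Windows tooling (the RSAT ActiveDirectory module and Get-WinEvent) rather than the 2000/2003-era tools the posters had, and the domain and host names are placeholders.

```powershell
# Added diagnostic for the cross-forest Kerberos question in this thread; it is not
# code from the thread. Assumes the RSAT ActiveDirectory module on a member of
# Domain B and read access to the IIS host's Security log; names are placeholders.
param(
    [string]$TrustedDomain = 'domaina.example',        # Domain A (placeholder)
    [string]$WebHostFqdn   = 'web01.domainb.example',  # IIS host in Domain B (placeholder)
    [int]$Hours            = 24
)
Import-Module ActiveDirectory

# 1. Trust type. Roger's point: a trust to a Windows 2000 forest is an external
#    trust and authenticates with NTLM. Cross-realm Kerberos referrals need a
#    forest trust (ForestTransitive) with both forests at 2003 forest level.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
if (-not $trust) { throw "No trust object for '$TrustedDomain' in this domain." }
$forestMode  = (Get-ADForest).ForestMode.ToString()
$kerbCapable = $trust.ForestTransitive -and
               ($forestMode -notin @('Windows2000Forest', 'Windows2003InterimForest'))
"Trust '$($trust.Name)': Direction=$($trust.Direction) ForestTransitive=$($trust.ForestTransitive)"
"Local forest mode: $forestMode -> Kerberos across this trust possible: $kerbCapable"
# The trusted forest (Domain A) must also be at 2003 level; verify that from a Domain A host.

# 2. SPN. The ticket is for the service in Domain B, so HTTP/<fqdn> must be
#    registered on exactly one account in Domain B (the service's own domain),
#    not in Domain A. A missing or duplicated SPN also ends in NTLM fallback.
$spn     = "HTTP/$WebHostFqdn"
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { "SPN $spn is not registered: clients will fall back to NTLM." }
    1       { "SPN $spn is registered to $($holders[0].DistinguishedName)." }
    default { "SPN $spn is duplicated on $($holders.Count) objects; Kerberos breaks." }
}

# 3. Evidence. Network logons (type 3) on the IIS host record which package
#    actually authenticated the user in event 4624 (540 on Server 2003).
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -ComputerName $WebHostFqdn -FilterHashtable $filter -ErrorAction Stop |
  ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.LogonType -eq '3') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package = $d.AuthenticationPackageName
            From    = $d.IpAddress
        }
    }
  } | Group-Object Package | Select-Object Name, Count
```

A Kerberos/NTLM count that is all NTLM for Domain A users, with a healthy SPN, points at the trust type rather than the IIS configuration.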