Trust not fully working?

  • Trust not fully working?

    Scenario:
    Two Server 2003 domains in the same physical building, no firewall between them.
    Two-way trust in place between them.

    I think this is possible, not sure. I have Spiceworks on Domain A w/ LDAP authentication against the same domain. I'd like to be able to log into it with a login from Domain B. Now, if a DC on Domain A gets an authentication request for a user from Domain B (clarified with a FQDN in the request), should it contact Domain B automatically and authenticate it, or is this not possible?
    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Trust not fully working?

    I'm not an expert in trusts but it seems to me that you'd like to impersonate a domainA user with a domainB user account, which is how I think a trust does not work. domainA will trust users from domainB but it will not impersonate users from domainB and vice versa. When you access a resource in domainA with a user from domainB it is the domainB user who is accessing the resource because domainA trusts domainB, not a domainA user on behalf of the domainB user. Also, the application doesn't know who domainb\user is, it only knows who domainA\user is. Does this make sense?


    • #3
      Re: Trust not fully working?

      Not trying to impersonate anything. Just trying to see if it's possible to enter Domain B credentials within an LDAP application on Domain A, and have Domain A confirm them against Domain B's DC via the trust.

      • #4
        Re: Trust not fully working?

        But again, the trust works for accessing resources, not applications. Spiceworks doesn't know who domainB\user is.


        • #5
          Re: Trust not fully working?

          Ignore Spiceworks for now. This is really just about LDAP access. In a trust, can Domain A verify authentication information from Domain B if asked to? From what I've researched, it should do this, but for whatever reason it's not.
          Last edited by Wired; 30th October 2008, 14:23.

          • #6
            Re: Trust not fully working?

            What rights have you assigned to the user in domain B on Domain A?
            cheers
            Andy

            Quis custodiet ipsos custodes?


            • #7
              Re: Trust not fully working?

              Wasn't aware you could do that in AD. Just as a reminder, I'm not talking about sharing a file / folder across domains.

              The more I read about this, the more it seems that the domains have to be in the same forest, however my research hasn't been conclusively proven yet.

              • #8
                Re: Trust not fully working?

                I realise you aren't talking about file/folders but I think if a user in Domain B contacts Domain A to do some work then he would need rights assigned to Domain A resource. Domain A will contact Domain B to ensure correct privileges.
                cheers
                Andy


                • #9
                  Re: Trust not fully working?

                  I think this is where I'm limited by not having both domains in the same forest. When I go to the OU for Domain A's Admin SG (just as an example) and attempt to add a new User to it from Domain B, I have no way to change the Location to Domain B.

                  However, it seems the trust is working how it should be, as whenever I remote into a DC on either domain, I can select the domain I want to use to authenticate to.

                  • #10
                    Re: Trust not fully working?

                    To what are you trying to add them?
                    Group?
                    What kind of group?


                    • #11
                      Re: Trust not fully working?

                      Does a universal group show you a difference?
                      cheers
                      Andy
