30 sec authentication delay to external trusted domain


  • 30 sec authentication delay to external trusted domain

    Hi There

    Domain A has a one way trusting external trust Domain B. These domains are in separate forests.
    These domains are separated by firewalls etc, only the domain controllers have firewall rights to talk to each other.

    If we jump on a member server in domain A and try to authenticate using domainB credentials, we get a 30 sec delay before authorisation finishes (it does work successfully though).
    If we try this same step on a DomainA domain controller, the authentication is instantaneous.

    things I have checked:
    -I have confirmed that the member servers are pointing to the domain controller for DNS services. The domain controllers point to themselves for DNS
    -DNS contains no incorrect SRV records or anything like that
    -dcdiag tests come up fine
    -I have run the trust verification option in AD domains and trusts.

    questions:
    -Is there a way to eliminate this delay?
    -Does anyone know of an explanation somewhere of the authentication process at work here? I can find plenty of examples on TechNet about how a client in domainA would authenticate and get access to a resource in domainB, but nothing on how a domainA computer login using domainB credentials works.


    extra info:

    Domain A:
    DC1 Windows 2000 sp4
    DC2 Windows 2003 sp2
    DC3 Windows 2003 sp2
    2000 mixed mode domain
    separate forest with only 1 domain
    trusts Domain B with an external trust

    Domain B:
    DC1 Windows 2000 sp4
    DC2 Windows 2000 sp4
    2000 native mode domain
    separate forest with only 1 domain

  • #2
    Re: 30 sec authentication delay to external trusted domain

    Read this out, if it helps you

    http://blogs.technet.com/askds/archi...est-trust.aspx

    Probably you need to take a netmon trace using wireshark and analyse it.
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points



    • #3
      Re: 30 sec authentication delay to external trusted domain

      Originally posted by v-2nas:
      Read this out, if it helps you

      http://blogs.technet.com/askds/archi...est-trust.aspx

      Probably you need to take a netmon trace using wireshark and analyse it.
      Thanks for the link. Most TechNet articles I find are great for fixing it if it doesn't work, however not so much help if it is slow.



      • #4
        Re: 30 sec authentication delay to external trusted domain

        Make sure that the DC that holds the PDC Emulator Role on both Domains can communicate with each other fully (PDCE is in charge of Trust validation among the other stuff he does).



        • #5
          Re: 30 sec authentication delay to external trusted domain

          I've done a packet trace.
          The server tries Kerberos authentication directly to the external domain controller; since this traffic is blocked it gets no replies, so it tries the other domain controller, etc. This is where the delay is.
          When it gives up trying Kerberos it sends 4 RPC_NETLOGON packets to the local domain controller, which is where the trace ends after working.
          The packets are NetrLogonSamLogonEx request, NetrLogonSamLogonEx response, NetrLogonGetDomainInfo request, NetrLogonGetDomainInfo response.

          So I'm guessing there are settings somewhere to force this behaviour and cut out Kerberos.

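          The trace pattern described in post #5 (unanswered Kerberos requests to the trusted forest's DCs, then a Netlogon pass-through to the local DC) can be checked mechanically once the capture is exported as a packet list. The script below is an added example, not code from the thread; the IP addresses and the packet list are constructed to mirror the capture described, and the Netlogon operation names are the MS-NRPC ones quoted in the post.

```python
# Added example: measure the Kerberos-to-Netlogon fallback delay in a logon trace.
# The trace below is constructed (placeholder addresses), modelled on post #5.
from dataclasses import dataclass

@dataclass
class Pkt:
    t: float        # seconds since start of trace
    src: str
    dst: str
    proto: str      # "KRB5" or "RPC_NETLOGON"
    msg: str        # e.g. "AS-REQ", "NetrLogonSamLogonEx request"

MEMBER = "10.1.0.50"                      # constructed: member server in Domain A
LOCAL_DC = "10.1.0.10"                    # constructed: Domain A domain controller
TRUSTED_DCS = {"10.2.0.10", "10.2.0.11"}  # constructed: Domain B domain controllers

# Constructed capture: two AS-REQs that never get a reply (firewall drops them),
# then the four Netlogon packets the post lists, sent to the local DC.
TRACE = [
    Pkt(0.00, MEMBER, "10.2.0.10", "KRB5", "AS-REQ"),
    Pkt(15.02, MEMBER, "10.2.0.11", "KRB5", "AS-REQ"),
    Pkt(30.05, MEMBER, LOCAL_DC, "RPC_NETLOGON", "NetrLogonSamLogonEx request"),
    Pkt(30.09, LOCAL_DC, MEMBER, "RPC_NETLOGON", "NetrLogonSamLogonEx response"),
    Pkt(30.10, MEMBER, LOCAL_DC, "RPC_NETLOGON", "NetrLogonGetDomainInfo request"),
    Pkt(30.12, LOCAL_DC, MEMBER, "RPC_NETLOGON", "NetrLogonGetDomainInfo response"),
]

def analyse(trace, member, trusted_dcs):
    """Return (trusted DCs that never answered Kerberos, seconds lost before the
    Netlogon pass-through started, whether the pass-through logon got a response)."""
    krb_reqs = [p for p in trace
                if p.proto == "KRB5" and p.src == member and p.dst in trusted_dcs]
    unanswered = [p.dst for p in krb_reqs
                  if not any(q.proto == "KRB5" and q.src == p.dst and q.dst == member
                             for q in trace)]
    netlogon = [p for p in trace if p.proto == "RPC_NETLOGON" and p.src == member]
    delay = round(netlogon[0].t - krb_reqs[0].t, 2) if krb_reqs and netlogon else 0.0
    ok = any(p.proto == "RPC_NETLOGON" and "NetrLogonSamLogonEx response" in p.msg
             for p in trace)
    return unanswered, delay, ok

if __name__ == "__main__":
    targets, delay, ok = analyse(TRACE, MEMBER, TRUSTED_DCS)
    print(f"Kerberos targets that never replied: {targets}")
    print(f"seconds before Netlogon pass-through: {delay}; logon succeeded: {ok}")
```

          A non-empty list of unanswered targets with a large delay and a successful pass-through is exactly the "slow but working" signature; if the delay is zero the blocked-Kerberos theory does not explain the wait and the trace needs a closer look elsewhere.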


          • #6
            Re: 30 sec authentication delay to external trusted domain

            What you're seeing is normal timeout behavior since you have protocols being blocked.

            No idea on how to disable Kerberos or even set NTLM as primary. You'd be moving backwards if you went that route anyway.
