Yes Ken, you have summed it up correctly. Never had to do something like this before, but I find it odd that there is no workaround to get the Domain B DC to hand off the authentication to the Domain A DC for the client. I've got a call with Microsoft today to discuss this. I think you are right: the only way I'm going to get this to work is to have the application server (client) be allowed to authenticate to Domain A after the DC hands it the referral. Ugh...
Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Ken Schaefer <k...@adopenstatic.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 08/29/2012 10:09 PM
Subject: RE: LDAP authentication across external trust

Unless I'm reading your setup incorrectly: you have a one-way trust with selective authentication. When WebPortal (part of Domain B) contacts a Domain B DC, the Domain B DC would provide a referral to a Domain A DC (assuming the correct external cross-reference object exists). However, your web portal server in Domain B would not be able to authenticate to the Domain A DC. So you either need a two-way trust, or configure your application to bind to a Domain A DC (with a Domain A service account) to validate users.

Cheers
Ken

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, 30 August 2012 7:16 AM
To: NT System Admin Issues
Subject: Re: LDAP authentication across external trust

Sorry ... separate forests. (acme.com and widgets.com)

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Don Kuhlman <drkuhl...@yahoo.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 08/29/2012 04:59 PM
Subject: Re: LDAP authentication across external trust

Hi Chris. Are they in the same forest or separate? e.g. domaina.company.com and domainb.company.com, or domaina.com and domainb.com?
Don K

From: Christopher Bodnar <christopher_bod...@glic.com>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Sent: Wednesday, August 29, 2012 2:08 PM
Subject: LDAP authentication across external trust

We have 2 domains with a one-way trust relationship (Domain A is trusted, Domain B is trusting). Domain B is in a DMZ. So Domain A users can access resources in Domain B with their Domain A credentials. Also using selective authentication for this trust. Works great.

Working with a vendor to implement a new system. The issue is that they are trying to authenticate Domain A users from within Domain B (the web portal is in Domain B) across the trust relationship using LDAP. So they are pointing the LDAP bind to a Domain B DC, and it's not working. Anyone doing something like this? Never had to set up anything like this before. Vendor isn't real helpful in this situation. I'm not even positive what domain the base DN should be. Been trying both each time we make a change. So far no luck. Also not seeing any specific errors on the domain controller yet. Bad thing is that I'm not sure what DC the Domain B domain controller is bouncing the request off of in Domain A. We have quite a few, and the logs are pretty hefty. Probably gonna have to put Wireshark on this to look at the packets to get a clue. Any help is appreciated.

Thanks,
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

-----------------------------------------
This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law.
If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
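Ken's suggestion in the thread above (bind directly to a Domain A DC with a Domain A service account, search under Domain A's base DN, then prove the user's password with a second bind) as an added PowerShell example; this is not code from the thread or from the vendor. The DC name dca01.acme.com, the base DN DC=acme,DC=com and the service account ACME\svc-webportal are assumed placeholders, and the script assumes the Domain B web server can reach the Domain A DC on TCP 636.

```powershell
# Added example, not from the thread: validate a Domain A user from a server in
# Domain B by talking to a Domain A DC directly instead of relying on the
# referral a Domain B DC hands back across the one-way trust.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DomainAUser {
    param(
        [string]$DomainADc   = 'dca01.acme.com',      # assumed Domain A DC
        [string]$BaseDn      = 'DC=acme,DC=com',      # Domain A's base DN, not Domain B's
        [string]$ServiceUser = 'ACME\svc-webportal',  # assumed least-privileged Domain A account
        [Parameter(Mandatory)][securestring]$ServicePassword,
        [Parameter(Mandatory)][string]$UserName,      # sAMAccountName of the Domain A user
        [Parameter(Mandatory)][securestring]$UserPassword
    )

    # Reject filter metacharacters so the user name cannot alter the LDAP filter.
    if ($UserName -match '[\\*()\x00]') { throw "Invalid characters in user name" }

    # LDAPS (636) so neither the service nor the user credentials cross the DMZ in clear text.
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainADc, 636, $true, $false)

    # Step 1: bind as the Domain A service account and resolve the user's DN.
    $svcCred = New-Object System.Net.NetworkCredential($ServiceUser, $ServicePassword)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $svcCred)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    $filter = "(&(objectClass=user)(sAMAccountName=$UserName))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, 'Subtree', 'distinguishedName')
    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    if ($resp.Entries.Count -ne 1) { return $false }   # unknown or ambiguous user: fail closed
    $userDn = $resp.Entries[0].DistinguishedName

    # Step 2: prove the password by binding as the user (simple bind, TLS-protected).
    $userCred = New-Object System.Net.NetworkCredential($userDn, $UserPassword)
    $userConn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $userCred)
    $userConn.SessionOptions.SecureSocketLayer = $true
    $userConn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try     { $userConn.Bind(); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] { return $false }  # bad password, disabled, locked
    finally { $userConn.Dispose() }
}
```

A failed bind here shows up as a logon event on the Domain A DC you named, which also answers the "which DC is the request bouncing off" question from the first message.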