How does cross domain authentication work in a firewalled environment?

Posted by LVLAaron on Server Fault See other posts from Server Fault or by LVLAaron
Published on 2013-02-07T16:59:41Z Indexed on 2013/10/20 3:57 UTC
Read the original article Hit count: 483

Filed under:

This is a simplification and the names have been changed to protect the innocent.

The assets:

Active Directory Domains

User accounts
[email protected]
[email protected]

dc.corp.lan (domain controller)
dc.saas.lan (domain controller)

A one way trust exists between the domains so user accounts in corp.lan and log into servers in saas.lan

No firewall between dc.corp.lan and dc.saas.lan

server.saas.lan is in a firewalled zone and a set of rules exist so it can talk to dc.saas.lan

I can log into server.saas.lan with [email protected] - But I don't understand how it works. If I watch firewall logs, I see a bunch of login chatter between server.saas.lan and dc.saas.lan

I also see a bunch of DROPPED chatter between server.saas.lan and dc.corp.lan. Presumably, this is because server.saas.lan is trying to authenticate [email protected] But no firewall rule exists that allows communication between these hosts.

However, [email protected] can log in successfully to server.saas.lan - Once logged in, I can "echo %logonserver%" and get \dc.corp.lan.

So.... I am a little confused how the account actually gets authenticated. Does dc.saas.lan eventually talk to dc.corp.lan after server.saas.lan can't talk to dc.corp.lan?

Just trying to figure out what needs to be changed/fixed/altered.

© Server Fault or respective owner

Related posts about active-directory