How does cross domain authentication work in a firewalled environment?
on Server Fault, by LVLAaron
Published on 2013-02-07T16:59:41Z, indexed on 2013/10/20 3:57 UTC
This is a simplification and the names have been changed to protect the innocent.
The assets:

- Active Directory domains: corp.lan, saas.lan
- User accounts: [email protected], [email protected]
- Servers: dc.corp.lan (domain controller), dc.saas.lan (domain controller), server.saas.lan
A one-way trust exists between the domains so user accounts in corp.lan can log into servers in saas.lan.
No firewall between dc.corp.lan and dc.saas.lan
server.saas.lan is in a firewalled zone and a set of rules exist so it can talk to dc.saas.lan
I can log into server.saas.lan with [email protected] - But I don't understand how it works. If I watch firewall logs, I see a bunch of login chatter between server.saas.lan and dc.saas.lan
I also see a bunch of DROPPED chatter between server.saas.lan and dc.corp.lan. Presumably, this is because server.saas.lan is trying to authenticate [email protected]. But no firewall rule exists that allows communication between these hosts.
However, [email protected] can log in successfully to server.saas.lan. Once logged in, I can run `echo %logonserver%` and get `\\dc.corp.lan`.
So.... I am a little confused how the account actually gets authenticated. Does dc.saas.lan eventually talk to dc.corp.lan after server.saas.lan can't talk to dc.corp.lan?
Just trying to figure out what needs to be changed/fixed/altered.
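Since the question is how the logon actually happens, here is a diagnostic to run on server.saas.lan while logged in as the corp.lan user. It is an added example, not part of the original post: it reports which DC and which authentication package (Kerberos or NTLM) the session was validated with, and whether the corp.lan DC is reachable on the ports a direct Kerberos exchange would use. Host names are the ones from the question; the port list, the assumption that the corp.lan NetBIOS name starts with CORP, and the use of PowerShell 4+ cmdlets (`Test-NetConnection`, `Get-WinEvent`) are assumptions.

```powershell
# Added diagnostic (not from the original question). Run on server.saas.lan
# as the corp.lan user, from an elevated prompt so the Security log is readable.
# Assumptions: host names as in the question, Windows Server 2012+/PowerShell 4+,
# and that the corp.lan domain's NetBIOS name begins with "CORP".

$CorpDc = 'dc.corp.lan'
$User   = $env:USERNAME

# 1. What the session itself reports.
"LOGONSERVER for this session: $env:LOGONSERVER"

# 2. Kerberos tickets held by this logon session. A krbtgt entry for CORP.LAN
#    means this host reached a corp.lan KDC directly; no tickets at all usually
#    means the interactive logon fell back to NTLM.
$tickets = klist 2>&1
if ($tickets -match 'krbtgt') {
    "Kerberos TGT(s) present:"
    $tickets | Select-String 'krbtgt'
} else {
    "No Kerberos TGT in this session - logon most likely used NTLM"
}

# 3. The authoritative answer: the authentication package recorded in the most
#    recent successful logon (event ID 4624) for this user.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500
foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    if ($fields.TargetUserName -eq $User -and $fields.TargetDomainName -match '^CORP') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            LogonType   = $fields.LogonType                 # 2 = interactive, 10 = RDP
            AuthPackage = $fields.AuthenticationPackageName # 'Kerberos' or 'NTLM'
            Workstation = $fields.WorkstationName
        }
        break
    }
}

# 4. Can server.saas.lan reach the corp.lan DC at all? These are the ports a
#    member server uses to locate and talk to a KDC (DNS, Kerberos, RPC endpoint
#    mapper, LDAP, SMB). RPC dynamic ports are not covered by this quick check.
foreach ($port in 53, 88, 135, 389, 445) {
    $r = Test-NetConnection -ComputerName $CorpDc -Port $port -WarningAction SilentlyContinue
    '{0}:{1}  reachable={2}' -f $CorpDc, $port, $r.TcpTestSucceeded
}
```

What to expect: a Kerberos logon for a user from another domain requires the machine the user is logging into (here server.saas.lan) to contact a KDC in the user's own domain for the initial ticket request, which is the dropped traffic to dc.corp.lan in the firewall logs. When that fails, Windows falls back to NTLM, and NTLM is validated by pass-through: server.saas.lan sends the challenge/response to dc.saas.lan, which forwards it across the trust to dc.corp.lan. That path only needs the two firewall rules the question already describes. If step 3 shows `NTLM` and step 4 shows nothing reachable, the logon is working over the fallback path; opening the listed ports from server.saas.lan to dc.corp.lan is what would let Kerberos succeed instead.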
© Server Fault or respective owner