Failure of Win API LsaQueryTrustedDomainInfo(..) on a WinNT machine with IN parameter to information

Soumen Das

We have a trust relationship set up between domain servers Win 2003
and WinNT PDC(SP4) machine. We have verified that an NT user could log
on to a Win2k3 domain and vice-versa indicating mixed domain trust was
successfully created.

Question 1: Is this a supported configuration?

Now, we are trying to obtain trust relationship properties for the Win
NT PDC machine, containing information the same as or similar to that
stored in the TRUSTED_DOMAIN_INFORMATION_EX structure.

The problem is -
Win API LsaQueryTrustedDomainInfo(..) fails with "Access is denied"
error on a Windows NT machine when the IN parameter to Information
class is TrustedDomainInformationEx (even though the Trust
Relationship has been successfully created).

The Win API Call Sequence is
- LsaOpenPolicy(..) // null to systemname, POLICY_ALL_ACCESS was granted to in parameter ACCESS_MASK
- LsaEnumerateTrustedDomains(..) // valid SIDs of one or more trusted domains returned in out parameter Buffer
- LsaQueryTrustedDomainInfo(..) // in parameter to Information class as TrustedDomainInformationEx

Reference -
http://msdn.microsoft.com/library/d...ecmgmt/security/lsaquerytrusteddomaininfo.asp
This link mentions support for WinNT server 3.51 and later.

Our executable was made to run as an administrative account and/or as
a local system user on WinNT PDC.

Question 2 - Is there any alternative API to obtain trust relationship
properties on a Win NT PDC machine, containing information the same as
or similar to that stored in the TRUSTED_DOMAIN_INFORMATION_EX
structure? Or are we doing anything that is incorrect?

Regards,
Soumen
 
Roger Abell

I am only addressing the question "Is this a supported config?"
to which I believe the answer is no. SP4 for NT was released
with some back-port of what was envisioned would be needed
for AD inter-op but this was back when it was still called Windows
NT5 instead of Windows 2000.
Have you tried with the NT domain at SP 6a?

Your issues of course may be due to other reasons, but I do
believe it is true to say that trust of W2k3 with NT4 at SP 4
is not a supported config.
 
soumen

Have you tried with the NT domain at SP 6a?

Yes, we did try with NT domain at SP 6a and are facing the exact same
issues as described earlier.

Regards,
Soumen
 
Roger Abell

Then I would try taking this up in the MSDN forums as
it seems either something in your calling parms, or the
implementation of the APIs
 
