Passing authentication off to another domain

Guest

Hi

Is there a way of setting a domain up to try and authenticate a user locally,
and if it doesn't find a user in its domain to then go and try and authenticate
that user in a different domain?

What we want to do is to have two separate domains, ABC.com and EXT.abc.com.
These domains are separate domains with a one way trust between them.
EXT.abc.com trusts abc.com. I have corporate users setup in the abc.com
domain with UPNs of @abc.com and I want them to be able to login to the
EXT.abc.com domain using their (e-mail address removed) user and password. Currently
this does not work for the UPNs, but if I use the "Log on to" pull down box
and select the old NT domain name (Corp_abc) from the list it works. It seems
to me that either the EXT.abc.com domain sees the @abc.com and is trying to log
that person in locally, or that EXT.abc.com can't find the DC for the abc.com
domain. When I run a nslookup from the DC on the ext.abc.com domain for
abc.com, it returns its own IP.

I know this may sound weird to do, but is there any way of making it happen?

Marty
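The nslookup symptom in the question (a query for abc.com from the ext.abc.com DC answers with that DC's own address) can be pinned down with the checks below. This is an added example, not something posted in the thread, and it assumes a far newer DC than the thread's Windows 2000/2003 era: a domain controller of ext.abc.com with the DnsClient, DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later). The abc.com DNS server address 10.1.0.10 is an assumption.

```powershell
# Added example, not from the thread. Run on a DC of ext.abc.com.
# Assumed: 10.1.0.10 is a DNS server authoritative for abc.com.
$TrustedDomain = 'abc.com'
$TrustedDns    = '10.1.0.10'

# 1. Does THIS server believe it is authoritative for abc.com? A zone named abc.com hosted
#    here (primary, secondary or stub) makes an A lookup for abc.com answer with local data,
#    which is the symptom in the post. In that case the fix is to remove the stray zone,
#    not to add a forwarder, because a locally hosted zone is never forwarded.
$stray = Get-DnsServerZone -Name $TrustedDomain -ErrorAction SilentlyContinue
if ($stray) {
    Write-Warning "Local DNS hosts a zone for $TrustedDomain (type: $($stray.ZoneType)); queries for it never leave this server."
}

# 2. The domain controller locator does not use the A record for abc.com at all; it needs
#    the SRV records under _msdcs. Ask the local resolver, then the abc.com server directly,
#    so a missing answer can be blamed on the right side.
$srvName   = "_ldap._tcp.dc._msdcs.$TrustedDomain"
$viaLocal  = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV'
$viaRemote = Resolve-DnsName -Name $srvName -Type SRV -Server $TrustedDns -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV'

"{0}  via local resolver: {1}  via {2}: {3}" -f $srvName, @($viaLocal).Count, $TrustedDns, @($viaRemote).Count
$viaRemote | Select-Object NameTarget, Port, Priority, Weight

# 3. What the logon path actually exercises: can Netlogon on this DC find a DC for abc.com?
#    ERROR_NO_SUCH_DOMAIN (1355) here, while step 2 found records only when asking 10.1.0.10
#    directly, means the ext.abc.com resolver cannot reach the abc.com zone.
nltest /dsgetdc:$TrustedDomain /force

# 4. Remediation when no stray zone exists: forward abc.com lookups to its own DNS servers
#    and re-run the locator query. (Secure the forwarder path as you would any DNS dependency;
#    a trust relies on it.)
if (-not $stray -and @($viaLocal).Count -eq 0 -and @($viaRemote).Count -gt 0) {
    Add-DnsServerConditionalForwarderZone -Name $TrustedDomain -MasterServers $TrustedDns -ReplicationScope 'Forest'
    Clear-DnsClientCache
    Resolve-DnsName -Name $srvName -Type SRV | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port
}
```

The order matters: step 1 before step 4, because a conditional forwarder for a name the server already hosts as a zone is silently ignored, and the symptom would survive the "fix".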
 
Chriss3 [MVP]

Herb Martin

Marty said:
> Hi
>
> Is there a way of setting a domain up to try and authenticate a user locally,
> and if it doesn't find a user in its domain to then go and try and authenticate
> that user in a different domain?

Not exactly -- after all, the user is specifying their
account by Domain\Username or some other format
that is explicit for both domain and user name (only
thus is the user truly defined) so it really only checks
THAT domain anyway.

You can use a UPN which may hide the explicit
domain in a multi-domain forest: (e-mail address removed)
may resolve to (e-mail address removed) or some
such.

> What we want to do is to have two separate domains, ABC.com and EXT.abc.com.
> These domains are separate domains with a one way trust between them.
> EXT.abc.com trusts abc.com. I have corporate users setup in the abc.com
> domain with UPNs of @abc.com and I want them to be able to login to the
> EXT.abc.com domain using their (e-mail address removed) user and password.

The UPN method only works completely I believe within one Forest
but I haven't tested that.

But you can try it (with the external trust) easily enough by
setting up a test user.

You are really swimming uphill though by not having a single
Forest and a single account for each user.

> Currently
 
Cary Shultz [A.D. MVP]

Marty,

Further to my post...

A user account object can only be authenticated against a Domain Controller
from the Domain in which it resides. If there is a user account object in
abc.com then only a Domain Controller from abc.com can authenticate it. It
can not be authenticated against a Domain Controller from ext.abc.com.....

The UPN suggestion simply makes the domain 'irrelevant' - from a user
standpoint. So, all user account objects would have (e-mail address removed) or
(e-mail address removed) - you set this up in the Active Directory Domains and Trusts
MMC...this would apply to all user account objects in the forest....

But, a DC in abc.com would have to be available to authenticate a user
account object from abc.com.....if that is not the case ( no DC is
available ) then that user account object would not be authenticated....even
if there were seven DCs available from ext.abc.com...

Unless, of course, there is something that I am missing....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
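Cary's two points (an abc.com account is only ever authenticated by an abc.com DC, and a UPN suffix changes only what the user types, not which domain holds the account) can be checked from the ext.abc.com side with the script below. It is an added example, not code from the thread, and it assumes a DC of ext.abc.com with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so newer than the thread). The user name marty@abc.com used in the last step is an assumption. One caveat the thread does not raise and the script does check: on a one-way external trust, SID filtering (the "quarantined" flag) is what stops SIDs from the trusted forest's SIDHistory from being honoured in ext.abc.com; it should stay enabled.

```powershell
# Added example, not from the thread. Run on a DC of ext.abc.com.
Import-Module ActiveDirectory

$TrustedDomain = 'abc.com'
$Forest        = Get-ADForest

# 1. Trust inventory. Direction 'Outbound' means ext.abc.com trusts the target, i.e. the
#    target's users may log on here (the one-way trust from the question). ForestTransitive
#    separates a forest trust, which routes UPN suffixes to the other forest, from a plain
#    external trust, which does not.
$trusts = Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Target        = $_.Target
        Direction     = $_.Direction
        ForestTrust   = $_.ForestTransitive
        SidFiltering  = $_.SIDFilteringQuarantined   # keep $true on an external trust
        SelectiveAuth = $_.SelectiveAuthentication
    }
}
$trusts | Format-Table -AutoSize

$t = $trusts | Where-Object Target -eq $TrustedDomain
if (-not $t) {
    Write-Warning "No trust object for $TrustedDomain on this side."
} elseif (-not $t.ForestTrust) {
    Write-Warning "Trust to $TrustedDomain is external: a logon typed as user@$TrustedDomain relies on name-suffix routing that only a forest trust provides. DOMAIN\user (the 'Log on to' box) works; the UPN form does not."
}
if ($t -and -not $t.SidFiltering) {
    Write-Warning "SID filtering is off for the trust to $TrustedDomain; SIDHistory from that forest would be accepted here."
}

# 2. UPN suffixes this forest claims as its own. Every local domain name is an implicit
#    suffix; Get-ADForest lists the explicit ones added in AD Domains and Trusts. If abc.com
#    appears in either, a logon as someone@abc.com is treated as a LOCAL account lookup,
#    the 'sees the @abc.com and tries to log that person in locally' case from the question.
$localSuffixes = @($Forest.Domains) + @($Forest.UPNSuffixes)
"UPN suffixes owned by this forest: " + ($localSuffixes -join ', ')
if ($localSuffixes -contains $TrustedDomain) {
    Write-Warning "'$TrustedDomain' is a UPN suffix of THIS forest; logons with @$TrustedDomain will never be sent elsewhere."
}

# 3. Where would an @abc.com account be found? Not in this forest's global catalog: the GC of
#    ext.abc.com holds nothing from abc.com, so this search must come back empty. A hit means
#    someone created a duplicate local account with that UPN, which is a different problem.
$gc = $Forest.GlobalCatalogs | Select-Object -First 1
$dup = Get-ADUser -Server "$($gc):3268" -Filter "UserPrincipalName -eq 'marty@abc.com'" -ErrorAction SilentlyContinue
if ($dup) { Write-Warning "Local account $($dup.DistinguishedName) carries the UPN marty@abc.com." }
```

Read together with the DNS checks: if the trust is external and abc.com is not a local suffix, the DC locator result decides whether the DOMAIN\user logon keeps working; no local configuration will make the @abc.com form cross an external trust.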
 
Herb Martin

Cary Shultz said:
> Marty,
>
> Since ext.abc.com is a child domain of abc.com there will be - by default -
> trusts already set up. Just make sure that DNS is set up correctly. It
> sounds like Herb and Chriss have given you ideas. I am thinking that the
> UPN suggestion might be a good one.

Cary, I read him to say that despite the apparent
connection he has set these up as separate forests
with a 1-way trust.

This strongly indicates he has two Forests which is
part of the likely mis-design he is fighting.
 
Cary Shultz [A.D. MVP]

Herb,

You might be correct. I read it a bit differently but it could very well be
that I am 'hearing' what I want to hear. You have two domains both ending
in abc.com and you *naturally* have a parent / child domain set up in the
same domain tree ( read: single forest ).

But you are probably reading it correctly.

Maybe Marty can clarify?

Marty, are you talking about two separate Forests....where abc.com is a
single domain-tree Forest and ext.abc.com is a second separate single
domain-tree Forest? or are you talking about one Forest with one Domain
Tree....where ext.abc.com is a child domain of abc.com?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Herb Martin

Cary Shultz said:
> Herb,
>
> You might be correct. I read it a bit differently but it could very well be
> that I am 'hearing' what I want to hear. You have two domains both ending
> in abc.com and you *naturally* have a parent / child domain set up in the
> same domain tree ( read: single forest ).

We'll see.

> But you are probably reading it correctly.

FYI: Some of my training is on the structure of language
and how it channels what we think depending on the words
AND the structure of those words.

> Maybe Marty can clarify?

Yes, we pretty much have to see what he says.

> Marty, are you talking about two separate Forests....where abc.com is a
> single domain-tree Forest and ext.abc.com is a second separate single
> domain-tree Forest? or are you talking about one Forest with one Domain
> Tree....where ext.abc.com is a child domain of abc.com?
 
Guest

Cary;

These are two separate forests, they just share the abc.com part of a domain
name.

In reality, what I have is:

Domain one: abc.com (Parent) (NT domain name = corp_abc)
            ca.abc.com (child)

Domain two: ext.abc.com

Marty
 