IIS Server Security archive, April 2006
One-way trust, Kerberos & IIS
Hi,
I have the following configuration
Two Active Directory Domains in two separate forests.
Domain A Windows 2000
Domain B Windows 2003
I have a one-way trust between them such that B trusts A
I have a web application running on a Windows Server 2003 installation using
IIS in Domain B that requires Kerberos Authentication using IWA.
Currently when I attempt to log on with a client authenticated with a DC in
Domain A authentication appears to be using the fall back of NTLM. Do I need
to create an SPN in Domain A to allow Domain A’s KDC to provide the client
running in Domain A with a referral ticket for Domain B?
Many thanks
Jim
Roger Abell [MVP] 2006-04-11, 9:53 am
The forest of Domain A is at best Windows 2000 native.
External trusts to other forests are always NTLM based in
that scenario. If you want a trust that supports Kerberos
you need W2k3 mode forests and a forest-level trust.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Jim" <Jim@discussions.microsoft.com> wrote in message
news:D2005B36-F90D-4D64-AC10-789CBD785163@microsoft.com...
> Hi,
>
> I have the following configuration
>
> Two Active Directory Domains in two separate forests.
>
> Domain A Windows 2000
>
> Domain B Windows 2003
>
> I have a one-way trust between them such that B trusts A
>
> I have a web application running on a Windows Server 2003 installation
> using
> IIS in Domain B that require Kerberos Authentication using IWA.
>
> Currently when I attempt to log on with a client authenticated with a DC
> in
> Domain A authentication appears to be using the fall back of NTLM. Do I
> need
> to create an SPN in Domain A to allow Domain A's KDC to provide the client
> running in Domain A with a referral ticket for Domain B?
>
> Many thanks
>
> Jim
>
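Roger's answer says why the fallback happens for this trust type; the other common cause of the same symptom is an HTTP SPN that is missing or registered on the wrong account, which is what Jim was asking about. The script below is an added example, not code from the thread or from Microsoft: run on the IIS host, it lists the SPNs held by the identity the application pool runs as and then counts successful network logons by authentication package, so NTLM logons from clients that should be using Kerberos stand out. It assumes Windows Server 2008 or later on the web server (event ID 4624 and Get-WinEvent; on Windows Server 2003 the equivalent event is 540), and the host name, account name and lookback window are placeholders to adjust.

```powershell
# Added example (not from the thread): confirm which authentication package
# clients actually use against this IIS server, and check the SPNs behind it.
# Assumes Windows Server 2008+ (event 4624, Get-WinEvent) and setspn.exe in PATH.
param(
    # Placeholder: identity of the IIS application pool. For Network Service
    # (the IIS 6 default) use the computer account, e.g. "DOMAINB\WEBSERVER$".
    [string]$AppPoolAccount = "DOMAINB\svc_web",
    # Lookback window for the Security log, in hours.
    [int]$Hours = 24
)

# 1. SPNs on the identity IIS runs as. A browser in the trusting domain asks
#    its KDC for a ticket to HTTP/<fqdn>; if no account in the forest holds
#    that SPN the client silently falls back to NTLM.
Write-Host "SPNs registered on $AppPoolAccount :"
setspn -L $AppPoolAccount

# 2. Successful logons (4624) in the window, parsed from the event XML.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon type 3 = network logon, which is what IIS/IWA produces.
    if ($data['LogonType'] -eq '3') {
        [pscustomobject]@{
            Package = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            Domain  = $data['TargetDomainName']
            User    = $data['TargetUserName']
            Source  = $data['IpAddress']
        }
    }
}

# 3. Summary: one line per (package, client domain). NTLM rows for the
#    trusting domain are the fallback the thread describes.
Write-Host "`nNetwork logons in the last $Hours hours, by package and domain:"
$rows | Group-Object Package, Domain | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If every logon from the trusting domain shows as NTLM while the SPN is present and correct, the cause is the trust type rather than the SPN, which is the situation Roger describes; if Kerberos works for local-forest users but the SPN is absent or held by a second account, that is the SPN problem and it affects every client, not just the remote forest.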
Thanks Roger,
I have been looking at this for the past couple of days. My understanding is
that it is possible to configure a Kerberos realm trust between any
non-Windows-based operating system Kerberos version 5 realm and a Windows
2000 Server
This trust relationship should allow cross-platform interoperability with
security services based on Kerberos version 5
I found the following article on Technet:
http://www.microsoft.com/technet/pr...o/kerbstep.mspx
I guess what I'm asking is, would it be possible to configure a one-way
trust based on a non-Windows trust between the two Windows domains.
Ultimately all I require is SSO on the IIS server located in Domain B from
clients in Domain A.
Many thanks,
Jim
"Roger Abell [MVP]" wrote:
> The forest of Domain A is at best Windows 2000 native.
> External trusts to other forests is always NTLM based in
> that scenario. If you want a trust that supports Kerberos
> you need W2k3 mode forests and a forest-level trust.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
>
> "Jim" <Jim@discussions.microsoft.com> wrote in message
> news:D2005B36-F90D-4D64-AC10-789CBD785163@microsoft.com...
Roger Abell [MVP] 2006-04-27, 7:52 am
"Jim" <Jim@discussions.microsoft.com> wrote in message
news:4E2BAF87-EC62-4AD1-9A87-88740A278298@microsoft.com...
> Thanks Roger,
>
> I have been looking at this for the past couple of days. My understanding
> is
> that it is possible to configure a Kerberos realm trust between any
> non-Windows-based operating system Kerberos version 5 realm and a Windows
> 2000 Server
>
> This trust relationship should allow cross-platform interoperability with
> security services based on Kerberos version 5
>
> I found the following article on Technet:
>
> http://www.microsoft.com/technet/pr...o/kerbstep.mspx
>
> I guess what I'm asking is, would it be possible to configure a one-way
> trust based on a non-windows trust to the between the two Windows domains.
> Ultimately all I require is SSO on the IIS server located in Domain B from
> clients in Domain A.
>
> Many thanks,
>
> Jim
>
I doubt that route would bear fruit, and the MIT Kerberos realm trust
model is less simple than it can seem.