Re: IAS and trusted domains


From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 12/01/04

    Date: Wed, 1 Dec 2004 08:43:02 -0800
    
    

    Don't say that, there's always a way

    Cross domain (full trust, or NT4 style trust) works with IAS and I have to
    add, works great

    To ease up your problems I would suggest using PEAP over EAP-TLS because
    it's easier to do trusts with

    Your options are:
    A) Add the IAS server to the RAS and IAS Servers group in both domains
    B) Add a second IAS server in the second domain (Win2k) and have your Win2k3
    IAS proxy Win2k users to that server (The server can co-exist on the DC if
    you don't want additional hardware)

    When using EAP-TLS, you will need to issue each one of your clients a
    certificate to allow them access. The certificate normally contains the full
    user information and allows IAS to know where to send the request

    I would recommend option A above with PEAP (no certificate needed on the
    clients) and easier to deploy.

    If you get stuck, let us know, we'll help you more. But trust me, it's very
    simple to do, and you can do it

    Good luck.

    Sam
    PS: Cross forest trust is different than NT4 style trust and requires
    domains to be running in Win2k3 forest mode. In the case of two domains only
    (not two forests with many domains in each) there is not much gain in
    Cross-forest authentication. At least in your case

    -- 
          =============================================
      This posting is provided "AS IS" with no warranties, and confers no rights
          =============================================
    "Mimmus" <viggiani@hotmail.com> wrote in message 
    news:9Alrd.60218$Ni.2054537@twister1.libero.it...
    > My domain is Wk2003 but trusted domain is Wk2000.
    >
    > According to this excerpt:
    >
    > "IAS supports authentication across forests without a RADIUS proxy when 
    > the
    > two forests contain only domains that consist of domain controllers 
    > running
    > Microsoft Windows Server 2003, Standard Edition; Windows Server 2003,
    > Enterprise Edition; and Windows Server 2003, Datacenter Edition. The 
    > forest
    > functional level must be Windows Server 2003, and there must be a two-way
    > trust relationship between forests. "
    >
    > my attempt is without hope.
    >
    > :-((
    >
    >
    > Mimmus
    > 
    

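The following is an added worked example, not part of Sam's post or of any Microsoft tooling he mentions: it carries out option A above (put the IAS server's computer account into the "RAS and IAS Servers" group in both domains) with the ActiveDirectory PowerShell module and then verifies the result. The server name `IAS01` and the domain names `corp.example` and `legacy.example` are placeholders; the script assumes a modern admin host and domain controllers that answer AD Web Services requests, so it illustrates the step rather than reproducing what a 2004 admin typed into Active Directory Users and Computers.

```powershell
# Added example: register an IAS/NPS server in the "RAS and IAS Servers"
# domain local group of its own domain AND of a trusted domain (option A).
# All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$iasHost       = 'IAS01'                # hypothetical IAS server
$homeDomain    = 'corp.example'         # hypothetical domain the IAS server belongs to
$trustedDomain = 'legacy.example'       # hypothetical trusted second domain
$group         = 'RAS and IAS Servers'  # built-in domain local group, same name in each domain

# Resolve the computer object once in its own domain. Passing the object (with
# its SID) rather than a bare name is what lets a group in the trusted domain
# accept it; the trusted domain records it as a foreign security principal.
$iasComputer = Get-ADComputer -Identity $iasHost -Server $homeDomain

function Test-IasGroupMembership {
    param([string]$Group, [string]$Domain, $Computer)
    $members = (Get-ADGroup -Identity $Group -Server $Domain -Properties member).member
    # Home domain lists the computer's own DN; a trusted domain lists an FSP
    # whose CN is the computer's SID.
    $sid = $Computer.SID.Value
    return [bool]($members | Where-Object {
        $_ -eq $Computer.DistinguishedName -or
        $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*"
    })
}

foreach ($domain in @($homeDomain, $trustedDomain)) {
    if (Test-IasGroupMembership -Group $group -Domain $domain -Computer $iasComputer) {
        Write-Output "$domain : $iasHost is already a member of '$group'"
        continue
    }
    Add-ADGroupMember -Identity $group -Members $iasComputer -Server $domain
    Write-Output "$domain : added $iasHost to '$group'"
}

# Verify both memberships; anything MISSING means IAS will not be able to read
# users' dial-in properties in that domain and will reject them.
foreach ($domain in @($homeDomain, $trustedDomain)) {
    $ok = Test-IasGroupMembership -Group $group -Domain $domain -Computer $iasComputer
    Write-Output ("{0} : membership {1}" -f $domain, $(if ($ok) { 'OK' } else { 'MISSING' }))
}
```

The point of this group, and the reason it is the least-privilege answer, is that membership only grants the IAS server read access to the remote access attributes of user accounts in that domain; it does not need, and should not be given, administrative rights in the trusted domain. The new membership shows up in the server's token only after it is refreshed (in practice a reboot of the IAS server), so a MISSING result right after the script is a verification error, while an OK result followed by continued rejections usually means the token has not been refreshed yet.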
