Re: IAS/RADIUS question



Hi Manos,

Your thinking is correct, and I would be interested to hear whether MS has a bug
raised on this one.
My recommendation would be to follow the proxy-radius route to abstract
yourself from the MS forest trust thing ...

T

"Manos" <zaffodb@xxxxxxxxxxx> wrote in message
news:OpItOB2cGHA.4576@xxxxxxxxxxxxxxxxxxxxxxx
Hello all,

In our organization we have two separate *forests*,
whose root domains are: one.foo.com and two.foo.com.

one.foo.com runs on a pair of identical WS 2003
Enterprise / SP1 systems, while two.foo.com runs
on a single WS2003 Enterprise R2 system.

Our goal is to enable user authentication for both
domains through an IAS/RADIUS server installed
on two.foo.com.

We have established a 1-way trust on each side as follows:
[one.foo.com]
* 1-way incoming external trust with two.foo.com
[two.foo.com]
* 1-way outgoing external trust with one.foo.com
Authentication scope is set to 'Domain-wide
authentication' on two.foo.com, for testing purposes.

The problem we are experiencing can be described as follows:

When a user of one.foo.com attempts to authenticate
(e.g. via Wi-Fi) through two.foo.com, we get the
following error events in the log:

------------------
EventID 5052
Source IAS
Desc
There is no domain controller available for domain ONE.
------------------
EventID 3
Source IAS
Desc
Access request for user ONE\someuser was discarded.
...
Reason-Code=5
Reason=The user account domain cannot be accessed
------------------

The error described above only occurs when users
of domain two.foo.com try to authenticate; users
in one.foo.com authenticate successfully through
the IAS server.

Digging into docs, we found that there are two
different potential solutions, based on different
design paradigms, as stated in
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

a) The trust type should be two-way, yet this *seems* to be
the case where the two domains belong to the same forest

b) Both domains should be equipped with a pair of
IAS servers each and a RADIUS proxy should be
used to route the authentication requests to
the appropriate one.

We have not tried any of the above solutions yet,
since we prefer to make sure that we are thinking
in the correct way.
Any help would be greatly appreciated.

Thanks in advance,

Manos
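Added example, not part of the thread: a small Python model of the realm-based routing a RADIUS proxy would perform for option (b), plus a parser for IAS discard events shaped like the ones quoted above, so an administrator can count which domain's users are being dropped. The policy names, the remote server group name and the sample event lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed connection request policies, evaluated in order like an IAS
# RADIUS proxy does. Target "local" = authenticate against this server's own
# forest; anything else names a remote RADIUS server group (assumed names).
POLICIES = [
    ("Forward ONE users", re.compile(r"^ONE\\|@one\.foo\.com$", re.I), "group-one.foo.com"),
    ("Authenticate TWO locally", re.compile(r"^TWO\\|@two\.foo\.com$", re.I), "local"),
]


def route_request(user_name, policies=POLICIES):
    """Return (policy name, target) for the first policy whose User-Name
    pattern matches, or None when nothing matches (IAS would discard)."""
    for name, pattern, target in policies:
        if pattern.search(user_name):
            return name, target
    return None


# Constructed IAS event text modelled on the events quoted in the post.
SAMPLE_EVENTS = """\
EventID 5052 Source IAS Desc There is no domain controller available for domain ONE.
EventID 3 Source IAS Desc Access request for user ONE\\someuser was discarded. Reason-Code=5 Reason=The user account domain cannot be accessed
EventID 3 Source IAS Desc Access request for user ONE\\otheruser was discarded. Reason-Code=5 Reason=The user account domain cannot be accessed
EventID 1 Source IAS Desc User TWO\\localuser was granted access.
"""

# Matches an Event 3 discard and captures the NetBIOS domain and Reason-Code.
DISCARD_RE = re.compile(
    r"EventID 3 .*?user (?P<domain>[^\\\s]+)\\(?P<user>\S+) was discarded\."
    r".*?Reason-Code=(?P<code>\d+)"
)


def discards_by_domain(event_text, reason_code="5"):
    """Count Event 3 discards with the given Reason-Code per domain, so a
    spike for one domain (here ONE) points at the trust/DC lookup path."""
    counts = Counter()
    for line in event_text.splitlines():
        m = DISCARD_RE.search(line)
        if m and m.group("code") == reason_code:
            counts[m.group("domain").upper()] += 1
    return dict(counts)
```

Running `discards_by_domain(SAMPLE_EVENTS)` on the constructed events reports two Reason-Code 5 discards for ONE and none for TWO, which is the pattern to look for before deciding between the trust change and the proxy design.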
