Re: IAS/RADIUS question - solved (almost)
Hi all,

As a first step of trial, we chose the easy way first
(since the more elegant proxy-based solution involves
setting up the radius service on one.foo.com in
addition to the proxy server itself).

So we removed the 1-way external trusts and created a
pair of 2-way external trusts on each domain.
Fortunately, this solved our problem and lets
users authenticate successfully through the
RADIUS server on domain TWO.

Yet, we are now facing an annoying feature:
the TWO domain appears on the Logon-To
list of the logon dialog box of the workstations
that belong in domain ONE.
Since we still want to be able to log in to
a workstation using a local user account
(usually administrator), we wouldn't want
to force the Logon-To list to completely disappear
from the logon dialog box (which is possible
through GPO).

Is there any way to somehow manage the
(filter entries out from or explicitly set the)
contents of the Logon-To list (preferably
through GPO) in domain ONE so that
domain TWO does not appear in it?

I know that this question is off-topic but a hint
would be greatly appreciated!

TIA

Manos


"Thomas K" <thomas@xxxxxxxxx> wrote in message
news:4460faf2$0$32735$ba620e4c@xxxxxxxxxxxxxxxxx
Hi Manos,

Thinking is correct and I would be interested to hear whether MS has a bug
raised on this one.
My recommendation would be to follow the proxy-radius route to abstract
yourself from the MS forest trust thing ...

T

"Manos" <zaffodb@xxxxxxxxxxx> wrote in message
news:OpItOB2cGHA.4576@xxxxxxxxxxxxxxxxxxxxxxx
Hello all,

In our organization we have two separate *forests*,
whose root domains are: one.foo.com and two.foo.com.

one.foo.com runs on a pair of identical WS 2003
Enterprise / SP1 systems, while two.foo.com runs
on a single WS2003 Enterprise R2 system.

Our goal is to enable user authentication for both
domains through an IAS/RADIUS server installed
on two.foo.com.

We have established a 1-way trust on each side as follows:
[one.foo.com]
* 1-way incoming external trust with two.foo.com
[two.foo.com]
* 1-way outgoing external trust with one.foo.com
Authentication scope is set to 'Domain-wide
authentication' on two.foo.com, for testing purposes.

The problem we are experiencing can be described as follows:

When a user of one.foo.com attempts to authenticate
(e.g. via wi-fi) through two.foo.com, we get the
following error events in the log:

------------------
EventID 5052
Source IAS
Desc
There is no domain controller available for domain ONE.
------------------
EventID 3
Source IAS
Desc
Access request for user ONE\someuser was discarded.
...
Reason-Code=5
Reason=The user account domain cannot be accessed
------------------

The error described above only occurs when users
of domain two.foo.com try to authenticate; users
in one.foo.com authenticate successfully through
the IAS server.

Digging into docs, we found that there are two
different potential solutions, based on different
design paradigms, as stated in

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

a) The trust type should be two-way, yet this *seems* to be
the case where the two domains belong to the same forest

b) Both domains should be equipped with a pair of
IAS servers each and a RADIUS proxy should be
used to route the authentication requests to
the appropriate one.

We have not tried any of the above solutions yet,
since we prefer to make sure that we are thinking
in the correct way.
Any help would be greatly appreciated.

Thanks in advance,

Manos
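When triaging this kind of failure it helps to confirm, from the IAS log itself, which user domains are being discarded with Reason-Code 5 and whether those line up with the "no domain controller available" (EventID 5052) events. The script below is an added example, not code from the post or from Microsoft; it parses event records laid out the way they are quoted above and tallies them per domain. The sample events are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the post (not real log data).
SAMPLE_EVENTS = """------------------
EventID 5052
Source IAS
Desc
There is no domain controller available for domain ONE.
------------------
EventID 3
Source IAS
Desc
Access request for user ONE\\someuser was discarded.
...
Reason-Code=5
Reason=The user account domain cannot be accessed
------------------
EventID 3
Source IAS
Desc
Access request for user ONE\\otheruser was discarded.
...
Reason-Code=5
Reason=The user account domain cannot be accessed
------------------
EventID 1
Source IAS
Desc
User TWO\\localuser was granted access.
------------------
"""

SEPARATOR = re.compile(r"^-{3,}\s*$", re.M)
USER_RE = re.compile(r"\buser (?P<domain>[^\\\s]+)\\(?P<user>\S+)")
NO_DC_RE = re.compile(r"no domain controller available for domain (?P<domain>\w+)")
KV_RE = re.compile(r"^(Reason-Code|Reason)=(.*)$")


def parse_events(text):
    """Split the dashed-rule separated text into records of header fields plus description."""
    records = []
    for chunk in SEPARATOR.split(text):
        lines = [l.strip() for l in chunk.strip().splitlines() if l.strip()]
        if not lines:
            continue
        rec = {"fields": {}, "desc": []}
        in_desc = False
        for line in lines:
            if in_desc:
                if set(line) == {"."}:          # elided "..." filler in the quoted log
                    continue
                m = KV_RE.match(line)
                if m:
                    rec["fields"][m.group(1)] = m.group(2)
                else:
                    rec["desc"].append(line)
            elif line == "Desc":
                in_desc = True
            else:                               # "EventID 3", "Source IAS"
                key, _, value = line.partition(" ")
                rec["fields"][key] = value
        rec["desc"] = " ".join(rec["desc"])
        records.append(rec)
    return records


def summarize(text):
    """Count Reason-Code 5 discards per user domain and collect domains with no reachable DC."""
    events = parse_events(text)
    discards_by_domain = Counter()
    unreachable = set()
    for ev in events:
        eid = ev["fields"].get("EventID")
        if eid == "5052":
            m = NO_DC_RE.search(ev["desc"])
            if m:
                unreachable.add(m.group("domain"))
        elif eid == "3" and ev["fields"].get("Reason-Code") == "5":
            m = USER_RE.search(ev["desc"])
            if m:
                discards_by_domain[m.group("domain")] += 1
    return {
        "unreachable_domains": sorted(unreachable),
        "discards_by_domain": dict(discards_by_domain),
        "total_events": len(events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

If the discarded domain matches the domain reported in the 5052 events, the IAS server in TWO cannot reach a DC for that domain at all, which points at the trust configuration rather than at the individual user accounts.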