RE: Authentication in a multi-domain forest
- From: JSilva <JSilva@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Aug 2005 12:18:02 -0700
Steve, what you are speaking of involves Kerberos referral paths.
See this whitepaper - How Kerberos Authentication Works
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28.mspx
In particular, read the 3-domain authentication example.
Hope this helps.
Jason Silva
"Steve Athanas" wrote:
> Hey, everyone:
>
> I'm looking for a bit of information about how clients in one domain can
> authenticate to resources in another domain (provided that both are in
> the same forest, with all default transitive trusts in place and no
> shortcut trusts.)
>
> Suppose a forest has three domains: a parent named company.com, and two
> child domains named sales.company.com, and research.company.com. What we
> have noticed in our environment, similar to the one above, is that if a
> sales user logs on to a computer in the research domain, and attempts to
> access a resource in the company domain, there are requests for Kerberos
> and LDAP that go to the root, company.com DCs.
>
> Does anyone know why this would be? I thought that the user would
> authenticate to their DC, and that credentials would be passed from DC
> to DC. If there is a white paper on intra-forest authentication, I would
> love to read it, I searched the KB articles, but couldn't find one.
>
> Thanks for any information!
>
> -Steve Athanas
>
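The referral path discussed in this thread, modelled as an added example that is not part of either message. It generalizes to any parent-child domain tree without shortcut trusts, and shows that the client itself contacts a KDC in each realm along the path, which is why traffic to the company.com DCs appears. The domain names are from the post; the function names and the `cifs/fs1.company.com` SPN are constructed for illustration.

```python
# Added illustration: Kerberos referral chasing over default parent-child trusts.
# Function names and the sample SPN are hypothetical, not from the thread.

FOREST_PARENT = {  # child domain -> parent domain (no shortcut trusts)
    "sales.company.com": "company.com",
    "research.company.com": "company.com",
    "company.com": None,  # forest root
}

def chain_to_root(domain):
    """Return [domain, parent, ..., forest root]."""
    chain = []
    while domain is not None:
        chain.append(domain)
        domain = FOREST_PARENT[domain]
    return chain

def trust_path(user_domain, resource_domain):
    """Realms whose KDC the client contacts, in order."""
    up = chain_to_root(user_domain)
    down = chain_to_root(resource_domain)
    # First realm on the way up that also sits above the resource domain.
    common = next(d for d in up if d in down)
    return up[: up.index(common) + 1] + down[: down.index(common)][::-1]

def referral_exchange(user_domain, resource_domain, spn):
    """TGS exchanges the client performs, as (kdc_realm, ticket_issued)."""
    path = trust_path(user_domain, resource_domain)
    steps = []
    for here, nxt in zip(path, path[1:]):
        # An intermediate KDC cannot issue the service ticket; it returns
        # a referral TGT that the client presents to the next realm's KDC.
        steps.append((here, f"krbtgt/{nxt.upper()}@{here.upper()}"))
    # Only a KDC in the resource's own realm issues the service ticket.
    steps.append((path[-1], f"{spn}@{path[-1].upper()}"))
    return steps

if __name__ == "__main__":
    # Sales user reaching a file server in the root domain (constructed SPN).
    for kdc, ticket in referral_exchange(
        "sales.company.com", "company.com", "cifs/fs1.company.com"
    ):
        print(f"client -> KDC in {kdc}: receives {ticket}")
```
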