Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

«
»

(2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 1)

Posted by Jorge on 2011-09-07


About a year or so ago I read this blog post which leads this Microsoft technical article. My first reaction was “WTF!”, because everybody has always thought, and you can read it anywhere that:

  • External Trust –> NTLM AuthN only
  • Forest Trust –> Kerberos AuthN and NTLM AuthN

-

I could not believe this and I had to try it out myself of course. Today was that day! Smile So here goes!

-

Before continuing, let’s briefly discuss the infrastructure I used to test this.

  • AD forest “ADCORP.LAB”
    • AD domain “ADCORP.LAB”
      • RWDC “R1FSRWDC1.ADCORP.LAB”
  • AD forest “ADDMZ.LAN”
    • AD domain “ADDMZ.LAN”
      • RWDC “R2FSRWDC1.ADDMZ.LAN”
      • RWDC “R2FSRWDC2.ADDMZ.LAN”
      • RODC “R2FSRODC5.ADDMZ.LAN”
      • SERVER “R2FSMBSVA.ADDMZ.LAN”
  • TEST1 –> One-way Forest Trust (as shown below)
    • Trusting AD forest = “ADDMZ.LAN”
    • Trusted AD forest = “ADCORP.LAB”
    • Forest Wide Authentication enabled

-

image

-

-

  • TEST2 –> One-way External Trust (as shown below)
    • Trusting AD domain = “ADDMZ.LAN”
    • Trusted AD domain = “ADCORP.LAB”
    • Domain Wide Authentication enabled

-

image

-

-

In all cases/tests, the application server “R2FSMBSVA” hosted 5 website as shown below

image

The web sites are configured as follows:

  • DELEGCONFIG.ADDMZ.LAN:81 (DelegConfig v2 Beta)
    • Application Pool = Kerberos AppPool
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/DELEGCONFIG.ADDMZ.LAN
    • Report option will show which authN protocol is used
  • R2FSMBSVA.ADDMZ.LAN:82 (DelegConfig v2 Beta)
    • Application Pool = Kerberos AppPool
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/R2FSMBSVA.ADDMZ.LAN
    • Report option will show which authN protocol is used
  • SHAREPOINT.ADDMZ.LAN (Windows Sharepoint Services configured with NTLM AuthN)
    • Application Pool = SharePoint – 80
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/SHAREPOINT.ADDMZ.LAN
  • KERBAPP.ADDMZ.LAN:8080 (Windows Sharepoint Services configured for Kerberos AuthN)
    • Application Pool = SharePoint – KERBAPP.ADDMZ.LAN8080
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/KERBAPP.ADDMZ.LAN
  • NTLMAPP.ADDMZ.LAN:8081 (Windows Sharepoint Services configured for NTLM AuthN)
    • Application Pool = SharePoint – NTLMAPP.ADDMZ.LAN8081
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/NTLMAPP.ADDMZ.LAN

-

For the tests I’m going to only use the websites:

  • DELEGCONFIG.ADDMZ.LAN:81 (DelegConfig v2 Beta) –> To prove Kerberos AuthN with a Forest Trust in place
  • R2FSMBSVA.ADDMZ.LAN:82 (DelegConfig v2 Beta)–> To prove Kerberos AuthN with an External Trust in place

-

To prove what type of authN is being used, I’m using DelegConfig, which you can download from here. DelegConfig is an ASP.NET application that can be used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegating Kerberos credentials. Very handy!!!

-

To prove Kerberos AuthN IS WORKING against BOTH websites on server “R2FSMBSVA” I will target those first with a user account from the AD domain ADDMZ.LAN from a computer also within the AD domain ADDMZ.LAN

  • The user account will be “ADDMZ\ADM.ADM_ADLCL_R2FSRODC5” and the computer will be “R2FSMBSVA.ADDMZ.LAN”.
  • The user account will be “ADDMZ\ADM.ROOT” and the computer will be “R2FSRWDC1.ADDMZ.LAN”.

-

This continues in PART 2, which is the NEXT post.

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

This entry was posted on 2011-09-07 at 23:38 and is filed under Active Directory Domain Services (ADDS), Blog Post Series. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

9 Responses to “(2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 1)”

  1. Kerberos Authentication Over An External Trust – Is It Possible? (Part 2) « Jorge's Quest For Knowledge! said

    2011-09-07 at 23:41

    [...] Trust – Is It Possible? (Part 2) 2011-09-07 Jorge Leave a comment Go to comments In PART 1 I explained the setup I will [...]

    Reply

  2. Kerberos Authentication Over An External Trust – Is It Possible? (Part 3) « Jorge's Quest For Knowledge! said

    2011-09-07 at 23:43

    [...] Trust – Is It Possible? (Part 3) 2011-09-07 Jorge Leave a comment Go to comments In PART 1 I explained the setup I will [...]

    Reply

  3. Kerberos Authentication Over An External Trust – Is It Possible? (Part 4) « Jorge's Quest For Knowledge! said

    2011-09-07 at 23:44

    [...] Trust – Is It Possible? (Part 4) 2011-09-07 Jorge Leave a comment Go to comments In PART 1 I explained the setup I will [...]

    Reply

  4. (2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 5) « Jorge's Quest For Knowledge! said

    2011-09-07 at 23:52

    [...] Trust – Is It Possible? (Part 5) 2011-09-07 Jorge Leave a comment Go to comments In PART 1 I explained the setup I will [...]

    Reply

  5. Kerberos Authentication Over An External Trust – Is It Possible? (Part 6) « Jorge's Quest For Knowledge! said

    2011-09-14 at 13:18

    [...] Trust – Is It Possible? (Part 6) 2011-09-14 Jorge Leave a comment Go to comments In PART 1 I explained the setup I will [...]

    Reply

  6. Matej said

    2012-01-27 at 11:21

    Thx, for this series, great explanation.

    I have same problem with External trust and the “KDC_ERR_S_PRINCIPAL_UNKNOWN
    ” error. But as i don’t have any 2008R2 DC or 2008R2 servers (only 2008) i don’t have GPO Setting called “Use forest search order”.
    So, it thare any other solution for kerberos and external trust vith 2003 and 2008 DC, because on microsoft blog + tehnical article can’t find requirements for 2008R2?

    lp m

    Reply

    • Jorge said

      2012-01-30 at 16:11

      Hello,

      As I know, the piece you need (Use Forest Search Order) is only available in W2K8R2 and higher. For this to work the trusted forest/domain must be W2K8R2.

      Regards,
      Jorge

      Reply

  7. PowerShell remoting with a one-way trust - Admins Goodies said

    2012-02-29 at 18:33

    [...] http://jorgequestforknowledge.wordpress.com/2011/09/07/kerberos-authentication-over-an-external-trus… Answered by Ryan Ries [...]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

«
»