Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-12-19) Selective Authentication Broken In W2K12R2 – To Be Fixed

Posted by Jorge on 2013-12-19


UPDATE (2014-01-25): The following "General Availability Update Rollup" has a fix for the issue below

- 

While browsing through the DS forum I bumped into the following thread: Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

-

In that same thread a link has been posted, which are the Release Notes For Windows Server 2012 R2.

-

The release notes specifically mention the following:

Trusts

The Selective Authentication feature of selective trusts is not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time.

-

Ouch... I was quite surprised to read this.

-

I have not tested this, but the following scenario applies:

  • Forest "ADCORP.LAB" — W2K8R2 or W2K12
  • Forest "ADDMZ.LAN" — W2K8R2 or W2K12
  • One-way forest/external trust with selective authentication enabled, where Forest "ADDMZ.LAN" trusts Forest "ADCORP.LAB"

Everything is working.

However, while keeping Forest "ADDMZ.LAN" on W2K8R2 or W2K12 and introducing W2K12R2 DCs into the Forest "ADCORP.LAB" everything over the trust would still work.

However, while keeping Forest "ADCORP.LAB" on W2K8R2 or W2K12 and introducing W2K12R2 DCs into the Forest "ADDMZ.LAN" everything over the trust while the "Allowed To Authenticate" on resources in the Forest "ADDMZ.LAN" would break when the access check is performed by a W2K12R2 DC.

-

If you have a forest, which is a candidate for a (near) future upgrade to W2K12R2 AND that same forest has an outgoing trust with selective authentication enabled, my suggestion is to NOT upgrade that forest to W2K12R2. Wait until Microsoft has released a fix to solve that issue before you perform the upgrade.

If you are not using Selective Authentication at all, then there is no issue.
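To find out whether a forest is affected before planning the upgrade, the script below (an added example, not Jorge's own code) enumerates outgoing trusts with Selective Authentication enabled, lists any domain controllers already running Windows Server 2012 R2, and shows which objects grant "Allowed to Authenticate". It assumes the ActiveDirectory RSAT module and must be run against the forest root domain of the trusting forest ("ADDMZ.LAN" in the scenario above), since forest trusts live there. The operating-system string match and the fallback rights GUID are assumptions: the script first looks the GUID up in the schema's Extended-Rights container and only falls back to the hard-coded value if that lookup returns nothing.

```powershell
# Added example, not from the original post: pre-upgrade check for the
# Selective Authentication issue. Run in the trusting (resource) forest's
# root domain with the ActiveDirectory module available.
Import-Module ActiveDirectory

# 1. Outgoing trusts with Selective Authentication enabled.
#    Direction 'Outbound' means this forest trusts the other forest.
$riskyTrusts = Get-ADTrust -Filter * |
    Where-Object {
        $_.SelectiveAuthentication -and
        (@('Outbound', 'BiDirectional') -contains "$($_.Direction)")
    } |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 2. Domain controllers already running Windows Server 2012 R2.
#    (OS string match is an assumption; adjust if your DCs report it differently.)
$w2k12r2Dcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2012 R2*' } |
    Select-Object Name, OperatingSystem, Site

# 3. Resolve the rightsGuid of the "Allowed to Authenticate" extended right
#    from the configuration partition; fall back to the well-known value.
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
if ($right -and $right.rightsGuid) {
    $allowedToAuthGuid = [guid]$right.rightsGuid
} else {
    $allowedToAuthGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # fallback (assumed)
}

# 4. Computers and OUs whose ACL grants "Allowed to Authenticate" to someone.
#    These are the grants that the release notes say stop working on a W2K12R2 DC.
$grants = foreach ($obj in Get-ADObject `
        -LDAPFilter '(|(objectClass=computer)(objectClass=organizationalUnit))' `
        -Properties nTSecurityDescriptor) {
    foreach ($ace in $obj.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.ObjectType -eq $allowedToAuthGuid) {
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Trustee   = $ace.IdentityReference
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 5. Report.
if ($riskyTrusts) {
    "Outgoing trusts with Selective Authentication enabled:"
    $riskyTrusts | Format-Table -AutoSize
    if ($w2k12r2Dcs) {
        "WARNING: W2K12R2 DCs are present; 'Allowed to Authenticate' checks performed by these DCs are affected:"
        $w2k12r2Dcs | Format-Table -AutoSize
    } else {
        "No W2K12R2 DCs found yet; hold the upgrade until the fix has been applied."
    }
    "'Allowed to Authenticate' grants found ($(@($grants).Count)):"
    $grants | Format-Table -AutoSize
} else {
    "No outgoing trust uses Selective Authentication; this issue does not apply here."
}
```

The trust listing is the decisive part: only a forest with an outgoing (or bidirectional) trust that has Selective Authentication turned on needs to hold its W2K12R2 upgrade. The grant listing tells you which resources would lose access if a W2K12R2 DC ends up doing the check.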

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ###############
http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————
