Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 1)

Posted by Jorge on 2011-09-07


About a year or so ago I read this blog post, which links to this Microsoft technical article. My first reaction was “WTF!”, because everybody has always thought, and you can read it anywhere, that:

  • External Trust –> NTLM AuthN only
  • Forest Trust –> Kerberos AuthN and NTLM AuthN

I could not believe this and I had to try it out myself, of course. Today was that day! So here goes!

Before continuing, let’s briefly discuss the infrastructure I used to test this.

  • AD forest “ADCORP.LAB”
    • AD domain “ADCORP.LAB”
      • RWDC “R1FSRWDC1.ADCORP.LAB”
  • AD forest “ADDMZ.LAN”
    • AD domain “ADDMZ.LAN”
      • RWDC “R2FSRWDC1.ADDMZ.LAN”
      • RWDC “R2FSRWDC2.ADDMZ.LAN”
      • RODC “R2FSRODC5.ADDMZ.LAN”
      • SERVER “R2FSMBSVA.ADDMZ.LAN”
  • TEST1 –> One-way Forest Trust (as shown below)
    • Trusting AD forest = “ADDMZ.LAN”
    • Trusted AD forest = “ADCORP.LAB”
    • Forest Wide Authentication enabled

image

  • TEST2 –> One-way External Trust (as shown below)
    • Trusting AD domain = “ADDMZ.LAN”
    • Trusted AD domain = “ADCORP.LAB”
    • Domain Wide Authentication enabled

image

In all cases/tests, the application server “R2FSMBSVA” hosted 5 websites, as shown below:

image

The web sites are configured as follows:

  • DELEGCONFIG.ADDMZ.LAN:81 (DelegConfig v2 Beta)
    • Application Pool = Kerberos AppPool
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/DELEGCONFIG.ADDMZ.LAN
    • Report option will show which authN protocol is used
  • R2FSMBSVA.ADDMZ.LAN:82 (DelegConfig v2 Beta)
    • Application Pool = Kerberos AppPool
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/R2FSMBSVA.ADDMZ.LAN
    • Report option will show which authN protocol is used
  • SHAREPOINT.ADDMZ.LAN (Windows Sharepoint Services configured with NTLM AuthN)
    • Application Pool = SharePoint – 80
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/SHAREPOINT.ADDMZ.LAN
  • KERBAPP.ADDMZ.LAN:8080 (Windows Sharepoint Services configured for Kerberos AuthN)
    • Application Pool = SharePoint – KERBAPP.ADDMZ.LAN8080
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/KERBAPP.ADDMZ.LAN
  • NTLMAPP.ADDMZ.LAN:8081 (Windows Sharepoint Services configured for NTLM AuthN)
    • Application Pool = SharePoint – NTLMAPP.ADDMZ.LAN8081
    • Application Pool Account = ADDMZ\SVC_R2_KERBAPP
    • servicePrincipalName on application pool account = HTTP/NTLMAPP.ADDMZ.LAN

For the tests I’m going to only use the websites:

  • DELEGCONFIG.ADDMZ.LAN:81 (DelegConfig v2 Beta) –> To prove Kerberos AuthN with a Forest Trust in place
  • R2FSMBSVA.ADDMZ.LAN:82 (DelegConfig v2 Beta) –> To prove Kerberos AuthN with an External Trust in place

To prove what type of authN is being used, I’m using DelegConfig, which you can download from here. DelegConfig is an ASP.NET application that helps you troubleshoot and configure IIS and Active Directory for Kerberos authentication and for delegation of Kerberos credentials. Very handy!!!

To prove Kerberos AuthN IS WORKING against BOTH websites on server “R2FSMBSVA”, I will first target them with a user account from the AD domain ADDMZ.LAN, from a computer that is also a member of the AD domain ADDMZ.LAN:

  • The user account will be “ADDMZ\ADM.ADM_ADLCL_R2FSRODC5” and the computer will be “R2FSMBSVA.ADDMZ.LAN”.
  • The user account will be “ADDMZ\ADM.ROOT” and the computer will be “R2FSRWDC1.ADDMZ.LAN”.
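Before running the tests it is worth checking that the environment really matches the lists above, because a missing or duplicated SPN makes a client fall back to NTLM silently and would spoil the comparison. The following PowerShell snippet is an added example, not part of Jorge's post; it assumes it is run from a domain-joined machine in ADDMZ.LAN by an account that can read the directory, and takes the account, SPN, domain and trust names from the lists above.

```powershell
# Added example (not from the original post): verify the SPN and trust configuration
# of the test setup from a machine in ADDMZ.LAN, using only ADSI and built-in tools.
# Account, SPN and domain names come from the post; everything else is illustrative.

$poolAccount = 'SVC_R2_KERBAPP'
$spns = 'HTTP/DELEGCONFIG.ADDMZ.LAN', 'HTTP/R2FSMBSVA.ADDMZ.LAN', 'HTTP/SHAREPOINT.ADDMZ.LAN',
        'HTTP/KERBAPP.ADDMZ.LAN', 'HTTP/NTLMAPP.ADDMZ.LAN'
$root = [ADSI]"LDAP://DC=ADDMZ,DC=LAN"

# 1. Every HTTP SPN must be registered on the application pool account and on
#    nothing else. A missing SPN gives KDC_ERR_S_PRINCIPAL_UNKNOWN at the KDC and
#    the browser quietly negotiates NTLM instead; a duplicate SPN breaks Kerberos too.
$acct = (New-Object System.DirectoryServices.DirectorySearcher(
            $root, "(&(objectClass=user)(sAMAccountName=$poolAccount))")).FindOne()
$registered = @($acct.Properties['servicePrincipalName'])
foreach ($spn in $spns) {
    $onAccount = $registered -contains $spn
    $holders = (New-Object System.DirectoryServices.DirectorySearcher(
                   $root, "(servicePrincipalName=$spn)")).FindAll().Count
    '{0,-30} onPoolAccount={1,-5} objectsHoldingIt={2}' -f $spn, $onAccount, $holders
}

# 2. Decode the trustedDomain object for ADCORP.LAB. Whether TEST1 (forest trust)
#    or TEST2 (external trust) is currently in place shows up in trustAttributes.
$trust = (New-Object System.DirectoryServices.DirectorySearcher(
             $root, "(&(objectClass=trustedDomain)(trustPartner=ADCORP.LAB))")).FindOne()
$attr = [int]$trust.Properties['trustAttributes'][0]
$dir  = [int]$trust.Properties['trustDirection'][0]
$flags = @{ 0x1  = 'NON_TRANSITIVE'
            0x4  = 'QUARANTINED_DOMAIN (SID filtering)'
            0x8  = 'FOREST_TRANSITIVE'
            0x10 = 'CROSS_ORGANIZATION (selective authentication)'
            0x40 = 'TREAT_AS_EXTERNAL' }
$set = $flags.Keys | Where-Object { $attr -band $_ } | ForEach-Object { $flags[$_] }
$dirName = @('none', 'inbound', 'outbound', 'bidirectional')[$dir]
'Trust to ADCORP.LAB: direction={0} trustAttributes=0x{1:X} [{2}]' -f $dirName, $attr, ($set -join ', ')
if ($attr -band 0x8) { 'Trust kind: FOREST trust (TEST1)' } else { 'Trust kind: EXTERNAL trust (TEST2)' }

# 3. After browsing to one of the sites, the client ticket cache is the simplest
#    cross-check of what DelegConfig reports: a service ticket for the HTTP SPN
#    means Kerberos was really used, no ticket means the session went NTLM.
klist tickets | Select-String -Pattern 'Server:\s+HTTP/'
```

Run step 3 on the client that browsed to the site, not on the web server; the ticket cache is per logon session, so run it in the same session as the browser.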

This continues in PART 2, which is the NEXT post.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

11 Responses to “(2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 1)”


  6. Matej said

    Thx, for this series, great explanation.

    I have the same problem with an External trust and the “KDC_ERR_S_PRINCIPAL_UNKNOWN” error. But as I don’t have any 2008R2 DCs or 2008R2 servers (only 2008), I don’t have the GPO setting called “Use forest search order”.
    So, is there any other solution for Kerberos and an external trust with 2003 and 2008 DCs, because in the Microsoft blog + technical article I can’t find the requirements for 2008R2?

    lp m

    • Jorge said

      Hello,

      As I know, the piece you need (Use Forest Search Order) is only available in W2K8R2 and higher. For this to work the trusted forest/domain must be W2K8R2.

      Regards,
      Jorge


  8. Solly said

    Maybe it works in this case, I mean when you have 2 forests with only root domains.
    But what about when you have 2 forests with multiple domains, and you set an external trust between the child domains?
