Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 5)

Posted by Jorge on 2011-09-07


In PART 1 I explained the setup I will use.

In PART 2 I showed the usage of Kerberos authN accessing the websites on the local web server.

In PART 3 I showed the usage of Kerberos authN accessing the websites from another computer in the same AD forest/domain.

In PART 4 I showed the usage of Kerberos authN when logged on to a computer in another AD forest/domain, while a FOREST TRUST is in place.

In this last post I will show the usage of Kerberos authN when logged on to a computer in another AD forest/domain, while an EXTERNAL TRUST is in place.

Now, let’s try with an EXTERNAL TRUST. The detailed configuration of the External Trust is shown below.

[Image: detailed configuration of the External Trust between ADCORP.LAB and ADDMZ.LAN]

According to the articles mentioned at the beginning of this post, the requirements to be able to leverage Kerberos over an External Trust are:

  • The trust has to be created using the fully qualified domain name (FQDN). Kerberos referral fails if the FQDN is missing from the TDO –> I confirm the trust was set up using the DNS name of the AD domains (created individually on both sides using DNS names!)
  • User name syntax is UPN and the UPN suffix is resolvable to a DC in DNS (implicit UPN) –> Not sure how to understand this
  • UDP 389, UDP/TCP 88, and UDP/TCP 464 (password change requests) ports are open for the domain controllers in the user domain –> In my environment I do have a firewall, but I confirm I created a top-level rule to allow all traffic in all directions
  • The server name in the trusting resource domain has to be the FQDN, and the domain suffix of the server name has to match the AD DS domain’s DNS FQDN –> I confirm the website has the same FQDN as the server “R2FSMBSVA.ADDMZ.LAN”
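The four requirements above can be checked from a script instead of by eye. The PowerShell below is an added example and is not from the original post; it assumes ADDMZ.LAN is the trusting (resource) domain, ADCORP.LAB the user domain and R2FSMBSVA.ADDMZ.LAN the web server, and it relies on the ActiveDirectory module plus Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later). It reads the trusted-domain object, resolves the user domain’s KDCs, probes the TCP Kerberos ports and checks the server FQDN suffix and its SPN registration.

```powershell
# Added example, not part of the original post. Checks the four prerequisites for
# Kerberos over an external trust from a domain-joined box in the resource domain.
# Assumed names: ADDMZ.LAN = resource domain, ADCORP.LAB = user domain,
# R2FSMBSVA.ADDMZ.LAN = web server hosting the Kerberos-protected site.
param(
    [string]$ResourceDomain = 'ADDMZ.LAN',
    [string]$UserDomain     = 'ADCORP.LAB',
    [string]$WebServerFqdn  = 'R2FSMBSVA.ADDMZ.LAN'
)
Import-Module ActiveDirectory

# 1. The trusted-domain object (TDO) must carry the partner's DNS name in trustPartner.
#    A trust created by NetBIOS name only carries a flatName and no resolvable trustPartner.
$tdo = Get-ADObject -Server $ResourceDomain `
        -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$UserDomain))" `
        -Properties trustPartner, flatName, trustType, trustAttributes, trustDirection
if ($tdo) {
    # trustAttributes bit 0x8 (TRUST_ATTRIBUTE_FOREST_TRANSITIVE) is set only on forest trusts,
    # so a clear bit confirms this is an external (non-transitive) trust.
    $isForest = ($tdo.trustAttributes -band 0x8) -ne 0
    "TDO: trustPartner=$($tdo.trustPartner) flatName=$($tdo.flatName) direction=$($tdo.trustDirection) " +
    "attributes=0x$('{0:X}' -f $tdo.trustAttributes) forestTrust=$isForest"
} else {
    Write-Warning "No TDO with trustPartner=$UserDomain in $ResourceDomain; was the trust created by DNS name?"
}

# 2. The UPN suffix (the user domain's DNS name) must resolve to a KDC through the
#    _kerberos._tcp SRV record; that is what implicit-UPN resolution relies on.
$kdcs = @(Resolve-DnsName -Name "_kerberos._tcp.$UserDomain" -Type SRV -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' })
if ($kdcs.Count -eq 0) {
    Write-Warning "No _kerberos._tcp SRV record for $UserDomain; the UPN suffix is not resolvable"
}
$kdcs | ForEach-Object { "KDC for $UserDomain : $($_.NameTarget) port $($_.Port)" }

# 3. TCP 88 (Kerberos) and TCP 464 (kpasswd) must be reachable on the user-domain DCs.
#    The UDP ports are not probed: a closed UDP port gives no answer a script can trust.
foreach ($dc in ($kdcs | Select-Object -ExpandProperty NameTarget -Unique)) {
    foreach ($port in 88, 464) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($dc, $port); "$dc tcp/$port reachable" }
        catch   { Write-Warning "$dc tcp/$port not reachable: $($_.Exception.Message)" }
        finally { $tcp.Dispose() }
    }
}

# 4. The server name must be an FQDN whose DNS suffix equals the resource domain's DNS name,
#    and an SPN covering HTTP/<fqdn> must exist there. HTTP/ is covered by HOST/ through the
#    default sPNMappings, so a site running under the machine account needs no explicit HTTP SPN.
$suffix = $WebServerFqdn.Substring($WebServerFqdn.IndexOf('.') + 1)
if ($suffix -ieq $ResourceDomain) { "Server suffix '$suffix' matches $ResourceDomain" }
else { Write-Warning "Server suffix '$suffix' does not match $ResourceDomain; the Kerberos referral will fail" }
$httpSpn = @(Get-ADObject -Server $ResourceDomain -LDAPFilter "(servicePrincipalName=HTTP/$WebServerFqdn)")
$hostSpn = @(Get-ADObject -Server $ResourceDomain -LDAPFilter "(servicePrincipalName=HOST/$WebServerFqdn)")
switch ($httpSpn.Count) {
    0       { if ($hostSpn.Count -eq 1) { "HTTP/$WebServerFqdn covered by HOST SPN on $($hostSpn[0].Name)" }
              else { Write-Warning "No HTTP/ or HOST/ SPN for $WebServerFqdn; clients will fall back to NTLM" } }
    1       { "HTTP/$WebServerFqdn registered on $($httpSpn[0].Name)" }
    default { Write-Warning "Duplicate SPN HTTP/$WebServerFqdn on: $($httpSpn.Name -join ', ')" }
}
```

Run it as a user who can read the System container of the resource domain; the only output that matters is the warnings, since each one maps to one of the four requirements.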

So, let’s do this and see what happens. Not nuts, no glory!

In the following picture, I’m logged on to an RWDC (“R1FSRWDC1.ADCORP.LAB”) in the AD CORP domain with the default AD CORP admin account (renamed from “ADCORP\administrator” to “ADCORP\ADM.ROOT”), which is a domain admin within the AD CORP forest/domain, and accessing the website “DELEGCONFIG.ADDMZ.LAN”. As you can see, Kerberos authN is being used. In addition the picture contains the proof that an External Trust is in place, which appears to support Kerberos as stated in the Microsoft blog and technical article!

[Image: Kerberos authN to DELEGCONFIG.ADDMZ.LAN from R1FSRWDC1.ADCORP.LAB over the External Trust]

In the following picture, I’m logged on to an RWDC (“R1FSRWDC1.ADCORP.LAB”) in the AD CORP domain with the default AD CORP admin account (renamed from “ADCORP\administrator” to “ADCORP\ADM.ROOT”), which is a domain admin within the AD CORP forest/domain, and accessing the website “R2FSMBSVA.ADDMZ.LAN”. As you can see, Kerberos authN is being used. In addition the picture contains the proof that an External Trust is in place, which appears to support Kerberos as stated in the Microsoft blog and technical article!

[Image: Kerberos authN to R2FSMBSVA.ADDMZ.LAN from R1FSRWDC1.ADCORP.LAB over the External Trust]
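The pictures prove the point by showing the ticket cache; the same evidence can be collected on both ends with a script. The PowerShell below is an added example, not from the original post. It assumes R2FSMBSVA.ADDMZ.LAN is the web server (realm ADDMZ.LAN), ADCORP.LAB is the user realm with NetBIOS name ADCORP, that it runs in the logon session that just browsed to the site, and that the account has rights to read the Security log of the web server remotely. On the client it looks for the HTTP service ticket issued by the resource realm and for the inter-realm referral ticket; on the server it lists network logons with the authentication package that produced them, which is also how a defender spots silent NTLM fallback.

```powershell
# Added example, not part of the original post. Verifies from both sides that the
# request to the DMZ web site used Kerberos and crossed the trust via a referral.
# Assumed names: R2FSMBSVA.ADDMZ.LAN = web server (realm ADDMZ.LAN), ADCORP.LAB = user
# realm whose NetBIOS name is its first DNS label (ADCORP).
param(
    [string]$WebServerFqdn = 'R2FSMBSVA.ADDMZ.LAN',
    [string]$UserRealm     = 'ADCORP.LAB'
)
$resourceRealm = $WebServerFqdn.Substring($WebServerFqdn.IndexOf('.') + 1)

# Client side: klist prints one "Server: <spn> @ <issuing realm>" line per cached ticket.
$tickets = klist tickets
$svcPattern = "Server:\s+HTTP/$([regex]::Escape($WebServerFqdn))\s*@\s*$([regex]::Escape($resourceRealm))"
$svc = $tickets | Select-String -Pattern $svcPattern
if ($svc) {
    "Service ticket for the site issued by $resourceRealm : $($svc.Line.Trim())"
} else {
    Write-Warning "No HTTP/$WebServerFqdn ticket from $resourceRealm; the site did not use Kerberos from this session"
}

# The cross-realm path leaves a referral TGT behind: krbtgt/<resource realm> issued by the user realm.
# The user's own TGT is krbtgt/<user realm> @ <user realm>, so the pattern pins both realms.
$refPattern = "Server:\s+krbtgt/$([regex]::Escape($resourceRealm))\s*@\s*$([regex]::Escape($UserRealm))"
$ref = $tickets | Select-String -Pattern $refPattern
if ($ref) { "Inter-realm referral ticket present: $($ref.Line.Trim())" }
else { Write-Warning "No krbtgt/$resourceRealm @ $UserRealm referral ticket in the cache" }

# Server side: Security event 4624 records which package authenticated each logon.
# Kerberos shows AuthenticationPackageName=Kerberos; an NTLM fallback shows NTLM.
# LogonType 3 = network logon, which is what an IIS request produces.
$filter = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='LogonType']='3']]</Select>
</Query></QueryList>
"@
$netbios = $UserRealm.Split('.')[0]   # assumption: NetBIOS name equals the first DNS label
Get-WinEvent -ComputerName $WebServerFqdn -FilterXml $filter -MaxEvents 200 | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Package = $data.AuthenticationPackageName
        Source  = $data.IpAddress
    }
} | Where-Object { $_.Account -like "$netbios\*" } | Format-Table -AutoSize
```

A row with Package = Kerberos for ADCORP\ADM.ROOT is the server-side counterpart of what the pictures show; a row with Package = NTLM for the same account means one of the four requirements listed earlier was not met for that request.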

You can slap me crazy, but as you can see I have got Kerberos authN working over an external trust!!! YES! Therefore: IT WORKS!!!!!!!!!!!

Try it yourself and enjoy!

To understand HOW it works, check out PART 6.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ###############
http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

2 Responses to “(2011-09-07) Kerberos Authentication Over An External Trust – Is It Possible? (Part 5)”

  1. […] continues in PART 5, which is the NEXT and LAST […]

  2. […] PART 5 I showed the usage of Kerberos authN when logged on to a computer in another AD forest/domain, […]
