Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!


(2013-12-19) Selective Authentication Broken In W2K12R2 – To Be Fixed

Posted by Jorge on 2013-12-19


UPDATE (2014-01-25): The following "General Availability Update Rollup" has a fix for the issue below


While browsing through the DS forum I bumped into the following thread: Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

In that same thread a link was posted to the Release Notes for Windows Server 2012 R2.

The release notes specifically mention the following:

Trusts

The Selective Authentication feature of selective trusts is not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time.

Ouch… I was quite surprised to read this.

I have not tested this, but the following scenario applies:

  • Forest "ADCORP.LAB" — W2K8R2 or W2K12
  • Forest "ADDMZ.LAN" — W2K8R2 or W2K12
  • One-way forest/external trust with selective authentication enabled, where Forest "ADDMZ.LAN" trusts Forest "ADCORP.LAB"

Everything is working.

However, while keeping Forest "ADDMZ.LAN" on W2K8R2 or W2K12 and introducing W2K12R2 DCs into the Forest "ADCORP.LAB" everything over the trust would still work.

However, while keeping Forest "ADCORP.LAB" on W2K8R2 or W2K12 and introducing W2K12R2 DCs into the Forest "ADDMZ.LAN" everything over the trust while the "Allowed To Authenticate" on resources in the Forest "ADDMZ.LAN" would break when the access check is performed by a W2K12R2 DC.

If you have a forest, which is a candidate for a (near) future upgrade to W2K12R2 AND that same forest has an outgoing trust with selective authentication enabled, my suggestion is to NOT upgrade that forest to W2K12R2. Wait until Microsoft has released a fix to solve that issue before you perform the upgrade.

If you are not using Selective Authentication at all, then there is no issue.
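To find out whether a forest matches the risk profile described above (an outgoing trust with Selective Authentication enabled, combined with W2K12R2 DCs that perform the "Allowed To Authenticate" check), the following added example report can be run from a domain-joined machine; it is not part of the original post and assumes the ActiveDirectory PowerShell module and read access to the forest.

```powershell
# Added example (not from the original post): list domains in the current forest that
# have an outgoing trust with Selective Authentication enabled, and report which of
# their DCs already run Windows Server 2012 R2 (the DCs whose access checks would break).
# Assumes the ActiveDirectory module (RSAT) and read access to trusts and DC objects.
Import-Module ActiveDirectory

$forest = Get-ADForest
foreach ($domain in $forest.Domains) {
    # Outgoing trusts = "this domain trusts the other domain"; these carry the
    # Selective Authentication setting that protects resources in this domain.
    $selectiveTrusts = Get-ADTrust -Filter * -Server $domain |
        Where-Object {
            $_.SelectiveAuthentication -and
            ($_.Direction -eq 'Outbound' -or $_.Direction -eq 'BiDirectional')
        }

    if (-not $selectiveTrusts) {
        Write-Output "$domain : no outgoing trust with Selective Authentication, not affected."
        continue
    }

    foreach ($trust in $selectiveTrusts) {
        Write-Output ("{0} : Selective Authentication trust to {1} ({2})" -f
            $domain, $trust.Target, $trust.Direction)
    }

    # DCs in this domain perform the "Allowed To Authenticate" access check.
    $dcs   = @(Get-ADDomainController -Filter * -Server $domain)
    $r2Dcs = @($dcs | Where-Object { $_.OperatingSystem -like '*2012 R2*' })

    if ($r2Dcs.Count -gt 0) {
        Write-Output ("{0} : {1} of {2} DCs run Windows Server 2012 R2; access checks handled by these DCs are affected:" -f
            $domain, $r2Dcs.Count, $dcs.Count)
        $r2Dcs | ForEach-Object { Write-Output ("    {0} ({1})" -f $_.HostName, $_.OperatingSystem) }
    } else {
        Write-Output "$domain : no Windows Server 2012 R2 DCs yet; hold the upgrade until the fix is applied."
    }
}
```

Run it in each forest that is a candidate for the upgrade; only domains that print both a Selective Authentication trust and W2K12R2 DCs are exposed to the issue.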

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————


Posted in Active Directory Domain Services (ADDS), Selective AuthN, Trusts
