Pass-through authentication for clients on two different non-trusted domains.


Joe Mine

How do I create a pass-through account that can access a share on another
non-trusted domain? E.g. the share I tried to access is in the NARC domain.
And at the moment I am on the HOT domain. If I create a pass-through login
account as: NARCHOT password: PASS in both domains, what it turns out to be
is NARC\NARCHOT and HOT\NARCHOT but not just NARCHOT, which doesn't
conform as a pass-through account. So how exactly do I create a
pass-through account? Please show the steps. Thanks.
 
Joe Mine said:
How do I create a pass-through account that can access a share on another
non-trusted domain? E.g. the share I tried to access is in the NARC domain.
And at the moment I am on the HOT domain. If I create a pass-through login
account as: NARCHOT password: PASS in both domains, what it turns out to be
is NARC\NARCHOT and HOT\NARCHOT but not just NARCHOT, which doesn't
conform as a pass-through account. So how exactly do I create a
pass-through account? Please show the steps. Thanks.

To my knowledge there is no such thing for domains.

(This was a feature of workgroups -- at least in the past --
where an account on one machine, could be used with the
same password as the EQUIVALENT account on another
machine. Technically, they were still different accounts.)

You must either explicitly provide authentication OR there
must be a trust (ok, technically you could open the "Guest"
account to everyone but don't go there.)

A user account is fully qualified by adding the DOMAIN
name (or if a non-domain account, the server name) to the
user name.
 
in message : "Joe Mine" wrote in message :
: > How do I create a pass-through account that can access a share on another
: > non-trusted domain? E.g. the share I tried to access is in the NARC domain.
: > And at the moment I am on the HOT domain. If I create a pass-through login
: > account as: NARCHOT password: PASS in both domains, what it turns out to be
: > is NARC\NARCHOT and HOT\NARCHOT but not just NARCHOT, which doesn't
: > conform as a pass-through account. So how exactly do I create a
: > pass-through account? Please show the steps. Thanks.
:
: To my knowledge there is no such thing for domains.

Herb is right, AFAIK (disclaimer). (O:=

If you don't trust a domain, why would you allow them to pass through with
credentials on your domain?
If you want to have access, then you access by passing the credentials.

net use * \\server\share password /u:domain\username

That user has to have share and NTFS rights to where it wants to go. If you
do not use the EVERYONE account, as you shouldn't, then all is ok. However,
it is ALWAYS recommended to ONLY set NTFS permissions for groups, even if
the group only has one member. All future maintenance, unless
adding/removing access is handled in ADU&C, and not at the file system
level. Want to add a user? Add them to the group. Done! If this is a
member server, and not a DC, then create the account in the Local Domain.
Create a local group and give the local group rights. Pass credentials when
you want to connect make a permanent mapping.

Now, let's talk about your password. ALL passwords for ALL accounts should
be unique. There is no reason to ever duplicate one, unless by chance.
Trusts are another story and they change their passwords eventually anyway.
You already know that domain0\username is not the same as domain1\username.
So, make the passwords unique. If you get compromised on one computer,
there is no reason why you must make it easier for them to peruse the whole
network.

HTH...
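
The steps in the reply above (a local account on the member server, a local group that holds the share and NTFS rights, explicit credentials from the client), sketched in PowerShell as an added example that is not part of the original thread. It assumes a current Windows Server with the LocalAccounts and SmbShare modules, and every name in it (svc-repl, ReplShareUsers, ReplData, D:\ReplData, SERVER01) is a hypothetical placeholder.

```powershell
# Added example. All default names are hypothetical placeholders, not values from the thread.

# Run in an elevated session on the member server that hosts the share.
function Initialize-ShareAccess {
    param(
        [string]$UserName  = 'svc-repl',
        [string]$GroupName = 'ReplShareUsers',
        [string]$ShareName = 'ReplData',
        [string]$Path      = 'D:\ReplData'
    )
    # Prompt for a password unique to this account; it is never stored in the script.
    $password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-LocalUser -Name $UserName -Password $password `
        -Description 'Share access from the other domain' | Out-Null

    # Rights go to a group, even though it has only one member.
    New-LocalGroup -Name $GroupName -Description "Modify access to $Path" | Out-Null
    Add-LocalGroupMember -Group $GroupName -Member $UserName

    # Share permission: the group only. Naming an access list here means
    # Everyone is not added to the share.
    New-SmbShare -Name $ShareName -Path $Path `
        -ChangeAccess "$env:COMPUTERNAME\$GroupName" | Out-Null

    # NTFS permission: Modify for the group, inherited by files (OI) and folders (CI).
    icacls $Path /grant "${GroupName}:(OI)(CI)M"
}

# Run on the client in the other, non-trusted domain.
function Connect-RemoteShare {
    param(
        [string]$Server      = 'SERVER01',
        [string]$ShareName   = 'ReplData',
        [string]$UserName    = 'svc-repl',
        [string]$DriveLetter = 'R'
    )
    # The account is local to the server, so it is qualified as SERVER\user.
    # Get-Credential keeps the password off the command line.
    $cred = Get-Credential -UserName "$Server\$UserName" `
        -Message "Credentials for \\$Server\$ShareName"

    # -Persist makes the mapping permanent; -Scope Global is needed because
    # the drive is created inside a function.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
        -Root "\\$Server\$ShareName" -Credential $cred -Persist -Scope Global
}
```

To add another user later, add the account to the group on the server; the share and NTFS permissions stay untouched.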
 
Because I need to set up SQL replication between two non-trusted domains. And
the SQL experts say it can be done in this way. Setting up passthrough
authentication for two non-trusted domains.
 
Joe Mine said:
Because I need to set up SQL replication between two non-trusted domains. And
the SQL experts say it can be done in this way. Setting up passthrough
authentication for two non-trusted domains.

I don't think that is what they "really said".

If they did, why don't you ask them for specifics -- and PLEASE do post
it if they offer something useful.

I expect what they meant was for you to create replication accounts for
each server in the OTHER domain.

These are not pass thru accounts but rather "local accounts" which can
(supposedly) be mapped to ONE SPECIFIC external account from an
untrusted domain -- although I don't recall if I ever had this feature work,
even though this was the descriptive difference between a "global" (normal)
user account and a "local" (very unusual) user account in NT.

Note: This has VERY little (or nothing) to do with "Global" and "Local"
groups -- and yes, I do mean USERS.

I don't even know if Win2000+ still supports "Local Users" on the domain.
 