Passing authentication off to another domain

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi

Is there a way of setting a domain up to try an authenticate a user locally,
and if it doesn't find a user in it's domain to then go a try an authenticate
that user in a different domain?

What we want to do is to have two seperate doamins, ABC.com and EXT.abc.com.
These domain are seperate domains with a one way trust between them.
EXT.abc.com trusts abc.com. I have corporate users setup in the abc.com
domain with UPN's of @abc.com and I want them to be able to login to the
EXT.abc.com domain using there (e-mail address removed) user and password. Currently
this does not work for the UPN's, but if I use the "Log on to" pull down box
and select the old NT domain name (Corp_abc) from the list it works. It seems
to me that either the EXT.abc.com domain see's the @abc.com and is try to log
that person in locally, or that EXT.abc.com can't find the DC for the abc.com
domain. When I run a nslookup from the dc on the ext.abc.com domain for
abc.com, it returns it's own IP.

I know this may sound wierd to do, but is there anyway of making it happen?

Marty
 
Marty said:
Hi

Is there a way of setting a domain up to try an authenticate a user locally,
and if it doesn't find a user in it's domain to then go a try an authenticate
that user in a different domain?
Click to expand...

Not exactly -- after all, the user is specifying their
account by Domain\Username or some other format
that is explicit for both domain and user name (only
thus is the user truly defined) so it really only checks
THAT domain anyway.

You can use a UPN which made hide the explicit
domain in a multi-domain forest: (e-mail address removed)
may resolve to (e-mail address removed) or some
such.

What we want to do is to have two seperate doamins, ABC.com and EXT.abc.com.
These domain are seperate domains with a one way trust between them.
EXT.abc.com trusts abc.com. I have corporate users setup in the abc.com
domain with UPN's of @abc.com and I want them to be able to login to the
EXT.abc.com domain using there (e-mail address removed) user and password.
Click to expand...


The UPN method only works completely I believe within on Forest
but I haven't tested that.

But you can try it (with the external) trust easily enough by
setting up a test user.

You are really swimming uphill though by not having a single
Forest and a single account for each user.

Currently
 
Marty,

Further to my post...

A user account object can only be authenticated against a Domain Controller
from the Domain in which it resides. If there is a user account object in
abc.com then only a Domain Controller from abc.com can authenticate it. It
can not be authenticated against a Domain Controller from ext.abc.com.....

The UPN suggestion simply makes the domain 'irrelevant' - from a user
standpoint. So, all user account objects would have (e-mail address removed) or
(e-mail address removed) - you set this up in the Active Directory Domains and Trusts
MMC...this would apply to all user account objects in the forest....

But, a DC in abc.com would have to be available to authenticate a user
account object from abc.com.....if that is not the case ( no DC is
available ) then that user account object would not be authenticate....even
if there were seven DCs available from ext.abc.com...

Unless, of course, there is something that I am missing....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Cary Shultz said:
Marty,

Since ext.abc.com is a child domain of abc.com there will be - by default -
trusts already set up. Just make sure that DNS is set up correctly. It
sounds like Herb and Chriss have given you ideas. I am thinking that the
UPN suggestion might be a good one.
Click to expand...

Cary, I read him to say that despite the apparent
connection he has set these up as separate forests
with a 1-way trust.

This strongly indicated he has two Forests which is
part of the likely mis-design he is fighting.
 
Herb,

You might be correct. I read it a bit differently but it could very well be
that I am 'hearing' what I want to hear. You have two domains both ending
in abc.com and you *naturally* have a parent / child domain set up in the
same domain tree ( read: single forest ).

But you are probably reading it correctly.

Maybe Marty can clarify?

Marty, are you talking about two separate Forest....where abc.com is a
single domain-tree Forest and ext. abc.com is a second separate single
domain-tree Forest? or are you talking about one Forest with one Domain
Tree....where ext.abc.com is a child domain of abc.com?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Cary Shultz said:
Herb,

You might be correct. I read it a bit differently but it could very well be
that I am 'hearing' what I want to hear. You have two domains both ending
in abc.com and you *naturally* have a parent / child domain set up in the
same domain tree ( read: single forest ).
Click to expand...

We'll see.
But you are probably reading it correctly.
Click to expand...

FYI: Some of my training is on the structure of language
and how it channels what we think depending on the words
AND the structure of those words.
Maybe Marty can clarify?
Click to expand...

Yes, we pretty much have to see what he says.
Marty, are you talking about two separate Forest....where abc.com is a
single domain-tree Forest and ext. abc.com is a second separate single
domain-tree Forest? or are you talking about one Forest with one Domain
Tree....where ext.abc.com is a child domain of abc.com?
Click to expand...
 
Cary;

These are two seperate forests, they just share the abc.com part of a domain
name.

In reality, what i have is.

Domain one: abc.com (Parent) (nt doamin name = corp_abc)
ca.abc.com (child)

Domain two: ext.abc.com
Marty
 
Back
Top