Authentication across untrusted domains

Posted by Swapnil D on March 29, 2006, 1:16 am
Hello all,
Here's my scenario. I have two untrusted domains (in 2 different untrusted
forests), domain1 and domain2.
Machine1 is a machine in domain1.
Machine2 is a machine in domain2 which runs SQL Server 2000.

I am trying to connect to the SQL server on machine2 (in domain2)
from machine1 using the credentials 'domain2\administrator'.

I use 'LogonUser' with the LOGON32_LOGON_NEW_CREDENTIALS flag and do an
ImpersonateLoggedOnUser later.

According to the MSDN documentation for using the LOGON32_LOGON_NEW_CREDENTIALS
flag:

"This logon type allows the caller to clone its current token and specify
new credentials for outbound connections. The new logon session has the same
local identifier but uses different credentials for other network
connections. This logon type is supported only by the
LOGON32_PROVIDER_WINNT50 logon provider. Windows NT: This value is not
supported."

Both LogonUser and ImpersonateLoggedOnUser succeed. This is expected.

Later when I do an 'Open' call on an ADODB::Connection object (to connect to
the SQL Server on machine2.domain2) I can connect to it successfully.

I am curious to know how this works.
Does it work using Kerberos or NTLM?

I expected it to be NTLM.

I used Ethereal to trap the communication. I noticed that machine1 tries to
authenticate with the domain controller of domain2.

I would like to know how a machine (here machine1 in domain1) can
authenticate with a domain controller in an untrusted forest.

It's kind of a longish question. Thanks for the patience.

Regards
Swapnil D.
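As an added example (not the poster's code), the following PowerShell script runs the LogonUser / ImpersonateLoggedOnUser sequence described in the post through P/Invoke and checks the MSDN statement quoted above: the local identity reported during impersonation stays the same, while the SQL Server on machine2.domain2 sees the domain2 login. It assumes the host name from the thread, an account typed at the prompt in domain\user form, and System.Data.SqlClient in place of the poster's ADODB::Connection.

```powershell
# Added example, not code from the original post. Assumes the names from the
# thread (caller in domain1, SQL Server on machine2.domain2).
$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $sig -Name NetCreds -Namespace Win32 -PassThru

$LOGON32_LOGON_NEW_CREDENTIALS = 9   # values from winbase.h
$LOGON32_PROVIDER_WINNT50      = 3

# Prompt for the domain2 account (domain\user form assumed) instead of hard-coding it.
$cred = Get-Credential -Message 'Account in the untrusted forest, e.g. domain2\user'
$domain, $user = $cred.UserName -split '\\', 2

$token = [IntPtr]::Zero
$ok = $Native::LogonUser($user, $domain, $cred.GetNetworkCredential().Password,
    $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)
if (-not $ok) { throw (New-Object ComponentModel.Win32Exception) }

$before = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if (-not $Native::ImpersonateLoggedOnUser($token)) {
    throw (New-Object ComponentModel.Win32Exception)
}
try {
    # NEW_CREDENTIALS clones the caller's token, so the local identity is unchanged...
    $during = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    "Local identity before: $before; during impersonation: $during"

    # ...but outbound integrated authentication now presents the domain2 credentials.
    $conn = New-Object System.Data.SqlClient.SqlConnection 'Server=machine2.domain2;Integrated Security=SSPI'
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME()'   # login as seen by SQL Server 2000
    "SQL Server authenticated the connection as: $($cmd.ExecuteScalar())"
    $conn.Close()
} finally {
    # Always drop the impersonation and release the token, even if Open() fails.
    [void]$Native::RevertToSelf()
    [void]$Native::CloseHandle($token)
}
```

Run it on a domain1 machine that can resolve machine2.domain2; the finally block reverts the thread and closes the token whether or not the connection succeeds.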



Posted by S. Pidgorny on March 29, 2006, 5:25 am
The short answer is - because it can. An analogy is that any client, using
IE or Mozilla Firefox, can browse to the resources that use integrated
authentication. Computer membership in the forest is only required to
integrate access to resources on that computer - that does include
interactive logon.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Swapnil D" <none> wrote in message
> Hello all,
> Here's my scenario. I have two untrusted domains (in 2 different untrusted
> forests), domain1 and domain2.
> Machine1 is a machine in domain1.
> Machine2 is a machine in domain2 which runs SQL Server 2000.
>
> I am trying to connect to the SQL server on machine2 (in domain2)
> from machine1 using the credentials 'domain2\administrator'.
>
> I use 'LogonUser' with the LOGON32_LOGON_NEW_CREDENTIALS flag and do an
> ImpersonateLoggedOnUser later.
>
> According to the MSDN documentation for using the LOGON32_LOGON_NEW_CREDENTIALS
> flag:
>
> "This logon type allows the caller to clone its current token and specify
> new credentials for outbound connections. The new logon session has the
> same local identifier but uses different credentials for other network
> connections. This logon type is supported only by the
> LOGON32_PROVIDER_WINNT50 logon provider. Windows NT: This value is not
> supported."
>
> Both LogonUser and ImpersonateLoggedOnUser succeed. This is expected.
>
> Later when I do an 'Open' call on an ADODB::Connection object (to connect
> to the SQL Server on machine2.domain2) I can connect to it successfully.
>
> I am curious to know how this works.
> Does it work using Kerberos or NTLM?
>
> I expected it to be NTLM.
>
> I used Ethereal to trap the communication. I noticed that machine1 tries
> to authenticate with the domain controller of domain2.
>
> I would like to know how a machine (here machine1 in domain1) can
> authenticate with a domain controller in an untrusted forest.
>
> It's kind of a longish question. Thanks for the patience.
>
> Regards
> Swapnil D.
>
>


