Passing authentication off to another domain

February 10, 2005 3:07:06 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi

Is there a way of setting a domain up to try and authenticate a user locally,
and if it doesn't find a user in its domain to then go and try to authenticate
that user in a different domain?

What we want to do is to have two separate domains, ABC.com and EXT.abc.com.
These domains are separate domains with a one way trust between them.
EXT.abc.com trusts abc.com. I have corporate users set up in the abc.com
domain with UPNs of @abc.com and I want them to be able to log in to the
EXT.abc.com domain using their John.Doe@abc.com user and password. Currently
this does not work for the UPNs, but if I use the "Log on to" pull down box
and select the old NT domain name (Corp_abc) from the list it works. It seems
to me that either the EXT.abc.com domain sees the @abc.com and is trying to log
that person in locally, or that EXT.abc.com can't find the DC for the abc.com
domain. When I run a nslookup from the dc on the ext.abc.com domain for
abc.com, it returns its own IP.

I know this may sound weird to do, but is there any way of making it happen?

Marty
Anonymous
February 10, 2005 7:37:01 PM

"Marty" <Marty@discussions.microsoft.com> wrote in message
news:3CAE5796-0CF1-420E-BA1A-3ED03B41D8C6@microsoft.com...
> Hi
>
> Is there a way of setting a domain up to try and authenticate a user
> locally, and if it doesn't find a user in its domain to then go and try to
> authenticate that user in a different domain?

Not exactly -- after all, the user is specifying their
account by Domain\Username or some other format
that is explicit for both domain and user name (only
thus is the user truly defined) so it really only checks
THAT domain anyway.

You can use a UPN which may hide the explicit
domain in a multi-domain forest: user@forestname.com
may resolve to user@child.forestname.com or some
such.


> What we want to do is to have two separate domains, ABC.com and
> EXT.abc.com. These domains are separate domains with a one way trust
> between them. EXT.abc.com trusts abc.com. I have corporate users set up in
> the abc.com domain with UPNs of @abc.com and I want them to be able to log
> in to the EXT.abc.com domain using their John.Doe@abc.com user and password.


The UPN method only works completely, I believe, within one Forest,
but I haven't tested that.

But you can try it (with the external trust) easily enough by
setting up a test user.

You are really swimming uphill though by not having a single
Forest and a single account for each user.

> Currently this does not work for the UPNs, but if I use the "Log on to"
> pull down box and select the old NT domain name (Corp_abc) from the list
> it works. It seems to me that either the EXT.abc.com domain sees the
> @abc.com and is trying to log that person in locally, or that EXT.abc.com
> can't find the DC for the abc.com domain. When I run a nslookup from the
> dc on the ext.abc.com domain for abc.com, it returns its own IP.
>
> I know this may sound weird to do, but is there any way of making it
> happen?
>
> Marty
>
>
Anonymous
February 10, 2005 10:29:40 PM

Marty,

Since ext.abc.com is a child domain of abc.com there will be - by default -
trusts already set up. Just make sure that DNS is set up correctly. It
sounds like Herb and Chriss have given you ideas. I am thinking that the
UPN suggestion might be a good one.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Marty" <Marty@discussions.microsoft.com> wrote in message
news:3CAE5796-0CF1-420E-BA1A-3ED03B41D8C6@microsoft.com...
> Hi
>
> Is there a way of setting a domain up to try and authenticate a user
> locally, and if it doesn't find a user in its domain to then go and try to
> authenticate that user in a different domain?
>
> What we want to do is to have two separate domains, ABC.com and
> EXT.abc.com. These domains are separate domains with a one way trust
> between them. EXT.abc.com trusts abc.com. I have corporate users set up in
> the abc.com domain with UPNs of @abc.com and I want them to be able to log
> in to the EXT.abc.com domain using their John.Doe@abc.com user and
> password. Currently this does not work for the UPNs, but if I use the
> "Log on to" pull down box and select the old NT domain name (Corp_abc)
> from the list it works. It seems to me that either the EXT.abc.com domain
> sees the @abc.com and is trying to log that person in locally, or that
> EXT.abc.com can't find the DC for the abc.com domain. When I run a
> nslookup from the dc on the ext.abc.com domain for abc.com, it returns its
> own IP.
>
> I know this may sound weird to do, but is there any way of making it
> happen?
>
> Marty
>
>
Anonymous
February 10, 2005 10:29:41 PM

"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:uPTPLD9DFHA.3368@TK2MSFTNGP10.phx.gbl...
> Marty,
>
> Since ext.abc.com is a child domain of abc.com there will be - by
> default - trusts already set up. Just make sure that DNS is set up
> correctly. It sounds like Herb and Chriss have given you ideas. I am
> thinking that the UPN suggestion might be a good one.

Cary, I read him to say that despite the apparent
connection he has set these up as separate forests
with a 1-way trust.

This strongly indicated he has two Forests which is
part of the likely mis-design he is fighting.
Anonymous
February 10, 2005 10:38:42 PM

Marty,

Further to my post...

A user account object can only be authenticated against a Domain Controller
from the Domain in which it resides. If there is a user account object in
abc.com then only a Domain Controller from abc.com can authenticate it. It
cannot be authenticated against a Domain Controller from ext.abc.com.....

The UPN suggestion simply makes the domain 'irrelevant' - from a user
standpoint. So, all user account objects would have joeblow@xyz.com or
janedoe@xyz.com - you set this up in the Active Directory Domains and Trusts
MMC...this would apply to all user account objects in the forest....

But, a DC in abc.com would have to be available to authenticate a user
account object from abc.com.....if that is not the case ( no DC is
available ) then that user account object would not be authenticated....even
if there were seven DCs available from ext.abc.com...

Unless, of course, there is something that I am missing....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Marty" <Marty@discussions.microsoft.com> wrote in message
news:3CAE5796-0CF1-420E-BA1A-3ED03B41D8C6@microsoft.com...
> Hi
>
> Is there a way of setting a domain up to try and authenticate a user
> locally, and if it doesn't find a user in its domain to then go and try to
> authenticate that user in a different domain?
>
> What we want to do is to have two separate domains, ABC.com and
> EXT.abc.com. These domains are separate domains with a one way trust
> between them. EXT.abc.com trusts abc.com. I have corporate users set up in
> the abc.com domain with UPNs of @abc.com and I want them to be able to log
> in to the EXT.abc.com domain using their John.Doe@abc.com user and
> password. Currently this does not work for the UPNs, but if I use the
> "Log on to" pull down box and select the old NT domain name (Corp_abc)
> from the list it works. It seems to me that either the EXT.abc.com domain
> sees the @abc.com and is trying to log that person in locally, or that
> EXT.abc.com can't find the DC for the abc.com domain. When I run a
> nslookup from the dc on the ext.abc.com domain for abc.com, it returns its
> own IP.
>
> I know this may sound weird to do, but is there any way of making it
> happen?
>
> Marty
>
>
Anonymous
February 10, 2005 11:32:54 PM

Herb,

You might be correct. I read it a bit differently but it could very well be
that I am 'hearing' what I want to hear. You have two domains both ending
in abc.com and you *naturally* have a parent / child domain set up in the
same domain tree ( read: single forest ).

But you are probably reading it correctly.

Maybe Marty can clarify?

Marty, are you talking about two separate Forests....where abc.com is a
single domain-tree Forest and ext.abc.com is a second separate single
domain-tree Forest? Or are you talking about one Forest with one Domain
Tree....where ext.abc.com is a child domain of abc.com?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Herb Martin" <news@LearnQuick.com> wrote in message
news:ulld4Z9DFHA.1012@TK2MSFTNGP14.phx.gbl...
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:uPTPLD9DFHA.3368@TK2MSFTNGP10.phx.gbl...
>> Marty,
>>
>> Since ext.abc.com is a child domain of abc.com there will be - by
>> default - trusts already set up. Just make sure that DNS is set up
>> correctly. It sounds like Herb and Chriss have given you ideas. I am
>> thinking that the UPN suggestion might be a good one.
>
> Cary, I read him to say that despite the apparent
> connection he has set these up as separate forests
> with a 1-way trust.
>
> This strongly indicated he has two Forests which is
> part of the likely mis-design he is fighting.
>
>
Anonymous
February 10, 2005 11:47:48 PM

"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:eBJKhm9DFHA.4052@TK2MSFTNGP09.phx.gbl...
> Herb,
>
> You might be correct. I read it a bit differently but it could very well
> be that I am 'hearing' what I want to hear. You have two domains both
> ending in abc.com and you *naturally* have a parent / child domain set up
> in the same domain tree ( read: single forest ).

We'll see.

> But you are probably reading it correctly.

FYI: Some of my training is on the structure of language
and how it channels what we think depending on the words
AND the structure of those words.

> Maybe Marty can clarify?

Yes, we pretty much have to see what he says.

> Marty, are you talking about two separate Forests....where abc.com is a
> single domain-tree Forest and ext.abc.com is a second separate single
> domain-tree Forest? Or are you talking about one Forest with one Domain
> Tree....where ext.abc.com is a child domain of abc.com?


--
Herb Martin


"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:eBJKhm9DFHA.4052@TK2MSFTNGP09.phx.gbl...
> Herb,
>
> You might be correct. I read it a bit differently but it could very well
> be that I am 'hearing' what I want to hear. You have two domains both
> ending in abc.com and you *naturally* have a parent / child domain set up
> in the same domain tree ( read: single forest ).
>
> But you are probably reading it correctly.
>
> Maybe Marty can clarify?
>
> Marty, are you talking about two separate Forests....where abc.com is a
> single domain-tree Forest and ext.abc.com is a second separate single
> domain-tree Forest? Or are you talking about one Forest with one Domain
> Tree....where ext.abc.com is a child domain of abc.com?
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:ulld4Z9DFHA.1012@TK2MSFTNGP14.phx.gbl...
> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> > news:uPTPLD9DFHA.3368@TK2MSFTNGP10.phx.gbl...
> >> Marty,
> >>
> >> Since ext.abc.com is a child domain of abc.com there will be - by
> >> default - trusts already set up. Just make sure that DNS is set up
> >> correctly. It sounds like Herb and Chriss have given you ideas. I am
> >> thinking that the UPN suggestion might be a good one.
> >
> > Cary, I read him to say that despite the apparent
> > connection he has set these up as separate forests
> > with a 1-way trust.
> >
> > This strongly indicated he has two Forests which is
> > part of the likely mis-design he is fighting.
> >
> >
>
>
Anonymous
February 11, 2005 12:27:40 AM

Hello Marty,
I'm not sure I understand what you are trying to do; it sounds like you are
about to do some domain name suffix routing.

Have a look at these resources.
Routing name suffixes across forests:
http://www.microsoft.com/resources/documentation/Window...

http://www.microsoft.com/resources/documentation/Window...

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"Marty" <Marty@discussions.microsoft.com> wrote in message
news:3CAE5796-0CF1-420E-BA1A-3ED03B41D8C6@microsoft.com...
> Hi
>
> Is there a way of setting a domain up to try and authenticate a user
> locally, and if it doesn't find a user in its domain to then go and try to
> authenticate that user in a different domain?
>
> What we want to do is to have two separate domains, ABC.com and
> EXT.abc.com. These domains are separate domains with a one way trust
> between them. EXT.abc.com trusts abc.com. I have corporate users set up in
> the abc.com domain with UPNs of @abc.com and I want them to be able to log
> in to the EXT.abc.com domain using their John.Doe@abc.com user and
> password. Currently this does not work for the UPNs, but if I use the
> "Log on to" pull down box and select the old NT domain name (Corp_abc)
> from the list it works. It seems to me that either the EXT.abc.com domain
> sees the @abc.com and is trying to log that person in locally, or that
> EXT.abc.com can't find the DC for the abc.com domain. When I run a
> nslookup from the dc on the ext.abc.com domain for abc.com, it returns its
> own IP.
>
> I know this may sound weird to do, but is there any way of making it
> happen?
>
> Marty
>
>
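The three points the replies make fit together as one routing decision: Herb's point that DOMAIN\user names the domain explicitly while a user@suffix name has to be resolved from the suffix, Cary's point that only a DC of the account's own domain can authenticate it, and Christoffer's pointer to name suffix routing across forests. The Python below is an added example written for this thread; it is not code from the thread, from Microsoft, or from Windows itself. The forests, NetBIOS names and trusts are constructed to mirror Marty's description, and the rule it encodes (an external, NT-style trust carries no UPN suffix routing, a forest trust does) is a fact about Active Directory that the thread itself does not state.

```python
# Added example (not from the thread): a model of how a Windows logon name is
# routed to the forest that holds the account, for the two name shapes the
# replies discuss: an explicit DOMAIN\user and a UPN user@suffix.
# Every forest, domain, NetBIOS name and trust below is constructed.
from dataclasses import dataclass, field


@dataclass
class Forest:
    root: str                                      # forest root DNS name
    domains: set = field(default_factory=set)      # DNS names of its domains
    netbios: dict = field(default_factory=dict)    # NetBIOS name -> DNS domain
    upn_suffixes: set = field(default_factory=set)  # suffixes its own GCs resolve


@dataclass
class Trust:
    trusting: str                 # forest root where the logon is attempted
    trusted: str                  # forest root whose accounts are accepted
    kind: str                     # "external" (NT-style) or "forest"
    routed_suffixes: set = field(default_factory=set)  # forest trusts only


def parse_logon_name(name):
    """Split a logon name into (kind, qualifier, user)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return "netbios", domain.upper(), user
    if "@" in name:
        user, suffix = name.rsplit("@", 1)
        return "upn", suffix.lower(), user
    return "bare", None, name


def route_logon(name, local_root, forests, trusts):
    """Decide which forest should authenticate `name` when it is typed at a
    machine in forest `local_root`. Returns (status, forest_root_or_None)."""
    by_root = {f.root: f for f in forests}
    local = by_root[local_root]
    kind, qualifier, _user = parse_logon_name(name)

    # Accounts the local forest will accept: its own plus those of forests it trusts.
    trusted_roots = {t.trusted for t in trusts if t.trusting == local_root}

    if kind == "bare":
        return "local", local_root      # no qualifier: the machine's own domain

    if kind == "netbios":
        # An explicit domain is looked up directly; it only has to be reachable
        # through a trust. This is the "Log on to" box path that works for Marty.
        for forest in forests:
            if qualifier in forest.netbios:
                if forest.root == local_root:
                    return "local", forest.root
                if forest.root in trusted_roots:
                    return "trusted", forest.root
                return "untrusted", forest.root
        return "unknown-domain", None

    # UPN: the suffix alone must tell the local DC where to send the request.
    if qualifier in local.upn_suffixes:
        return "local", local_root
    for t in trusts:
        if t.trusting == local_root and t.kind == "forest" and qualifier in t.routed_suffixes:
            return "trusted", t.trusted
    # An external trust carries no suffix routing, so an unknown suffix is
    # treated as a local logon attempt and fails: Marty's symptom.
    return "unroutable", None


# Constructed scenario: two separate forests that merely share "abc.com" in name.
CORP = Forest("abc.com", {"abc.com", "ca.abc.com"}, {"CORP_ABC": "abc.com"}, {"abc.com"})
EXT = Forest("ext.abc.com", {"ext.abc.com"}, {"EXT": "ext.abc.com"}, {"ext.abc.com"})
FORESTS = [CORP, EXT]

# One-way external trust: ext.abc.com trusts abc.com (what Marty describes).
EXTERNAL_ONLY = [Trust("ext.abc.com", "abc.com", "external")]
# Same direction, but as a forest trust with the abc.com suffix routed.
WITH_ROUTING = [Trust("ext.abc.com", "abc.com", "forest", {"abc.com"})]

if __name__ == "__main__":
    for trusts in (EXTERNAL_ONLY, WITH_ROUTING):
        for name in ("CORP_ABC\\john.doe", "john.doe@abc.com", "john.doe@ext.abc.com"):
            print(trusts[0].kind, name, "->", route_logon(name, "ext.abc.com", FORESTS, trusts))
```

With only the one-way external trust, `CORP_ABC\john.doe` is routed to abc.com while `john.doe@abc.com` is unroutable at an ext.abc.com DC, which is the behaviour Marty reports; the same UPN becomes routable once a forest trust routes the abc.com suffix. Forest trusts and suffix routing require Windows Server 2003 forests, so on the Windows 2000 domains in this thread the realistic choices are the explicit DOMAIN\user form or the single-forest redesign Herb suggests.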
February 11, 2005 5:55:03 AM

Cary;

These are two separate forests; they just share the abc.com part of a domain
name.

In reality, what I have is:

Domain one: abc.com (parent) (NT domain name = corp_abc)
            ca.abc.com (child)

Domain two: ext.abc.com

Marty

"Cary Shultz [A.D. MVP]" wrote:

> Marty,
>
> Since ext.abc.com is a child domain of abc.com there will be - by default -
> trusts already set up. Just make sure that DNS is set up correctly. It
> sounds like Herb and Chriss have given you ideas. I am thinking that the
> UPN suggestion might be a good one.
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Marty" <Marty@discussions.microsoft.com> wrote in message
> news:3CAE5796-0CF1-420E-BA1A-3ED03B41D8C6@microsoft.com...
> > Hi
> >
> > Is there a way of setting a domain up to try and authenticate a user
> > locally, and if it doesn't find a user in its domain to then go and try
> > to authenticate that user in a different domain?
> >
> > What we want to do is to have two separate domains, ABC.com and
> > EXT.abc.com. These domains are separate domains with a one way trust
> > between them. EXT.abc.com trusts abc.com. I have corporate users set up
> > in the abc.com domain with UPNs of @abc.com and I want them to be able to
> > log in to the EXT.abc.com domain using their John.Doe@abc.com user and
> > password. Currently this does not work for the UPNs, but if I use the
> > "Log on to" pull down box and select the old NT domain name (Corp_abc)
> > from the list it works. It seems to me that either the EXT.abc.com domain
> > sees the @abc.com and is trying to log that person in locally, or that
> > EXT.abc.com can't find the DC for the abc.com domain. When I run a
> > nslookup from the dc on the ext.abc.com domain for abc.com, it returns
> > its own IP.
> >
> > I know this may sound weird to do, but is there any way of making it
> > happen?
> >
> > Marty
> >
> >
>
>
>
February 11, 2005 5:59:04 AM

Cary;

Sorry, in my reply I didn't say that they are two separate forests.

Marty

"Cary Shultz [A.D. MVP]" wrote:

> Herb,
>
> You might be correct. I read it a bit differently but it could very well be
> that I am 'hearing' what I want to hear. You have two domains both ending
> in abc.com and you *naturally* have a parent / child domain set up in the
> same domain tree ( read: single forest ).
>
> But you are probably reading it correctly.
>
> Maybe Marty can clarify?
>
> Marty, are you talking about two separate Forests....where abc.com is a
> single domain-tree Forest and ext.abc.com is a second separate single
> domain-tree Forest? Or are you talking about one Forest with one Domain
> Tree....where ext.abc.com is a child domain of abc.com?
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:ulld4Z9DFHA.1012@TK2MSFTNGP14.phx.gbl...
> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> > news:uPTPLD9DFHA.3368@TK2MSFTNGP10.phx.gbl...
> >> Marty,
> >>
> >> Since ext.abc.com is a child domain of abc.com there will be - by
> > default -
> >> trusts already set up. Just make sure that DNS is set up correctly. It
> >> sounds like Herb and Chriss have given you ideas. I am thinking that the
> >> UPN suggestion might be a good one.
> >
> > Cary, I read him to say that despite the apparent
> > connection he has set these up as separate forests
> > with a 1-way trust.
> >
> > This strongly indicated he has two Forests which is
> > part of the likely mis-design he is fighting.
> >
> >
>
>
>