Cross Domain Authentication Issue

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Kinda complicated question for those who would like to show off their chops...

Background:
4 Domains of Windows 2003 DCs in a forest running in Windows 2000 native.
All domains are running Windows 2000 native. 1 root domain, 1 child domain
and 2 grandchild domains. There is an application making LDAP queries of
each domain in the context of an account I'll call LDAPAcct that lives in the
child domain without using the fully qualified name of the account. The
application will not accept the FQDN of the account when making the LDAP
query.

Issue:
When the application runs the LDAP query against either grandchild domain
the grandchild DC doesn't find the account in the local domain DB, so it
prepends another domain name to the username in the request and sends it to
that domain for authentication. The issue is that one grandchild domain
prepends the root domain name (rootdomain\LDAPAcct) and the other grandchild
domain prepends the correct child domain name (childdomain\LDAPAcct). Since
the account lives in the child domain, when the root domain is prepended the
query fails.

Question:
Is there anyone who understands the mechanism that a DC will use in a
situation like this when referring an unqualified account name to another
domain for authentication? If so can you give me some guidance?

Thanks for any insight
Mark

    Mark

    Split your zones over DNS servers, i.e. have secondary zones on the child
    domain DNS server for your grandchild domains, and update your suffixes to
    include the grandchild zones. That will do the trick :)


    "Mark Gaines" wrote:

    > Kinda complicated question for those who would like to show off their chops...
    >
    > Background:
    > 4 Domains of Windows 2003 DCs in a forest running in Windows 2000 native.
    > All domains are running Windows 2000 native. 1 root domain, 1 child domain
    > and 2 grandchild domains. There is an application making LDAP queries of
    > each domain in the context of an account I'll call LDAPAcct that lives in the
    > child domain without using the fully qualified name of the account. The
    > application will not accept the FQDN of the account when making the LDAP
    > query.
    >
    > Issue:
    > When the application runs the LDAP query against either grandchild domain
    > the grandchild DC doesn't find the account in the local domain DB, so it
    > prepends another domain name to the username in the request and sends it to
    > that domain for authentication. The issue is that one grandchild domain
    > prepends the root domain name (rootdomain\LDAPAcct) and the other grandchild
    > domain prepends the correct child domain name (childdomain\LDAPAcct). Since
    > the account lives in the child domain, when the root domain is prepended the
    > query fails.
    >
    > Question:
    > Is there anyone who understands the mechanism that a DC will use in a
    > situation like this when referring an unqualified account name to another
    > domain for authentication? If so can you give me some guidance?
    >
    > Thanks for any insight
    > Mark
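The root of the problem in the question is that an unqualified account name (LDAPAcct with no domain) is only meaningful once some DC has decided which domain it belongs to, and the thread shows two DCs making different choices. The script below is an added example, not code from the original thread or from either poster: it searches the Global Catalog for every domain in the forest holding an account with that sAMAccountName, so an administrator can see whether the name is unique before relying on unqualified binds, and it prints the DNS suffix search list of the host it runs on, which is the setting the reply suggests updating. It assumes a domain-joined Windows host with the .NET System.DirectoryServices classes available; Get-DnsClientGlobalSetting is a modern cmdlet (Windows 8 / Server 2012 and later) and is an assumption, since the thread's servers are Windows 2003.

```powershell
# Added example (not from the original thread). Given an unqualified
# sAMAccountName such as LDAPAcct, find every domain in the forest that holds
# an account with that name. A name that exists in more than one domain is
# ambiguous, and a bind with an unqualified name may authenticate against an
# account other than the one the application intended.
function Find-UnqualifiedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # GC:// searches the whole forest rather than the local domain partition.
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Escape LDAP filter metacharacters (RFC 4515) so a crafted name cannot
    # change the meaning of the filter. Backslash must be escaped first.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userPrincipalName'))

    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # Derive the domain DNS name from the DC= components of the DN.
        $dnsName = ($dn -split ',' |
            Where-Object { $_ -like 'DC=*' } |
            ForEach-Object { $_.Substring(3) }) -join '.'
        [pscustomobject]@{
            SamAccountName = $SamAccountName
            Domain         = $dnsName
            UPN            = [string]$r.Properties['userprincipalname'][0]
            DN             = $dn
        }
    }
}

# The DNS suffix search list of this host; the reply suggests adding the
# grandchild zones here on the machine the application runs from.
function Get-SuffixSearchList {
    (Get-DnsClientGlobalSetting).SuffixSearchList
}

# Usage: check the account from the thread, then show the suffix list.
$hits = @(Find-UnqualifiedAccount -SamAccountName 'LDAPAcct')
$hits | Format-Table Domain, UPN, DN -AutoSize
if ($hits.Count -gt 1) {
    Write-Warning "'LDAPAcct' exists in $($hits.Count) domains; an unqualified bind is ambiguous."
}
elseif ($hits.Count -eq 0) {
    Write-Warning "'LDAPAcct' was not found anywhere in the forest."
}
Get-SuffixSearchList
```

If the search returns exactly one hit, the UPN it reports (LDAPAcct@childdomain) is the fully qualified form that removes the ambiguity; where the application cannot be changed to use it, the output still tells you which domain every DC ought to resolve the unqualified name to, which is the thing to compare against the behaviour of the two grandchild DCs.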