Cross Domain Authentication Issue

Anonymous
June 6, 2005 11:51:03 AM

Archived from groups: microsoft.public.win2000.active_directory

Kinda complicated question for those who would like to show off their chops...

Background:
4 Domains of Windows 2003 DCs in a forest running in Windows 2000 native.
All domains are running Windows 2000 native. 1 root domain, 1 child domain
and 2 grandchild domains. There is an application making LDAP queries of
each domain in the context of an account I'll call LDAPAcct that lives in the
child domain without using the fully qualified name of the account. The
application will not accept the FQDN of the account when making the LDAP
query.

Issue:
When the application runs the LDAP query against either grandchild domain
the grandchild DC doesn't find the account in the local domain DB, so it
prepends another domain name to the username in the request and sends it to
that domain for authentication. The issue is that one grandchild domain
prepends the root domain name (rootdomain\LDAPAcct) and the other grandchild
domain prepends the correct child domain name (childdomain\LDAPAcct). Since
the account lives in the child domain, when the root domain is prepended the
query fails.

Question:
Is there anyone who understands the mechanism that a DC will use in a
situation like this when referring an unqualified account name to another
domain for authentication? If so, can you give me some guidance?

Thanks for any insight
Mark
Anonymous
June 8, 2005 10:46:08 AM

Mark

Split your zones over DNS servers, i.e. have secondary zones on the child
domain DNS server for your grandchild domains, and update your suffixes to
include the grandchild zones. That will do the trick :)
