Limiting Authenication across a trust

-

we own domaina running ad on 2008 sp2 2008 functional level domain , forest. third party owns domainb. there outgoing trust in domaina trusts domainb, , incoming trust in domainb domaina (ie. one-way trust of domaina trusting domainb).

we have configured selective authentication on our side of trust (domaina) and granted "allowed authenicate" permissions to a group of users domainb specific servers (servera , serverb) in domaina. authentication of users domainb servers servera , serverb works expected.

there several services have internet access can authenticate against domaina (ie. exchange owa - we'll call serverc) have not been granted "allowed authenticate" permission. if attempts login serverc using user account exists in domainb, authentication takes place against domain controller in domaina sends domainb , locks out account in domainb. administrator in domainb contacts asking why serverc attempting authenticate users of domainb, when servera , serverb allowed access.

how can limit authentication serverc in domaina not allowed request authentication domainb users?

jeff graves, orcs web, inc.

you can't prevent or implement performing ldap query against resources in trusting domain. if try block query using firewall rule there more problem good.

 

regards

awinish vishwakarma| check blog 

disclaimer: posting provided as-is no warranties or guarantees , confers no rights.



Windows Server  >  Directory Services



Comments

Post a Comment

Popular posts from this blog

for loop and start-job from cmd.exe

-
hello, i have simple script developed debug purposes: $serverlist = @( "sca-c1cor01", "scb-c1cor01" ) ($i=0; $i -lt $serverlist.length; $i++) { start-job -scriptblock {$x=0} } i have saved script off file called test.ps1.  when run ./test.ps1 within interactive powershell runs fine.  i trying to call script dos window, sql server agent command job, or start->run line.  here syntax using: cmd.exe /c powershell -nologo -noninteractive "c:\scripts\powershell\test.ps1" when run way (from dos window), diaglog box pops says: powershell has stopped working  problem caused program stop working correctly.  windows close program , notify if solution available. i close , open eventvwr.msc.  2 pieces of info.  1 application , services log (windows powershell): engine state changed available stopped. details:  newenginestate=stopped  previousenginestate...
Read more

Edit Group Policy

-
i have pc has power settings pushed out default domain policy in ad environment. of course on local machine "some settings managed system adminstrator". the machine temporarily no longer in contact domain controller (it's been physically moved , not on same network now) can't updated gpo settings. i believe if edit local group policy won't make difference because of group policy processing , precedence. since it's temporary away ad network, still want use settings of ad user. is there somewhere in registry stored can edit power plan manually until can sync domain? (i need prevent sleeping while plugged in - it's set 1 hour) thanks! allen crist i found site: http://gpsearch.azurewebsites.net/#7916 i able add policy to hkey_local_machine\software\policies\microsoft\power using specs found on site. looks solved issue. i'll report if didn't. thanks! allen crist ...
Read more

File Share Witness is not a valid File share path

-
i have 2 windows 2008 r2 vms (esxi) running double-take. we have health-check running on our netscaler force failover primary vm secondary vm if netscaler cannot access smb share on primary vm. this hasn't proven method of providing fault tolerance, trying cluster these 2 vms using file share witness. (i should add client engineers solution, implement according requirements). the witness share has been created on emc vnx. domain account , domain cluster computer name account both have full control permissions on share. i have installed the file services role failover clustering feature on both vms. to configure quorum, selecting node , file share majority (for clusters special configuration). i providing ip address , share name in form of \\<ipaddress>\<sharename>. the wizard returns \\<ipaddress>\<sharename> not valid share path. reading documentation microsoft, there statement saying witness share should have nothing else stored or u...
Read more