Domain/Forest logon, trust, groups and token related questions

G-ONE 166 Reputation points
2021-01-23T05:11:20.873+00:00

Hello,

Suppose there are 2 domains, Domain A and Domain B. The resource is on a Domain B joined server. The user belongs to Domain A. When the user logs on to Domain A and tries to access the resource on the Domain B joined server, I just want to confirm that the authenticating domain is only Domain A, not Domain B. Correct?

So it means the token can contain only Domain A Global groups, Domain A Universal groups and Domain B Universal groups. So "forest global groups" means all universal groups of all domains in a forest (intra-forest logon). Correct?

In Inter-forest logon, there are 2 situations: external trust and forest trust.

So in case of external trust: Global groups within the trusted domain are not included in the token; only universal groups within the trusted domain are included in the token. Correct?

But in case of forest trust: Both Global groups from the authenticating domain and all Universal groups within the trusted forest are included in the token. Correct?

So in case of external trust: Only universal group SIDs (within the trusted domain) will cross the trust boundary. Correct?

But in case of forest trust: SIDs of Global groups from the authenticating domain as well as SIDs of Universal groups within the trusted forest will cross the trust boundary. Correct?

So in short, only Global group SIDs and Universal group SIDs always cross the trust boundary. Domain Local group SIDs never cross the trust boundary. Correct?

Please reply with explanations on all the above points and confirm whether my understanding is correct. Kindly share official Microsoft support articles or reference articles that answer and explain the above scenarios and questions.


2 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-01-25T06:41:26.423+00:00

    Hi,
    Based on my understanding: if clients want to access a resource in another domain as you mentioned, the service tickets should be issued by the KDC in the target domain (where the resource is located).

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)
    When a client requests a service ticket for a server in a remote Kerberos realm, the request is sent to the KDC in the client account's realm. The KDC determines that the server is in another realm, so it cannot issue a service ticket. This can only be done by a KDC in the target server's realm. So, instead of issuing the service ticket, the KDC in the client account's realm issues a TGS referral.

    For your question:
    So it means it can contain only Domain A Global groups, Domain A Universal groups and Domain B Universal groups. So forest global groups mean all universal groups of all domains in a forest (intra-forest logon). Correct?

    I'm afraid I didn't understand you clearly; please tell me more details. For example, how did you assign the permission to users on the resource, and what is the group membership of the user?
    Do you mean the SIDs in the access token when the user accesses a resource in another domain?

    Generally speaking:
    Since a domain local group's scope is limited to the domain in which it resides, it is only added to a user's token when the user authenticates to a resource within the same domain as the domain local group.
    No matter where a user authenticates, all of the user's global groups will be included in the user's access token.
    Universal groups also add a SID to a user's access token no matter what domain the group or user resides in.
    If you still have questions, feel free to let us know.
    Following link for your reference:
    Active Directory Security Groups: https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
    https://www.giac.org/paper/gsec/5111/kerberos-access-token-limitations/104962 (Third-party link)
    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
    Best Regards,


  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-01-26T03:31:00.6+00:00

    Hi,

    I thought I had answered your questions.

    1. So in this case, what is the authenticating domain?

    There are 3 steps in Kerberos authentication.
    The AS process: when the user logs on to the computer, it will be authenticated by the KDC in domain A, which is in the same domain as the user.
    But the TGS, TGT need to be issued by the KDC in the domain where the resource is located.
    For the whole processes , you can refer to the following link:
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)
    2.
    In Inter-forest logon, there are 2 situations: external trust and forest trust.
    So in case of external trust: I heard that Global groups within the trusted domain are not included in the token, only universal groups within the trusted domain are included in the token. But in case of forest trust: Both Global groups from the authenticating domain and all Universal groups within the trusted forest are included in the token. Can you research this and confirm an official article that validates the statement?

    No matter whether it is an external trust or a forest trust, the token will contain the SIDs of the Global groups and Universal groups.

    Both the global and universal groups can be used to assign permission in any domain.
    As said above:
    A domain local group's scope is limited to the domain in which it resides, so it is only added to a user's token when the user authenticates to a resource within the same domain as the domain local group.
    No matter where a user authenticates, all of the user's global groups will be included in the user's access token.
    Universal groups also add a SID to a user's access token no matter what domain the group or user resides in.

    Only Global and Universal group SIDs always cross the trust boundary. Domain Local group SIDs never cross the trust boundary? Yes.
    Reference link:
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755692(v=ws.10)?redirectedfrom=MSDN

    Regards,

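To make the two answers concrete, here is an added model (not code from the thread or from Microsoft) of the referral flow and of which group SIDs reach the token on the resource server, using exactly the scope rules the answers state: global and universal groups always, domain local groups only when the resource is in the group's own domain. The domain names, group names and trust relationship are constructed sample data; it queries no real directory.

```python
"""Model of cross-domain logon: AS exchange in the user's domain, TGS referral to the
resource domain, and the group SIDs that end up in the access token.  Constructed data;
assumptions are the scope rules quoted in the answers above."""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    DOMAIN_LOCAL = "domain local"
    GLOBAL = "global"
    UNIVERSAL = "universal"


@dataclass(frozen=True)
class Group:
    name: str
    domain: str      # domain the group object lives in
    scope: Scope


def authenticate(user_domain, resource_domain, memberships, trusts):
    """Return (kdc_steps, token_group_names) for a user of user_domain accessing a
    resource in resource_domain.  trusts holds (trusting, trusted) pairs, so a resource
    domain B that trusts A is written (B, A)."""
    steps = [f"AS: KDC of {user_domain} authenticates the user"]
    if resource_domain != user_domain:
        if (resource_domain, user_domain) not in trusts:
            raise ValueError(f"{resource_domain} does not trust {user_domain}")
        # The user's own KDC cannot issue the service ticket; it refers the client on.
        steps.append(f"TGS referral: KDC of {user_domain} -> KDC of {resource_domain}")
    steps.append(f"TGS: KDC of {resource_domain} issues the service ticket")

    token = set()
    for g in memberships:
        if g.scope in (Scope.GLOBAL, Scope.UNIVERSAL):
            token.add(g.name)            # included wherever the user authenticates
        elif g.domain == resource_domain:
            token.add(g.name)            # domain local: only inside its own domain
    return steps, token


# Constructed sample directory: two domains, B trusts A (external or forest trust).
DOMAIN_A, DOMAIN_B = "a.example", "b.example"
MEMBERSHIPS = [
    Group("A-Global", DOMAIN_A, Scope.GLOBAL),
    Group("A-Universal", DOMAIN_A, Scope.UNIVERSAL),
    Group("A-Local", DOMAIN_A, Scope.DOMAIN_LOCAL),
    Group("B-Universal", DOMAIN_B, Scope.UNIVERSAL),
    Group("B-Local", DOMAIN_B, Scope.DOMAIN_LOCAL),
]
TRUSTS = {(DOMAIN_B, DOMAIN_A)}

if __name__ == "__main__":
    for line in authenticate(DOMAIN_A, DOMAIN_B, MEMBERSHIPS, TRUSTS)[0]:
        print(line)
```

Running it against Domain B shows A-Local dropped and B-Local added relative to a logon to a Domain A resource, which is the difference the question is asking about.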