GOne-3896 asked (FanFan-MSFT commented)

Trust and access token related query

Hello,

Scenario 1: A trust relationship is a link that is established between domains to enable users in one domain to be authenticated by a domain controller in the other domain. Trust relationships are authentication pipelines that must be present so that users in one domain can be authorized for access to resources in another domain.

Suppose there are 2 domains, Domain A and Domain B. Domain A is the trusting domain and Domain B is the trusted domain. It means users in Domain B can access resources in Domain A. Before accessing resources, users in Domain B must be authenticated by Domain A. According to the above definition, Domain B users must be authenticated by the Domain Controller in Domain A.

Question 1: How does authentication of Domain B users take place by the Domain Controller in Domain A, as the user accounts of Domain B users do not reside in the Domain Controller of Domain A? How exactly does that authentication happen with respect to the trust? How exactly is a trusted domain user able to access resources in the trusting domain? Is it because of group membership in the trusting domain OR is it because of adding trusted domain security principals to ACLs in the trusting domain?

Scenario 2: Suppose a user is added to a Global group and that Global group is nested inside a Domain Local group. The Domain Local group is applied in the resource ACL. The server containing the resource and the user account both reside in the same domain. If the user logs in to a workstation joined to the same domain as the server and tries to access the resource, then the initial access token will include the SID of the Domain Local group of the server's domain, as the server's domain and the workstation's domain are the same.

Question 2: While trying to access the resource on the server (same domain as the workstation and user), is a new access token generated by the server as well, and is access possible because the new access token has the SID of the Domain Local group of the server's domain? OR is access possible because the initial token (after logging in to the workstation) has the SID of the Domain Local group of the server's domain (since the workstation and server are both in the same domain)?

Please provide answers specific to questions and explain.


Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept it as an answer.
If not, please reply and tell us about the current situation so we can provide further help.

Best Regards,

Crypt32 answered

Answer to Q1:

  1. User1@domainB contacts its own domain controller (say, dc1.domainB) and asks for access to a resource in DomainA.

  2. The KDC (dc1.domainB) doesn't find the SPN of the resource in Active Directory, because the resource belongs to another domain/forest.

  3. dc1.domainB looks for the SPN in the global catalog, which in turn will check all trusts.

  4. If the corresponding SPN and trust are found, the GC returns a referral record back to dc1.domainB.

  5. dc1.domainB issues a referral TGT to access the domainA KDC to user1@domainB.

  6. User1@domainB contacts domainA and presents the referral TGT.

  7. The KDC in domainA checks if there is such an SPN as specified in the incoming TGT.

  8. The KDC in domainA issues a service ticket to access the particular resource in its domain to User1@domainB, which includes the SIDs the user belongs to in domainA.

  9. User1@domainB presents the service ticket to the remote resource. The remote resource has a list of SIDs the user belongs to and determines the access level.

Answer to Q2:
It is a simpler form of the scenario in Q1:

  1. User1 logs in to a workstation in the domain.

  2. The KDC issues a TGT to User1 that contains the user's membership. This will include all domain local, global and universal groups.

  3. User1 contacts the KDC to access the server resource and presents the TGT obtained in the previous step.

  4. The KDC generates a service ticket to access the requested resource and returns it to User1.

  5. User1 connects to the server resource and presents the service ticket. The server resource will validate this ticket with the KDC and then make a decision on the access level.

Read this document for more detailed information: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
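As an added illustration (not part of Crypt32's answer), here is a Python model of the Q1 cross-domain flow: domain B's KDC cannot resolve the SPN, finds the trust, and issues a referral TGT under the inter-realm trust key; domain A's KDC validates it and appends the domain-local group SIDs the user holds in A; the resource then matches the ticket's SIDs against its ACL. Kerberos encryption is stood in for by an HMAC, and all domain names, SIDs, keys and the ACL are constructed sample values. The Q2 single-domain case is the same pipeline with one KDC and no referral step.

```python
import hmac, hashlib, json
# Constructed sample directory data (not real SIDs or keys): domain A trusts
# domain B, user1@domainB is in a global group of B, and that global group is
# nested in a domain-local group of A that the resource ACL grants "read".
TRUST_KEY = b"constructed-interrealm-trust-key"        # shared by A and B
DOMAIN_KEYS = {"domainA": b"constructed-key-a", "domainB": b"constructed-key-b"}
TRUSTS = {("domainA", "domainB"): TRUST_KEY}           # (trusting, trusted)
GLOBAL_CATALOG = {"cifs/fs1.domainA": "domainA"}       # SPN -> owning domain
GROUPS_B = {"user1@domainB": ["S-1-5-21-B-1105"]}      # global group in B
GROUPS_A = {"S-1-5-21-B-1105": ["S-1-5-21-A-1201"]}    # domain-local group in A
ACL = {"cifs/fs1.domainA": {"S-1-5-21-A-1201": "read"}}

def seal(payload, key):
    """Stand-in for Kerberos encryption: an HMAC over the ticket body."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def unseal(ticket, key):
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise ValueError("ticket was not issued under the expected key")
    return json.loads(body)

def kdc_b_referral(user, spn):
    """Steps 2-5: B's KDC has no such SPN, asks the GC, issues a referral TGT."""
    owner = GLOBAL_CATALOG.get(spn)
    if owner is None or (owner, "domainB") not in TRUSTS:
        raise LookupError("no SPN or trust path for " + spn)
    return seal({"user": user, "sids": GROUPS_B[user], "spn": spn}, TRUSTS[(owner, "domainB")])

def kdc_a_service_ticket(referral_tgt):
    """Steps 7-8: A's KDC checks the referral with the trust key, adds domain A SIDs."""
    tgt = unseal(referral_tgt, TRUST_KEY)
    if tgt["spn"] not in ACL:
        raise LookupError("unknown SPN " + tgt["spn"])
    sids = list(tgt["sids"])
    for sid in tgt["sids"]:
        sids += GROUPS_A.get(sid, [])   # domain-local membership only known in A
    return seal({"user": tgt["user"], "sids": sids, "spn": tgt["spn"]}, DOMAIN_KEYS["domainA"])

def resource_check(spn, service_ticket):
    """Step 9: the resource unseals the ticket and matches its SIDs to the ACL."""
    st = unseal(service_ticket, DOMAIN_KEYS["domainA"])
    if st["spn"] != spn:
        raise ValueError("ticket is for a different service")
    return next((ACL[spn][s] for s in st["sids"] if s in ACL[spn]), None)

def cross_domain_access(user, spn):
    return resource_check(spn, kdc_a_service_ticket(kdc_b_referral(user, spn)))
```

Note that the domain-local SID only appears after domain A's KDC has processed the referral, which is why the resource in the trusting domain can grant access through its own domain-local group.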

FanFan-MSFT answered (edited)

Hi,

To understand Kerberos authentication, you can refer to the following link first.
This article introduces the entire process in detail, both for authentication within a domain and across a trust.
How the Kerberos Version 5 Authentication Protocol Works
Feel free to let us know if you have questions about it.
