BojanZivkovic-7448 asked

Two-way forest trust - different authentication type for each direction

Hi, I want to create two-way forest trust with different authentication type for each direction. In managed -->management forest direction I want selective authentication whereas in other direction I want forest-wide authentication. Is this doable and if not what are other options on the table and limitations compared to two-way forest trust?

windows-active-directory

VickyWang-MFST answered

Hi,
Thank you for posting in our forum.

In general, all domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain.

In a two-way trust (transitive), both domains that are involved in a trust relationship trust each other. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be non-transitive or transitive depending on the type of trust being created.

As a solution to configure different authentication types for the different trust directions, we could change the authentication type to Selective Authentication in both directions of the domain trust. Then we could try to grant different Allowed to Authenticate permissions in each trust direction to achieve your target.

For detailed information about authentication types, I suggest referring to the following article.

Configuring Selective Authentication Settings

http://technet.microsoft.com/en-us/library/cc755844(v=ws.10)

Additionally, please refer to the article below to secure trust.

Security Considerations for Trusts

http://technet.microsoft.com/en-us/library/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff1

Regards,
Vicky

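What the two steps in the answer above look like from the command line, as an added PowerShell example that is not part of this thread or of Microsoft's documentation. It assumes the ActiveDirectory RSAT module (`Get-ADTrust`, `Get-ADComputer`, the `AD:` drive) and `netdom`, and that it runs with domain-admin rights in the forest whose side of the trust is being inspected or changed. Forest names, the computer name and the group name are placeholders. The rights GUID is the well-known Allowed-To-Authenticate control access right; `Grant-AllowedToAuthenticate` and `Get-TrustAuthSummary` are helper names chosen here.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory RSAT
# module and netdom; run on an admin host in the forest you are configuring.
Import-Module ActiveDirectory

# 1. Audit the trusts this forest holds. SelectiveAuthentication is stored on
#    this forest's own trustedDomain object, so it describes how principals
#    from the *other* forest are treated when they authenticate *here*; the
#    other forest keeps its own, independent setting for the opposite direction.
function Get-TrustAuthSummary {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            LocalForest  = $_.Source
            RemoteForest = $_.Target
            Direction    = $_.Direction            # Inbound / Outbound / BiDirectional
            ForestTrust  = $_.ForestTransitive
            InboundAuth  = if ($_.SelectiveAuthentication) { 'Selective' } else { 'Forest-wide' }
            SidFiltering = $_.SIDFilteringForestAware
        }
    }
}
Get-TrustAuthSummary | Format-Table -AutoSize

# 2. Switch *this* forest's side to selective authentication. Per the thread,
#    that is the management forest, which should only admit the minimum set of
#    production-forest principals. netdom wants the trusting domain first.
$localForest  = 'mgmt.example'   # placeholder: the forest that restricts inbound authentication
$remoteForest = 'prod.example'   # placeholder: the forest whose principals are restricted
netdom trust $localForest /domain:$remoteForest /SelectiveAuth:yes

# 3. With selective authentication on, remote-forest principals can only
#    authenticate to computers whose AD object grants them the
#    "Allowed to Authenticate" extended right. Grant it for one group on one
#    computer object, e.g. a PKI service group on the CA host only.
$allowedToAuthGuid = [guid] '68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # well-known Allowed-To-Authenticate rightsGuid

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string] $ComputerName,   # sAMAccountName without the trailing $
        [Parameter(Mandatory)][string] $PrincipalNt4    # e.g. 'PROD\PKI-Services' (placeholder)
    )
    $dn   = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Resolve the foreign principal to its SID across the trust
    $sid = (New-Object System.Security.Principal.NTAccount($PrincipalNt4)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthGuid
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 4. Verify: who currently holds Allowed to Authenticate on a computer object.
function Get-AllowedToAuthenticate {
    param([Parameter(Mandatory)][string] $ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.ObjectType -eq $allowedToAuthGuid -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# Usage (placeholders):
# Grant-AllowedToAuthenticate -ComputerName 'CA01' -PrincipalNt4 'PROD\PKI-Services'
# Get-AllowedToAuthenticate  -ComputerName 'CA01'
```

Run step 1 in each forest rather than once: the summary only reports the local side's setting, so a two-way trust will show one InboundAuth value in the management forest and another in the production forest. Step 3 is intentionally one computer, one group; granting the right at a container or domain level would reintroduce the broad access that selective authentication is meant to remove.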

BojanZivkovic-7448 answered (edited)

I cannot allow selective authentication in both directions - the business request is to have forest-wide authentication in the direction management forest --> production forests, while the opposite direction must have only the bare minimum (selective authentication) required for various solutions to work properly (PKI for instance). Simply put, the InfoSec team won't allow systems in production forests to authenticate at all in the management forest unless that is absolutely necessary for a given solution, hence selective authentication is the obvious choice for that direction of the trust - the opposite direction is perfectly fine to have forest-wide authentication, since the whole idea is to manage production forests from the management forest.

VickyWang-MFST answered

Thanks for your patience.
I may need some time to study this issue.
But with progress, I will update here as soon as possible.
Thank you for your understanding and support.
Best wishes,
Vicky
