Enable selective authentication over a forest trust

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest. To explicitly give authentication permissions to computer objects in the trusting forest to certain users, Administrators must grant those users the Allowed to Authenticate permission in Active Directory. For more information, see Grant the Allowed to Authenticate permission on computers in the trusting domain or forest. For more information about how selective authentication works, see "Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35413).

You can enable selective authentication over a forest trust by using the New Trust Wizard in Active Directory Domains and Trusts or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory.

To enable selective authentication over a forest trust

Using the Windows interface

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.

  3. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), click the forest trust that you want to administer, and then click Properties.

  4. On the Authentication tab, click Selective authentication, and then click OK.

Note

Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the forest root domain of the trusted forest, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.