| Author | Messages | |
Johnchristie11
Posts:47
 | | 03/03/2010 8:44 PM |
| Forest A = Windows 2003 single forest, single domain
Forest B = Windows 2008 single forest, single domain
I want to create a one way trust that will only allow users from Forest B access to resources in Forest A. Users in Forest A must not be able to access Forest B.
Would I create a one way trust in Forest B or Forest A, or do I have to configure it in both?
Also, I'm deliberating whether I need to create a cross forest trust or an external trust.
Am I correct in saying that if I used an external trust between Forest A and Forest B, any additional domain created in Forest A would not be trusted by Forest B, because Forest B only trusts the root domain in Forest A? To trust all domains I'd need a cross forest trust for that (transitive).
thanks JC
| | | |
| bdesmond
Posts:996
 | | 03/03/2010 8:50 PM |
| The trust needs to be represented on both sides. The wizard can do the remote configuration for you given the correct credentials. Otherwise you need to do half on each side.
Your assessment is otherwise correct
Thanks, Brian Desmond brian@briandesmond.com<mailto:brian@briandesmond.com>
c - 312.731.3132
| | | |
| Johnchristie11
Posts:47
 | | 03/03/2010 9:01 PM |
| Cheers Brian
I've found the wizard will only do both sides with supplied credentials if it's a two way trust, one way trusts require you to do one on each side...is that what you meant?
| | | |
| bdesmond
Posts:996
 | | 03/03/2010 9:15 PM |
| No, it can do one way ones too
Brian Desmond from my phone
| | | |
| RickSheikh
Posts:373
 | | 03/03/2010 9:55 PM |
| Here is a good read on understanding the incoming and outgoing trusts based on your original question.
http://www.topbits.com/understanding-trust-relationships.html
And yes the wizard's third step is to define whether it will be two-way, one-way incoming, or one-way outgoing.
For your need, if you choose to create two one-ways, one on each side (as opposed to having the wizard create the other side's trust for you, i.e. the fourth step of the wizard), you will be creating a one-way incoming trust at Forest B and a one-way outgoing trust at Forest A, in which Forest A becomes the trusting domain and Forest B the trusted.
| | | |
| barkills
Posts:214
 | | 03/03/2010 10:22 PM |
| Right, both sides of a one way trust can be created at the same time. And if you are using a forest trust, then you don't need to specify admin creds on both sides either. You can leverage the built-in group called "incoming forest trust builders" to give a non-admin permissions to create that side of the forest trust.
We regularly leverage this functionality, putting the cost of setting up a trust with our central accounts forest back on the requestor. This saves us a lot of work in either getting admin creds or communicating the shared secret to the other side so the trust can successfully get created.
There are other implications to the choice between external vs forest trust. They include NTLM vs Kerberos auth (respectively), whether the trusted domain's NetBIOS name is populated in the trusting forest/domain domain drop-down list (for Windows clients older than Vista), and a few other bits and pieces.
| | | |
| adamsgreene
Posts:6
 | | 03/06/2010 4:58 AM |
| The security of the two forests is an important consideration in your choice of trust type. Forest trusts introduce a security vulnerability, and not for the forest you would normally think.
The fact that "incoming forest trust builders" is available implies that the "trusted" domain has less to worry about, and the creation of these inbound trusts can (should?) be delegated away from administrators. This is false in the case of forest trusts. Why? Unconstrained Kerberos delegations.
Unconstrained Kerberos delegations present a security risk, as they allow a computer or user to impersonate a user and request service tickets for *any* service as that user. Pretty powerful stuff, and laughably easy to set up and abuse. The issues with unconstrained delegation led to the Kerberos extension added with Windows Server 2003 (S4U2Proxy) that allows you to configure *constrained* delegation and limit the systems the delegated account can access as the impersonated user. But even these should be limited.
So as a good admin, you don't set up any unconstrained delegations in your forest. You carefully control the usage of constrained delegations. All is well.
But now you (or one of these delegated sub-admins) add an inbound forest trust. Kerberos is now allowed across that trust boundary. Any unconstrained delegations in the *trusting* forest are now a risk to the *trusted* forest. A user in the trusted forest that accesses a resource in the trusting forest can get their account used on any Kerberized service in the trusted forest without their knowledge. There's often a lot of good information sitting behind websites using integrated Windows authentication and dutifully created serviceprincipalnames that enable Kerberos.
Tinfoil hat time? I don't think so. If you have multiple forests it is most likely because there is some separation of administrators, security levels, perhaps even legal ownership. The administrators of the other forest may not pay as much attention to security as you do. They may delegate administration heavily. Whatever the case, unless you are entirely comfortable with the set of people running that other forest and how they run it, you should not set up a forest trust. Even then you should watch for these delegations.
*TL;DR* Forest trusts can be a security risk for the trusting forest. Don't use them unless you really need to and you trust the people who administer the other forest. Watch them anyway. Don't delegate the creation of trusts.
Adam
| | | |
| barkills
Posts:214
 | | 03/08/2010 12:16 AM |
| Yep. We ran into this one ourselves. And this issue is not really highlighted anywhere in any of the security guides or Microsoft documentation. In fact, in our experience 3 out of 4 Microsoft consultants we asked about this scenario told us that Kerberos delegation doesn't work at all across domains; many of them are blithely ignorant of forest trusts and that unconstrained delegation works just fine.
We handle this issue via policy. If you get a forest trust with us, then you agree that you have to get our sign-off if you want to use delegation. I don't like this approach, as there's no real way to ensure it isn't being abused, but it's better than nothing.
It would be nice to have something like SID filtering here; maybe delegation filtering.
| | | |
| ken
Posts:174
 | | 03/09/2010 1:26 AM |
| Hmm - is this still an issue with NTLM, if the trusting forest sets up protocol transition on a server somewhere?
Cheers Ken
| | | |
| adamsgreene
Posts:6
 | | 03/09/2010 3:10 AM |
| I haven't tested that, but protocol transition (S4U2Self) is a constrained delegation, so it should be limited to a single domain. I have validated that you cannot combine unconstrained delegation with protocol transition.
There are some bugs in Active Directory Users and Computers in this space as well...you have to be careful if you manually set any msDS-AllowedToDelegateTo values (as required for some SPNs). If userAccountControl is set to unconstrained delegation and there is a value in msDS-AllowedToDelegateTo, the GUI will show constrained delegation but the KDC will allow unconstrained.
Adam
| | | |
| ken
Posts:174
 | | 03/09/2010 4:39 AM |
| I'm wondering about:
User-DomainA connects to Server1-DomainB using NTLM, and Protocol Transition is set up on Server1-DomainB, and allows an application to connect to Server2-DomainB as User-DomainA.
Is that a risk? The delegation is happening entirely within DomainB
Cheers Ken
| | | |
| adamsgreene
Posts:6
 | | 03/09/2010 6:48 AM |
| Understand that with protocol transition, no initial authentication by a user is actually required. An account that can do S4U2Self can request service tickets with just the username (just takes a few lines in .NET). The account *should* be doing some sort of initial authentication of the user, but the KDC has no way of actually enforcing this. The point of protocol transition is to get you from non-Kerberos to Kerberos. NTLM is often used as the primary example, but it is not the only use case. Transition from various web single sign on systems to Kerberos is another common usage.
If there is a forest trust from Forest B to Forest A (assuming your Domains are single-domain forests here), both constrained delegation and protocol transition for Forest A users should be possible (I haven't tested the protocol transition use case though - someone correct me if I'm wrong here). Even with just constrained delegation, you can easily get users to hit the service that can delegate. Just embed a picture in an email or host content on a highly used intranet website. As long as the web server is in a zone that IE does integrated authentication for, the service gets a ticket from the user that it can then use to request additional tickets for the services it can delegate to. The protocol transition aspect just makes things easier - you don't have to "lure" users to the service and you can quickly iterate over a list of accounts (or pick the exact ones you need).
The difference between these constrained examples and the unconstrained example is that in the former, the risk is contained within the trusting forest that has the delegated account, and in the latter, the delegated account can "reflect" the service ticket requests back into the trusted forest. Since the type of admin that can set this up could presumably get to the data in his/her own forest another way, the risk is lower for the constrained or protocol transition cases that stay in a domain in his/her forest. The risk is usually more of the non-repudiation sort.
Not to say that either is anything to ignore. The risks will depend on what systems and services you have deployed in each forest and how each is administered.
Again, if there is any significant delta in the security practices of the two sides of a forest trust, some basic monitoring for these delegations should be put in place. DirSync can be your friend here.
Adam
On Mon, Mar 8, 2010 at 8:38 PM, Ken Schaefer <Ken@adopenstatic.com> wrote:
> I’m wondering about: > > > > User-DomainA connects to Server1-DomainB using NTLM, and Protocol > Transition is setup on Server1-DomainB, and allows an application to connect > Server2-DomainB as User-DomainA > > > > Is that a risk? The delegation is happening entirely within DomainB > > Cheers > > Ken > > > > > > *From:* activedir-owner@mail.activedir.org [mailto: > activedir-owner@mail.activedir.org] *On Behalf Of *Adam Greene > *Sent:* Tuesday, 9 March 2010 11:10 AM > > *To:* activedir@mail.activedir.org > *Subject:* Re: [ActiveDir] Trusts between Forests > > > > I haven't tested that, but protocol transition (S4U2Self) is a constrained > delegation, so it should be limited to a single domain. I have validated > that you cannot combine unconstrained delegation with protocol transition. > > > > There are some bugs in Active Directory Users and Computers in this space > as well...you have to be careful if you manually set any > msDS-AllowedToDelegateTo values (as required for some SPNs). If > userAccountControl is set to unconstrained delegation and there is a value > in msDS-AllowedToDelegateTo, the GUI will show constrained delegation but > the KDC will allow unconstrained. > > > > Adam > > > > On Mon, Mar 8, 2010 at 5:24 PM, Ken Schaefer <Ken@adopenstatic.com> wrote: > > Hmm – is this still an issue with NTLM, if the trusting forest sets up > protocol transition on a server somewhere? > > > > Cheers > > Ken > > > > *From:* activedir-owner@mail.activedir.org [mailto: > activedir-owner@mail.activedir.org] *On Behalf Of *Adam Greene > *Sent:* Saturday, 6 March 2010 12:58 PM > > > *To:* activedir@mail.activedir.org > > *Subject:* Re: [ActiveDir] Trusts between Forests > > > > The security of the two forests is an important consideration in your > choice of trust type. Forest trusts introduce a security vulnerability, and > not for the forest you would normally think. 
> > > > The fact that "incoming forest trust builders" is available implies that > the "trusted" domain has less to worry about, and the creation of these > inbound trusts can (should?) be delegated away from administrators. This is > false in the case of forest trusts. Why? Unconstrained Kerberos delegations. > > > > Unconstrained Kerberos delegations present a security risk, as they allow a > computer or user to impersonate a user and request service tickets for * > any* service as that user. Pretty powerful stuff, and laughably easy to > setup and abuse. The issues with unconstrained delegation led to the > Kerberos extension added with Windows Server 2003 (S4U2Proxy) that allows > you to configure *constrained* delegation and limit the systems the > delegated account can access as the impersonated user. But even these should > be limited. > > > > So as a good admin, you don't set up any unconstrained delegations in your > forest. You carefully control the usage of constrained delegations. All is > well. > > > > But now you (or one of these delegated sub-admins) add an inbound forest > trust. Kerberos is now allowed across that trust boundary. Any unconstrained > delegations in the *trusting* forest are now a risk to the *trusted*forest. A user in the trusted forest that accesses a resource in the > trusting forest can get their account used on any Kerberized service in the > trusted forest without their knowledge. There's often a lot of good > information sitting behind websites using integrated Windows authentication > and dutifully created serviceprincipalnames that enable Kerberos. > > > > Tinfoil hat time? I don't think so. If you have multiple forests it is most > likely because there is some separation of administrators, security levels, > perhaps even legal ownership. The administrators of the other forest may not > pay as much attention to security as you do. They may delegate > administration heavily. 
Whatever the case, unless you are entirely > comfortable with the set of people running that other forest and how they > run it, you should not set up a forest trust. Even then you should watch for > these delegations. > > > > *TL;DR* Forest trusts can be a security risk for the trusting forest. > Don't use them unless you really need to and you trust the people who > administer the other forest. Watch them anyway. Don't delegate the creation > of trusts. > > > > > > Adam > > > > On Wed, Mar 3, 2010 at 2:13 PM, Brian Arkills <barkills@washington.edu> > wrote: > > Right, both sides of a one way trust can be created at the same time. And > if you are using a forest trust, then you don't need to specify admin creds > on both sides either. You can leverage the built-in group called "incoming > forest trust builders" to give a non-admin permissions to create that side > of the forest trust. > > > > We regularly leverage this functionality, putting the cost of setting up a > trust with our central accounts forest back on the requestor. This saves us > a lot of work in either getting admin creds or communicating the shared > secret to the other side of the trust can successfully get created. > > > > There are other implications to the choice between external vs forest > trust. They include NTLM vs Kerberos auth (respectively), whether the > trusted domain's netbios name is populated in the trusting forest/domain > domain drop-down list (for Windows clients older than vista), and a few > other bits and pieces. 
> > > > *From:* activedir-owner@mail.activedir.org [mailto: > activedir-owner@mail.activedir.org] *On Behalf Of *Brian Desmond > *Sent:* Wednesday, March 03, 2010 1:14 PM > > > *To:* activedir@mail.activedir.org > > *Subject:* RE: [ActiveDir] Trusts between Forests > > > > No it can do on way ones too > > Brian Desmond from my phone > ------------------------------ > > *From: *John Christie <johnchristie11@googlemail.com> > *Sent: *Wednesday, March 03, 2010 1:01 PM > *To: *activedir@mail.activedir.org <activedir@mail.activedir.org> > *Subject: *Re: [ActiveDir] Trusts between Forests > > Cheers Brian > > > > I've found the wizard will only do both sides with supplied credentials if > it's a two way trust, one way trusts require you to do one on each side...is > that what you meant? > > On Wed, Mar 3, 2010 at 8:49 PM, Brian Desmond <brian@briandesmond.com> > wrote: > > *The trust needs to be represented on both sides. The wizard can do the > remote configuration for you given the correct credentials. Otherwise you > need to do half on each side. * > > * * > > *Your assessment is otherwise correct* > > * * > > *Thanks,* > > *Brian Desmond* > > *brian@briandesmond.com* > > * * > > *c – 312.731.3132* > > * * > > *From:* activedir-owner@mail.activedir.org [mailto: > activedir-owner@mail.activedir.org] *On Behalf Of *John Christie > *Sent:* Wednesday, March 03, 2010 2:45 PM > *To:* activedir > *Subject:* [ActiveDir] Trusts between Forests > > > > > > Forest A = Windows 2003 single forest, single domain > > Forest B = Windows 2008 single forest, single domain > > > > I want to create a one way trust that will only allow users from Forest B > access to resources in Forest A. Users in the Forest A must not be able to > access Forest B > > > > Would I create a one way trust in Forest B or Forest A or do I have to > configure it in both? > > > > Also, I'm deliberating whether I need to create a cross forest trust or an > external trust. 
> > > > Am I correct in saying that if I used an external trust between the Forest > A and Forest B, any additional domain created in Forest A would not be > trusted by the Forest B because Forest B only trusts the root domain in > Forest A. To trust all domains I'd need a cross forest trust for that > (transitive) > > > > thanks > > JC > > > > > > > > >
| | | |
| barkills
Posts:214
 | | 03/09/2010 4:23 PM |
| I don't think the below statement is correct, but it's been a while since I looked at this myself. It's certainly true that the ADUC interface doesn't allow you to configure constrained delegation across forests. But ADUC is broken in many ways, so that doesn't really mean anything except that Microsoft didn't find that use case easy to address (or didn't think of it). You can, of course, directly edit the underlying attributes, supplying the correct information to configure constrained delegation to a computer/service/port combo that resides in another forest. And I thought we had that working correctly, but maybe my memory is faulty. I'll dig around today (or tomorrow) to see if I can't find the working example I thought we had.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Adam Greene Sent: Monday, March 08, 2010 7:10 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Trusts between Forests
I haven't tested that, but protocol transition (S4U2Self) is a constrained delegation, so it should be limited to a single domain. I have validated that you cannot combine unconstrained delegation with protocol transition.
There are some bugs in Active Directory Users and Computers in this space as well...you have to be careful if you manually set any msDS-AllowedToDelegateTo values (as required for some SPNs). If userAccountControl is set to unconstrained delegation and there is a value in msDS-AllowedToDelegateTo, the GUI will show constrained delegation but the KDC will allow unconstrained.
Adam
| | | |
| Tspring
Posts:12
 | | 03/09/2010 4:31 PM |
| How we govern constrained delegation and protocol transition needs some better documentation. Here's a brief explanation I wrote for some training recently. This text describes snapshots of DSA.MSC and LDP side by side:
Constrained delegation and Services for User introduced a new and important folder tab to the user account properties in Active Directory Users and Computers (DSA.MSC): the Delegation tab. There's a complex relationship between what is entered into this user interface and what is resident in Active Directory. In this slide we'll go over the three general settings and show the LDP output from that account side by side.
First is the normal setting of "do not trust this computer for delegation". This reflects the default setting a computer or service account (principal) that is potentially trustable for delegation will have. The Useraccountcontrol property reflects the Workstation_Trust_Account flag.
The "trust this computer for delegation to any service (Kerberos only)" setting adds the Trusted_For_Delegation flag to the Useraccountcontrol attribute.
Finally, the selection of "Trust this computer for delegation to specified services only" is the choice for constrained delegation or services for user protocol transition. There are two different stages to this setting. The first is "Kerberos Only", which sets the Useraccountcontrol flag back to Workstation_Trust_Account only and populates the MsDS-AllowedToDelegateTo with any selected services you will allow delegation to. The next option is the less secure "use any authentication protocol" radio button and allows for services for user protocol transition. In addition to the MsDS-AllowedToDelegateTo entries this changes the Useraccountcontrol attribute to contain the flag for Trusted_To_Authenticate_For_Delegation. Without this flag being present you should expect protocol transition to fail.
HTH- Tim
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Arkills Sent: Tuesday, March 09, 2010 10:20 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Trusts between Forests
I don't think the below statement is correct, but it's been awhile since I looked at this myself. It's certainly true that the ADUC interface doesn't allow you to configure constrained delegation across forests. But ADUC is broken in many ways, so that doesn't really mean anything except that Microsoft didn't find that use case easy to address (or didn't think of it). You can, of course, directly edit the underlying attributes, supplying the correct information to configure constrained delegation to a computer/service/port combo that resides in another forest. And I thought we had that working correctly, but maybe my memory is faulty. I'll dig around today (or tomorrow) to see if I can't find the working example I thought we had.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Adam Greene Sent: Monday, March 08, 2010 7:10 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Trusts between Forests
I haven't tested that, but protocol transition (S4U2Self) is a constrained delegation, so it should be limited to a single domain. I have validated that you cannot combine unconstrained delegation with protocol transition.
There are some bugs in Active Directory Users and Computers in this space as well...you have to be careful if you manually set any msDS-AllowedToDelegateTo values (as required for some SPNs). If userAccountControl is set to unconstrained delegation and there is a value in msDS-AllowedToDelegateTo, the GUI will show constrained delegation but the KDC will allow unconstrained.
Adam
On Mon, Mar 8, 2010 at 5:24 PM, Ken Schaefer <Ken@adopenstatic.com> wrote: Hmm - is this still an issue with NTLM, if the trusting forest sets up protocol transition on a server somewhere?
Cheers Ken
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Adam Greene Sent: Saturday, 6 March 2010 12:58 PM
To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Trusts between Forests
The security of the two forests is an important consideration in your choice of trust type. Forest trusts introduce a security vulnerability, and not for the forest you would normally think.
The fact that "incoming forest trust builders" is available implies that the "trusted" domain has less to worry about, and the creation of these inbound trusts can (should?) be delegated away from administrators. This is false in the case of forest trusts. Why? Unconstrained Kerberos delegations.
Unconstrained Kerberos delegations present a security risk, as they allow a computer or user to impersonate a user and request service tickets for any service as that user. Pretty powerful stuff, and laughably easy to setup and abuse. The issues with unconstrained delegation led to the Kerberos extension added with Windows Server 2003 (S4U2Proxy) that allows you to configure constrained delegation and limit the systems the delegated account can access as the impersonated user. But even these should be limited.
So as a good admin, you don't set up any unconstrained delegations in your forest. You carefully control the usage of constrained delegations. All is well.
But now you (or one of these delegated sub-admins) add an inbound forest trust. Kerberos is now allowed across that trust boundary. Any unconstrained delegations in the trusting forest are now a risk to the trusted forest. A user in the trusted forest that accesses a resource in the trusting forest can get their account used on any Kerberized service in the trusted forest without their knowledge. There's often a lot of good information sitting behind websites using integrated Windows authentication and dutifully created serviceprincipalnames that enable Kerberos.
Tinfoil hat time? I don't think so. If you have multiple forests it is most likely because there is some separation of administrators, security levels, perhaps even legal ownership. The administrators of the other forest may not pay as much attention to security as you do. They may delegate administration heavily. Whatever the case, unless you are entirely comfortable with the set of people running that other forest and how they run it, you should not set up a forest trust. Even then you should watch for these delegations.
TL;DR Forest trusts can be a security risk for the trusting forest. Don't use them unless you really need to and you trust the people who administer the other forest. Watch them anyway. Don't delegate the creation of trusts.
Adam
On Wed, Mar 3, 2010 at 2:13 PM, Brian Arkills <barkills@washington.edu> wrote: Right, both sides of a one way trust can be created at the same time. And if you are using a forest trust, then you don't need to specify admin creds on both sides either. You can leverage the built-in group called "incoming forest trust builders" to give a non-admin permissions to create that side of the forest trust.
We regularly leverage this functionality, putting the cost of setting up a trust with our central accounts forest back on the requestor. This saves us a lot of work in either getting admin creds or communicating the shared secret to the other side so that the trust can successfully get created.
There are other implications to the choice between external vs forest trust. They include NTLM vs Kerberos auth (respectively), whether the trusted domain's netbios name is populated in the trusting forest/domain domain drop-down list (for Windows clients older than Vista), and a few other bits and pieces.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Wednesday, March 03, 2010 1:14 PM
To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Trusts between Forests
No it can do one way ones too
Brian Desmond from my phone ________________________________ From: John Christie <johnchristie11@googlemail.com> Sent: Wednesday, March 03, 2010 1:01 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Trusts between Forests
Cheers Brian
I've found the wizard will only do both sides with supplied credentials if it's a two way trust, one way trusts require you to do one on each side...is that what you meant?
On Wed, Mar 3, 2010 at 8:49 PM, Brian Desmond <brian@briandesmond.com> wrote: The trust needs to be represented on both sides. The wizard can do the remote configuration for you given the correct credentials. Otherwise you need to do half on each side.
Your assessment is otherwise correct
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of John Christie Sent: Wednesday, March 03, 2010 2:45 PM To: activedir Subject: [ActiveDir] Trusts between Forests
Forest A = Windows 2003 single forest, single domain Forest B = Windows 2008 single forest, single domain
I want to create a one way trust that will only allow users from Forest B access to resources in Forest A. Users in the Forest A must not be able to access Forest B
Would I create a one way trust in Forest B or Forest A or do I have to configure it in both?
Also, I'm deliberating whether I need to create a cross forest trust or an external trust.
Am I correct in saying that if I used an external trust between the Forest A and Forest B, any additional domain created in Forest A would not be trusted by the Forest B because Forest B only trusts the root domain in Forest A. To trust all domains I'd need a cross forest trust for that (transitive)
thanks JC
| | | |
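The three Delegation-tab states Tim walks through above, and the inconsistent state Adam describes in the quoted thread (a hand-populated msDS-AllowedToDelegateTo on an account whose userAccountControl still carries TRUSTED_FOR_DELEGATION, so ADUC displays constrained delegation while the KDC honours unconstrained), can both be checked from the two attributes the KDC actually reads. The Python below is an added example, not code from the thread or from Microsoft; the principals are a constructed sample export with made-up account and SPN names, and the only real identifiers are the userAccountControl bit values, which are the documented ADS_USER_FLAG_ENUM constants.

```python
"""Classify Kerberos delegation settings from raw AD attributes.

Added example, not code from the thread. It evaluates the same two attributes
the KDC consults, userAccountControl and msDS-AllowedToDelegateTo, and flags
the case where ADUC's Delegation tab and the KDC disagree.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# userAccountControl bits (ADS_USER_FLAG_ENUM values; these are real constants)
WORKSTATION_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000                # "any service (Kerberos only)"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000      # "use any authentication protocol"


@dataclass
class Principal:
    """A computer or service account as exported from the directory."""
    name: str
    user_account_control: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


def classify(p: Principal) -> Dict:
    """Return what the KDC enforces, what ADUC displays, and any findings."""
    uac = p.user_account_control
    unconstrained = bool(uac & TRUSTED_FOR_DELEGATION)
    transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    targets = list(p.allowed_to_delegate_to)

    # KDC view: the TRUSTED_FOR_DELEGATION bit overrides any target list.
    if unconstrained:
        effective = "unconstrained"
    elif targets and transition:
        effective = "constrained-any-protocol"   # S4U2Proxy plus S4U2Self
    elif targets:
        effective = "constrained-kerberos-only"  # S4U2Proxy only
    else:
        effective = "none"

    # ADUC view: a populated target list is rendered as constrained delegation
    # even when the unconstrained bit is still set.
    if targets:
        gui = "constrained"
    elif unconstrained:
        gui = "unconstrained"
    else:
        gui = "none"

    findings = []
    if unconstrained and targets:
        findings.append("ADUC shows constrained delegation but the KDC allows unconstrained")
    if unconstrained:
        findings.append("unconstrained delegation: impersonates users to any service, "
                        "including across an inbound forest trust")
    if transition and not targets:
        findings.append("TRUSTED_TO_AUTH_FOR_DELEGATION set but msDS-AllowedToDelegateTo is empty")
    return {"name": p.name, "effective": effective, "gui": gui, "findings": findings}


def audit(principals: List[Principal]) -> List[Dict]:
    """Classifications for every principal with delegation configured or a finding."""
    return [r for r in map(classify, principals)
            if r["effective"] != "none" or r["findings"]]


# Constructed sample export; the account and SPN names are made up.
SAMPLE = [
    Principal("WEB01$", WORKSTATION_TRUST_ACCOUNT),
    Principal("WEB02$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Principal("WEB03$", WORKSTATION_TRUST_ACCOUNT, ["MSSQLSvc/sql01.corp.example:1433"]),
    Principal("svc-portal", TRUSTED_TO_AUTH_FOR_DELEGATION, ["HTTP/app01.corp.example"]),
    # The state Adam describes: bit still set, targets filled in by hand.
    Principal("WEB04$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
              ["cifs/file01.corp.example"]),
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r['name']:<12} kdc={r['effective']:<26} gui={r['gui']:<13} "
              f"{'; '.join(r['findings'])}")
```

Run it over the userAccountControl and msDS-AllowedToDelegateTo values exported from each forest (LDP or any LDAP export will do). Anything reported as unconstrained is the exposure Adam warns about once an inbound forest trust exists, and any entry whose gui and effective fields disagree is the ADUC display bug, which the GUI alone will never surface.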
| adamsgreene
Posts:6
 | | 03/10/2010 6:22 AM |
| Constrained delegations are limited to a single domain. Doesn't work even for domains in the same forest. Setting raw attributes doesn't help.
Adam
| | | |
| ken
Posts:174
 | | 03/10/2010 7:26 AM |
| Agree with Adam here - constrained delegation doesn't work across domains. It isn't an ADUC limitation.
Cheers Ken
| | | |