miallen (Posts: 19), 04/08/2009 3:41 PM
Hello,
If someone authenticates with a service using NTLM vs Kerberos, will the list of groups on the server used to perform access checks be the same?
Imagine two domains A and B with Domain Local groups DLA and DLB, a user A\user in group DLA and a service in domain B.
If the user in domain A authenticates with the service in domain B using Kerberos, my understanding is that Domain Local groups will be accumulated as the user transits the trust and therefore the list of groups supplied to the service will include DLA.
However, if the user authenticates using NTLM, my understanding is that the NETLOGON service will validate the user's credentials against a domain controller in domain B and therefore the list of groups returned in the NETLOGON response will not contain group DLA.
Is this understanding correct?
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
miallen (Posts: 19), 04/13/2009 10:29 AM
No one wants to take a shot at this?
On Wed, Apr 8, 2009 at 3:34 PM, Michael B Allen <ioplex@gmail.com> wrote:
> Hello,
>
> If someone authenticates with a service using NTLM vs Kerberos, will the list of groups on the server used to perform access checks be the same?
>
> Imagine two domains A and B with Domain Local groups DLA and DLB, a user A\user in group DLA and a service in domain B.
>
> If the user in domain A authenticates with the service in domain B using Kerberos, my understanding is that Domain Local groups will be accumulated as the user transits the trust and therefore the list of groups supplied to the service will include DLA.
>
> However, if the user authenticates using NTLM, my understanding is that the NETLOGON service will validate the user's credentials against a domain controller in domain B and therefore the list of groups returned in the NETLOGON response will not contain group DLA.
>
> Is this understanding correct?
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
miallen (Posts: 19), 04/13/2009 1:24 PM
On Mon, Apr 13, 2009 at 11:54 AM, joe <listmail@joeware.net> wrote:
> I didn't take a shot at it because I don't have to test it to give an authoritative answer. However I wouldn't expect a service running on a machine in Domain B to have access to the DLGs in Domain A regardless of what Domain the user is from. The proper result should only be DLGs in the domain that the machine running the service exists in. However implementation doesn't always exactly concur with what should happen. My recommendation is that if you really need to know, sit down and test it.
That's ok. I've heard enough. The important thing to me is that there should be no expectations by my customers that my software honor DLGs in a domain other than the one offering the service. And I think you have confirmed that.
This is not easy to test because the ACL editor will not even see DLGs in another domain and Kerberos service tickets are encrypted so I cannot see the SIDs in the PAC. But the service ticket size does not change. So that one data point seems to suggest that my original theory that Kerberos would somehow copy DLGs from a TGT from one domain into another as it transited the trust was incorrect (thankfully so).
Thanks,
Mike
> No one wants to take a shot at this?
>
> On Wed, Apr 8, 2009 at 3:34 PM, Michael B Allen <ioplex@gmail.com> wrote:
>> Hello,
>>
>> If someone authenticates with a service using NTLM vs Kerberos, will the list of groups on the server used to perform access checks be the same?
>>
>> Imagine two domains A and B with Domain Local groups DLA and DLB, a user A\user in group DLA and a service in domain B.
>>
>> If the user in domain A authenticates with the service in domain B using Kerberos, my understanding is that Domain Local groups will be accumulated as the user transits the trust and therefore the list of groups supplied to the service will include DLA.
>>
>> However, if the user authenticates using NTLM, my understanding is that the NETLOGON service will validate the user's credentials against a domain controller in domain B and therefore the list of groups returned in the NETLOGON response will not contain group DLA.
>>
>> Is this understanding correct?
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
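As an added illustration (not code from this thread), a Python model of the two authentication paths discussed above, using constructed directory data: the account-domain DC forwards only the user's global and universal groups, and the resource-domain DC is the one that appends domain-local groups, so under both Kerberos and NTLM the service in domain B sees a B domain-local group reached through nesting but never A\DLA.

```python
# Model of how a user's group list reaches a service in another domain over
# Kerberos (PAC) or NTLM (NETLOGON pass-through). Added illustration, not
# code from the thread; the directory data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str    # e.g. "B\\DLB"
    domain: str  # domain that owns the group
    scope: str   # "global", "universal" or "domainlocal"

# A\user is a direct member of A\DLA (domain local in A) and of global group
# A\GA; A\GA is nested in B\DLB (domain local in B).
GROUPS = {
    "A\\GA":  Group("A\\GA", "A", "global"),
    "A\\DLA": Group("A\\DLA", "A", "domainlocal"),
    "B\\DLB": Group("B\\DLB", "B", "domainlocal"),
}
MEMBERS = {"A\\GA": {"A\\user"}, "A\\DLA": {"A\\user"}, "B\\DLB": {"A\\GA"}}

def groups_in(domain, principals, scopes):
    """Groups owned by `domain` with a scope in `scopes` that directly
    contain any of `principals` (users or groups)."""
    return {g.name for g in GROUPS.values()
            if g.domain == domain and g.scope in scopes
            and MEMBERS[g.name] & principals}

def account_dc_groups(user):
    """Account-domain DC: the PAC / NETLOGON validation info carries the
    user's global and universal groups; its own domain-local groups are
    never forwarded across the trust."""
    return groups_in(user.split("\\")[0], {user}, {"global", "universal"})

def resource_dc_groups(service_domain, user, forwarded):
    """Resource-domain DC appends its own domain-local groups (the PAC
    ResourceGroups) that contain the user or any forwarded group."""
    return groups_in(service_domain, {user} | forwarded, {"domainlocal"})

def token_groups_kerberos(user, service_domain):
    # A's KDC builds the PAC in the TGT; B's KDC, handed the referral TGT,
    # adds B's domain-local groups when it issues the service ticket.
    forwarded = account_dc_groups(user)
    return forwarded | resource_dc_groups(service_domain, user, forwarded)

def token_groups_ntlm(user, service_domain):
    # B's DC cannot validate A\user itself: NETLOGON passes the response to
    # an A DC, which returns the account groups; B's DC then adds its own
    # domain-local groups before answering the service.
    forwarded = account_dc_groups(user)
    return forwarded | resource_dc_groups(service_domain, user, forwarded)
```

With a service in domain A instead, the same model yields A\DLA, which is the behaviour joe describes: domain-local groups are honoured only in the domain offering the service.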