| Author | Messages | |
decrosby
Posts:101
 | | 11/12/2009 8:56 AM |
| Hi,
Does anyone have a definitive reference for the authentication types used over different types of trust? NTLM over xforest or Kerberos everywhere?
Thanks.
Damian.
-------------------------------------------------------------------------- NOTICE: If received in error, please destroy, and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error. We may monitor and store emails to the extent permitted by applicable law.
| | | |
| RickSheikh
Posts:373
 | | 11/12/2009 4:13 PM |
| Some relevant info, perhaps: http://blogs.dirteam.com/blogs/jorge/archive/2006/12/28/NTLM-and-Kerberos-authentication-explained-the-easy-way.aspx
| | | |
| barkills
Posts:201
 | | 11/12/2009 5:10 PM |
| This topic came up recently on this list. See the thread in July of 2009 with a subject line of:
RE: [ActiveDir] Authentication methods used and supported by different trust types
In that thread, I asserted that MS documentation is poor at being very clear on this point, and referenced a bunch of links. A followup from someone else added a couple of KB article references to the list.
See:
http://blogs.technet.com/tkarch/archive/2007/03/19/kerberos-demystified.aspx
http://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx
http://support.microsoft.com/kb/830576
http://support.microsoft.com/kb/905687
for the best bets on MS documentation that we found at that time which make it clear.
| | | |
| SaucyWrong
Posts:54
 | | 11/12/2009 9:13 PM |
| One thing I was never able to wrap my brain around from that discussion was the fact that external trusts always use NTLM for authentication, even though both trust partners might support Kerberos. Every other trust type appears to negotiate its authentication package, but not external.
I'm probably missing something obvious, but there doesn't appear to be a way to create a trust between two domains in separate forests (and only those two domains) that can use Kerberos for authentication.
The only options appear to be:
Create a forest trust (which trusts the whole forest, unless you want to start going crazy with selective auth).
Create an external trust (which can only use NTLM for authentication).
Matt
| | | |
| RickSheikh
Posts:373
 | | 11/12/2009 9:31 PM |
| AFAIK, that is correct. You can't have a trust between two domains in two different forests that is based on Kerberos. Speaking of selective authentication, there is an article in this month's WinITPro in which the author talks about implementing selective authentication as an added protection (above delegations) for your admins, to protect the resources from accidental deletion/modification by having an admin forest, etc. That to me seems too far-fetched an approach to accomplish the desired protection, otherwise doable by easier means.
http://windowsitpro.com/Windows/Articles/ArticleID/102765/pg/1/1.html
For those who are not subscribed, you may see attached.
| | | |
| barkills
Posts:201
 | | 11/12/2009 10:32 PM |
| For a while, the MS documentation about "external trusts" referred to them as "NT4 style trusts" (some might still do that). I still conceptually think of "external trusts" as NT4, and along with that conceptual thought I get that Kerberos isn't supported. Might help ...
I also don't like the fact that you can't enable a Kerberos trust with *just* a single domain, and I have multiple use cases where I'd like this feature. In desperation, I've even tried a couple of times over the years (with each major OS release) to use the Kerberos realm trust option between two Windows domains. It doesn't work.
I had a PSS case several years ago about forest trusts, and in the process I asked a lot of questions. One of my key takeaways was that forest trusts bring with them a bunch of namespace issues, and this is one of the reasons why only the forest root domain is listed in the domain drop-down (which is dead from Vista on, for reasons which include this) when you use a forest trust.
But one of the downsides of the way forest trusts work and the domain drop-down going away is that users have no clues about which domains are trusted. In some ways, federated authentication is more feature-rich than native Windows trusts, with its concept of a WAYF. Anyhow, this is another of the features I wish Microsoft would address in the Windows domain/forest trust feature space.
Of course, this lack of transparency can be used as a "feature" a la security via obscurity in the use cases where you want a Kerberos trust with just a single domain, but are forced to use a forest trust because there is no other option. It's not a great feature, 'cuz security via obscurity isn't security at all, but it does make me feel slightly better.
And as Rick mentioned, there's always selective auth. But that is a pain to manage without creating some kind of bulk management tool of your own. It would be nice to see Microsoft make selective auth management easier for people to use in practice.
| | | |
| GuidoG
Posts:113
 | | 11/13/2009 2:18 AM |
| Besides selective auth, which certainly does have great value when used correctly (and shouldn't cause too much pain to manage either), you further have the "Top Level Name (TLN) Restriction" feature for forest trusts. This does give you control over which domains in a forest you actually trust, i.e. whether Kerberos requests should or should not be referred to a specific domain.
/Guido
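An added example (my code, not from any poster in the thread) that audits the points the thread raises: it classifies every trust of the current domain, records the authentication package to expect (external = NTLM only; intra-forest, forest and realm trusts can use Kerberos), and flags forest/external trusts without selective authentication or SID filtering. It assumes the ActiveDirectory module's Get-ADTrust cmdlet; the TrustType value 'MIT' for a realm trust is an assumption about that module's enumeration names.

```powershell
# Added example, not from the thread: classify the trusts of the local domain and
# note the expected authentication package, following the rule discussed above.
# Assumes the ActiveDirectory module (Get-ADTrust) is installed on this machine.
Import-Module ActiveDirectory

function Get-TrustAuthSummary {
    param([string]$Server)   # optional DC to query; defaults to the current domain

    $trusts = if ($Server) { Get-ADTrust -Filter * -Server $Server } else { Get-ADTrust -Filter * }

    foreach ($t in $trusts) {
        # Order matters: an intra-forest (parent/child, tree-root) trust is also
        # transitive, so test IntraForest before ForestTransitive.
        if ($t.IntraForest) {
            $kind = 'intra-forest'; $auth = 'Kerberos (negotiated)'
        } elseif ($t.ForestTransitive) {
            $kind = 'forest';       $auth = 'Kerberos (negotiated)'
        } elseif ("$($t.TrustType)" -eq 'MIT') {   # assumption: module's name for a realm trust
            $kind = 'realm';        $auth = 'Kerberos'
        } else {
            $kind = 'external';     $auth = 'NTLM only'   # NT4-style trust, as the thread notes
        }

        # Controls discussed in the thread: selective auth limits which resources
        # trusted users may authenticate to; SID filtering (quarantine) drops
        # SIDs from outside the trusted domain. Flag either when it is absent.
        $notes = @()
        if ((@('forest', 'external') -contains $kind) -and -not $t.SelectiveAuthentication) {
            $notes += 'selective authentication OFF (domain-wide authentication)'
        }
        if ($kind -eq 'external' -and -not $t.SIDFilteringQuarantined) {
            $notes += 'SID filtering (quarantine) OFF'
        }

        New-Object PSObject -Property @{
            Trust          = $t.Name
            Direction      = "$($t.Direction)"
            Kind           = $kind
            Authentication = $auth
            SelectiveAuth  = [bool]$t.SelectiveAuthentication
            SIDFiltering   = [bool]$t.SIDFilteringQuarantined
            Notes          = ($notes -join '; ')
        }
    }
}

# Usage: the full inventory, then only the trusts that deserve a second look.
Get-TrustAuthSummary | Format-Table Trust, Direction, Kind, Authentication, SelectiveAuth, SIDFiltering -AutoSize
Get-TrustAuthSummary | Where-Object { $_.Notes } | Format-List Trust, Kind, Notes
```

The TLN restrictions Guido mentions live on the forest trust's name suffix routing and are not exposed as a simple property here; review them separately in the Domains and Trusts console or with netdom.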
| | | |