
One-way trust, Kerberos & IIS


Jim

Apr 10, 2006, 4:49:02 AM
Hi,

I have the following configuration

Two Active Directory Domains in two separate forests.

Domain A Windows 2000

Domain B Windows 2003

I have a one-way trust between them such that B trusts A

I have a web application running on a Windows Server 2003 installation using
IIS in Domain B that requires Kerberos authentication using IWA.

Currently when I attempt to log on with a client authenticated with a DC in
Domain A authentication appears to be using the fall back of NTLM. Do I need
to create an SPN in Domain A to allow Domain A’s KDC to provide the client
running in Domain A with a referral ticket for Domain B?

Many thanks

Jim
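Before touching trusts or SPNs, the check a practitioner would want is to confirm what the client is actually sending. An IIS server configured for Integrated Windows Authentication receives an `Authorization: Negotiate <base64>` header; the base64 payload is a GSS-API/SPNEGO token (RFC 4178) whose `mechTypes` list names the mechanisms the client can use, with the first entry being the one the optimistic `mechToken` was built for. A client that obtained a Kerberos ticket for the IIS SPN lists Kerberos first; a client that could not (no ticket across an NTLM-only external trust, or no SPN to ask for) lists NTLMSSP first or sends bare `NTLMSSP\0`. The script below is an added example written for this thread, not code from the original post or from Microsoft: it decodes the DER of a SPNEGO `NegTokenInit` and reports the leading mechanism. The sample header values it classifies are constructed inside the script with placeholder `mechToken` bytes, not captured traffic; the builder functions exist only to produce that test data.

```python
import base64

# OIDs that appear in the SPNEGO mechTypes list sent by Windows clients.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"       # RFC 4120 Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"
MECH_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5",
              NTLMSSP_OID: "ntlmssp", NEGOEX_OID: "negoex"}
NTLMSSP_SIG = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode DER OID content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate|NTLM <base64>' header value.

    Returns {"mechanism": "kerberos"|"ntlm"|"other", "mech_types": [names]}.
    """
    _scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG):        # bare NTLMSSP: the NTLM scheme, no SPNEGO wrapper
        return {"mechanism": "ntlm", "mech_types": ["raw-ntlmssp"]}
    if raw[0] == 0xA1:                     # NegTokenResp: a later leg of the exchange
        return {"mechanism": "ntlm" if NTLMSSP_SIG in raw else "other", "mech_types": []}
    if raw[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, body, _ = _read_tlv(raw, 0)                  # [APPLICATION 0]
    tag, oid, pos = _read_tlv(body, 0)              # thisMech OID
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("InitialContextToken is not SPNEGO")
    tag, neg_init, _ = _read_tlv(body, pos)         # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)              # SEQUENCE
    tag, ctx0, _ = _read_tlv(seq, 0)                # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_list, _ = _read_tlv(ctx0, 0)            # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = _read_tlv(mech_list, pos)
        mechs.append(_decode_oid(oid))
    # RFC 4178: the optimistic mechToken belongs to the first listed mechanism.
    first = mechs[0]
    kind = ("kerberos" if first in (KRB5_OID, MS_KRB5_OID)
            else "ntlm" if first == NTLMSSP_OID else "other")
    return {"mechanism": kind, "mech_types": [MECH_NAMES.get(m, m) for m in mechs]}


# --- helpers that only build constructed test tokens (not captured traffic) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _der(0x06, bytes(out))


def build_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit wrapped in a GSS InitialContextToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_oid(o) for o in mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))      # [2] mechToken (placeholder bytes)
    neg = _der(0xA0, _der(0x30, mech_types + token))
    return base64.b64encode(_der(0x60, _oid(SPNEGO_OID) + neg)).decode()


# Constructed header values; "<AP-REQ>" stands in for a real Kerberos AP-REQ blob.
SAMPLE_HEADERS = {
    "kerberos_client": "Negotiate " + build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<AP-REQ>"),
    "ntlm_fallback": "Negotiate " + build_neg_token_init([NTLMSSP_OID], NTLMSSP_SIG + b"\x01\x00\x00\x00"),
    "ntlm_scheme": "NTLM " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(name, classify_negotiate_token(hdr))
```

To use it against a real request, take the `Authorization` header from a network trace or from request logging on the IIS server and pass the whole value (scheme and base64) to `classify_negotiate_token`. If the result for clients from Domain A is `ntlm` while clients in Domain B get `kerberos`, the fallback is happening on the client side before IIS is involved, which is consistent with no Kerberos ticket being obtainable across the trust.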

Roger Abell [MVP]

Apr 10, 2006, 7:34:28 PM
The forest of Domain A is at best Windows 2000 native.
External trusts to other forests are always NTLM based in
that scenario. If you want a trust that supports Kerberos
you need W2k3 mode forests and a forest-level trust.

--
Roger Abell
Microsoft MVP (Windows Server : Security)


"Jim" <J...@discussions.microsoft.com> wrote in message
news:D2005B36-F90D-4D64...@microsoft.com...

Jim

Apr 11, 2006, 4:04:01 AM
Thanks Roger,

I have been looking at this for the past couple of days. My understanding is
that it is possible to configure a Kerberos realm trust between any
non-Windows-based operating system Kerberos version 5 realm and a Windows
2000 Server.

This trust relationship should allow cross-platform interoperability with
security services based on Kerberos version 5.

I found the following article on Technet:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

I guess what I'm asking is, would it be possible to configure a one-way
trust based on a non-Windows trust between the two Windows domains?
Ultimately all I require is SSO on the IIS server located in Domain B from
clients in Domain A.

Many thanks,

Jim

Roger Abell [MVP]

Apr 17, 2006, 12:18:01 PM

"Jim" <J...@discussions.microsoft.com> wrote in message
news:4E2BAF87-EC62-4AD1...@microsoft.com...

> Thanks Roger,
>
> I have been looking at this for the past couple of days. My understanding
> is
> that it is possible to configure a Kerberos realm trust between any
> non-Windows-based operating system Kerberos version 5 realm and a Windows
> 2000 Server.
>
> This trust relationship should allow cross-platform interoperability with
> security services based on Kerberos version 5.
>
> I found the following article on Technet:
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
>
> I guess what I'm asking is, would it be possible to configure a one-way
> trust based on a non-Windows trust between the two Windows domains?
> Ultimately all I require is SSO on the IIS server located in Domain B from
> clients in Domain A.
>
> Many thanks,
>
> Jim
>

I doubt that route would bear fruit, and the MIT Kerberos realm trust
model is less simple than it can seem.
