My two-way trust with selective auth seems to behave opposite to a one-way trust

4

I'm not sure why I'm the only one running into this, I think it's a larger problem with Server 2012 and RDS protocols... With 2008 machines, you can use utilize a one way trust to authenticate across domains with the TSGateway service, but with 2012 it breaks when running across a one way trust. I'm trying to implement a two way trust that acts like a one way trust for everything but kerberos auth for things like TSGateway and RDS services...


A little backstory, I've currently got two domains (A and B) with a one way, external trust. (Outgoing trust on A, users in B can access devices in A)

At the moment, I can log into a computer in domain A, and add a user from domain B with the GUI. (I can also do it from the CLI, but that's not relevant here)

When I build my test domain, I can recreate this behavior. If I create the test domain with a two-way trust, domain-wide authentication in both directions this behavior doesn't change, though it does allow me to auth in the reverse direction (duh) which I don't want.

When I change Domain B to 'selective authentication' for some reason the Users and Computers GUI stops working as expected.

  • For Domain B computers, I can still browse the GUI like normal, and even add Domain A users, though they're not allowed to log in, due to the selective Auth setup.
  • For Domain A computers, browsing the GUI doesn't allow the selection of users or groups, and the advanced search turns up an error that says: "The following error prevented the display of any items: Unspecified error"
  • For Domain A computers, if I know the username from Domain B, I can add the account using the 'net localgroup' commands and everything works just fine, but the GUI is broken, and this won't likely be a usable solution for the majority of our users...

My question (Sorry to take so long to get to it) is why does selective auth change the behavior of the trust so that it behaves differently than a one-way trust, and is there some simple thing I'm missing?

When I get the 'unspecified' error from the GUI, I get an error on the DC for Domain B:

A Kerberos service ticket was requested.

Account Information: Account Name: bob@DOMAINA Account Domain: DOMAINA Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information: Service Name: ldap/DC.DOMAINB/DOMAINB Service ID: NULL SID

Network Information: Client Address: ::ffff:192.168.18.70 Client Port: 62103

Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0xFFFFFFFF Failure Code: 0xC Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

I don't understand why it tries to authenticate against DomainB using 'bob' from DomainA, when I provided DomainB credentials...

Thanks for any help you can provide, I've been banging on this for 3 days straight and haven't found anything useful yet.

authentication
windows-server-2012-r2
active-directory
asked on Server Fault Jul 15, 2014 by Ryan Wallace

1 Answer

0

You have to allow authentication on the computer objects you want to allow logins from the external domain. You can do it computer by computer, or you can set the permission in the OU that contains the computer objects.

What I would suggest is the following. In domain A create a local group, in domain B create a global group.

Make the global group in domain B a member of the local group in domain A.

Right-click on the ou containing the systems you want to allow and select properties. In the security tab, click advanced.

Add the domain local group and select Allowed to authenticate checkbox.

This will allow any users from domain b who are members of the global group, rights to sign into the systems you've designated.

answered on Server Fault May 31, 2017 by Jessie

User contributions licensed under CC BY-SA 3.0