One-way trust, Kerberos & IIS

One-way trust, Kerberos & IIS

am 10.04.2006 10:49:02 von Jim

Hi,

I have the following configuration

Two Active Directory Domains in two separate forests.

Domain A Windows 2000

Domain B Windows 2003

I have a one-way trust between them such that B trusts A

I have a web application running on a Windows Server 2003 installation using
IIS in Domain B that requires Kerberos Authentication using IWA.

Currently when I attempt to log on with a client authenticated with a DC in
Domain A, authentication appears to be falling back to NTLM. Do I need
to create an SPN in Domain A to allow Domain A's KDC to provide the client
running in Domain A with a referral ticket for Domain B?

Many thanks

Jim
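
A quick way to confirm the NTLM fallback described above is to look at the Authorization header the browser sends to IIS (captured with any HTTP trace tool) and see which mechanism sits inside the Negotiate token. The classifier below is an added example written for this thread, not code from the original posts or from Microsoft; the OID constants are the published GSS-API/SPNEGO mechanism identifiers, and the sample headers at the bottom are constructed (the Kerberos AP-REQ and NTLM message bodies are filler, so only the token framing is realistic).

```python
import base64

# GSS-API / SPNEGO mechanism OIDs, DER-encoded (published identifiers, not from the thread)
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_authorization(header):
    """Return (kind, mech_types) for an HTTP Authorization request header.

    kind is 'kerberos', 'ntlm', 'basic' or 'unknown'; mech_types lists the
    mechanisms offered in a SPNEGO NegTokenInit, most preferred first.
    """
    scheme, _, token_b64 = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic", []
    if scheme == "ntlm":
        return "ntlm", []
    if scheme != "negotiate":
        return "unknown", []
    token = base64.b64decode(token_b64)
    if token.startswith(NTLMSSP_SIG):      # raw NTLMSSP sent under the Negotiate scheme
        return "ntlm", []
    if not token or token[0] != 0x60:      # not a GSS-API InitialContextToken
        return "unknown", []
    _, inner, _ = _read_tlv(token, 0)
    tag, oid, pos = _read_tlv(inner, 0)
    if tag != 0x06:
        return "unknown", []
    if oid in (OID_KRB5, OID_MS_KRB5):     # bare Kerberos AP-REQ without a SPNEGO wrapper
        return "kerberos", [MECH_NAMES[oid]]
    if oid != OID_SPNEGO:
        return "unknown", []
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ..., mechToken [2] OCTET STRING }
    tag, neg_init, _ = _read_tlv(inner, pos)
    if tag != 0xA0:
        return "unknown", []
    _, seq, _ = _read_tlv(neg_init, 0)
    tag, mech_ctx, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        return "unknown", []
    _, mech_list, _ = _read_tlv(mech_ctx, 0)
    mechs, p = [], 0
    while p < len(mech_list):
        _, o, p = _read_tlv(mech_list, p)
        mechs.append(MECH_NAMES.get(o, "oid:" + o.hex()))
    if not mechs:
        return "unknown", []
    # The first mechType is the one the optimistic mechToken belongs to.
    if mechs[0] in ("krb5", "ms-krb5"):
        return "kerberos", mechs
    if mechs[0] == "ntlmssp" or NTLMSSP_SIG in token:
        return "ntlm", mechs
    return "unknown", mechs


def _tlv(tag, value):
    """DER-encode one tag-length-value (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def _spnego_init(mech_oids, mech_token):
    """Build a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids)))
    mech_tok = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30, mech_types + mech_tok)))


# Constructed sample headers (not captured traffic): AP-REQ and NTLM bodies are filler bytes.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28
SAMPLE_HEADERS = {
    "kerberos_via_spnego": "Negotiate " + base64.b64encode(
        _spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x01\x00" + b"\x6e\x00" * 20)).decode(),
    "ntlm_via_spnego": "Negotiate " + base64.b64encode(_spnego_init([OID_NTLMSSP], NTLM_TYPE1)).decode(),
    "ntlm_raw": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        kind, mechs = classify_authorization(hdr)
        print(f"{name:20s} -> {kind:9s} mechTypes={mechs}")
```

If the client is getting Kerberos, the first mechType in the NegTokenInit is one of the Kerberos OIDs and the mechToken is an AP-REQ; a client that could not obtain a service ticket (no reachable KDC path across the trust, or no matching SPN) lists only NTLMSSP, which is the fallback described in the post.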

Re: One-way trust, Kerberos & IIS

am 11.04.2006 01:34:28 von Roger Abell

The forest of Domain A is at best Windows 2000 native.
External trusts to other forests are always NTLM based in
that scenario. If you want a trust that supports Kerberos
you need W2k3 mode forests and a forest-level trust.

--
Roger Abell
Microsoft MVP (Windows Server : Security)


"Jim" wrote in message
news:D2005B36-F90D-4D64-AC10-789CBD785163@microsoft.com...
> Hi,
>
> I have the following configuration
>
> Two Active Directory Domains in two separate forests.
>
> Domain A Windows 2000
>
> Domain B Windows 2003
>
> I have a one-way trust between them such that B trusts A
>
> I have a web application running on a Windows Server 2003 installation
> using
> IIS in Domain B that requires Kerberos Authentication using IWA.
>
> Currently when I attempt to log on with a client authenticated with a DC
> in
> Domain A, authentication appears to be falling back to NTLM. Do I
> need
> to create an SPN in Domain A to allow Domain A's KDC to provide the client
> running in Domain A with a referral ticket for Domain B?
>
> Many thanks
>
> Jim
>

Re: One-way trust, Kerberos & IIS

am 11.04.2006 10:04:01 von Jim

Thanks Roger,

I have been looking at this for the past couple of days. My understanding is
that it is possible to configure a Kerberos realm trust between any
non-Windows-based operating system Kerberos version 5 realm and a Windows
2000 Server.

This trust relationship should allow cross-platform interoperability with
security services based on Kerberos version 5.

I found the following article on Technet:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

I guess what I'm asking is, would it be possible to configure a one-way
trust based on a non-Windows trust between the two Windows domains?
Ultimately all I require is SSO on the IIS server located in Domain B from
clients in Domain A.

Many thanks,

Jim


"Roger Abell [MVP]" wrote:

> The forest of Domain A is at best Windows 2000 native.
> External trusts to other forests are always NTLM based in
> that scenario. If you want a trust that supports Kerberos
> you need W2k3 mode forests and a forest-level trust.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
>
> "Jim" wrote in message
> news:D2005B36-F90D-4D64-AC10-789CBD785163@microsoft.com...
> > Hi,
> >
> > I have the following configuration
> >
> > Two Active Directory Domains in two separate forests.
> >
> > Domain A Windows 2000
> >
> > Domain B Windows 2003
> >
> > I have a one-way trust between them such that B trusts A
> >
> > I have a web application running on a Windows Server 2003 installation
> > using
> > IIS in Domain B that requires Kerberos Authentication using IWA.
> >
> > Currently when I attempt to log on with a client authenticated with a DC
> > in
> > Domain A, authentication appears to be falling back to NTLM. Do I
> > need
> > to create an SPN in Domain A to allow Domain A's KDC to provide the client
> > running in Domain A with a referral ticket for Domain B?
> >
> > Many thanks
> >
> > Jim
> >
>
>
>

Re: One-way trust, Kerberos & IIS

am 17.04.2006 18:18:01 von Roger Abell

"Jim" wrote in message
news:4E2BAF87-EC62-4AD1-9A87-88740A278298@microsoft.com...
> Thanks Roger,
>
> I have been looking at this for the past couple of days. My understanding
> is
> that it is possible to configure a Kerberos realm trust between any
> non-Windows-based operating system Kerberos version 5 realm and a Windows
> 2000 Server.
>
> This trust relationship should allow cross-platform interoperability with
> security services based on Kerberos version 5.
>
> I found the following article on Technet:
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
>
> I guess what I'm asking is, would it be possible to configure a one-way
> trust based on a non-Windows trust between the two Windows domains?
> Ultimately all I require is SSO on the IIS server located in Domain B from
> clients in Domain A.
>
> Many thanks,
>
> Jim
>

I doubt that route would bear fruit, and the MIT Kerberos realm trust
model is less simple than it can seem.

>
> "Roger Abell [MVP]" wrote:
>
>> The forest of Domain A is at best Windows 2000 native.
>> External trusts to other forests are always NTLM based in
>> that scenario. If you want a trust that supports Kerberos
>> you need W2k3 mode forests and a forest-level trust.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>>
>>
>> "Jim" wrote in message
>> news:D2005B36-F90D-4D64-AC10-789CBD785163@microsoft.com...
>> > Hi,
>> >
>> > I have the following configuration
>> >
>> > Two Active Directory Domains in two separate forests.
>> >
>> > Domain A Windows 2000
>> >
>> > Domain B Windows 2003
>> >
>> > I have a one-way trust between them such that B trusts A
>> >
>> > I have a web application running on a Windows Server 2003 installation
>> > using
>> > IIS in Domain B that requires Kerberos Authentication using IWA.
>> >
>> > Currently when I attempt to log on with a client authenticated with a
>> > DC
>> > in
>> > Domain A, authentication appears to be falling back to NTLM. Do I
>> > need
>> > to create an SPN in Domain A to allow Domain A's KDC to provide the
>> > client
>> > running in Domain A with a referral ticket for Domain B?
>> >
>> > Many thanks
>> >
>> > Jim
>> >
>>
>>
>>