Trust and access token related query

G-ONE 166 Reputation points
2021-04-28T06:22:06.367+00:00

Hello,

Scenario 1: A trust relationship is a link that is established between domains to enable users in one domain to be authenticated by a domain controller in the other domain. Trust relationships are authentication pipelines that must be present so that users in one domain can be authorized for access to resources in another domain.

Suppose there are 2 domains, Domain A and Domain B. Domain A is the trusting domain and Domain B is the trusted domain. It means users in Domain B can access resources in Domain A. Before accessing resources, users in Domain B must be authenticated by Domain A. According to the above definition, Domain B users must be authenticated by a Domain Controller in Domain A.

Question 1: How does authentication of Domain B users take place by a Domain Controller in Domain A, as the user accounts of Domain B users do not reside in the Domain Controller of Domain A? How exactly does that authentication happen with respect to trust? How exactly is a trusted domain user able to access resources in the trusting domain? Is it because of group membership in the trusting domain, OR is this because of adding trusted domain security principals to ACLs in the trusting domain?

Scenario 2: Suppose a user is added to a Global group and that Global group is nested inside a Domain Local group. The Domain Local group is applied in the resource ACL. The server containing the resource and the user account both reside in the same domain. If the user logs in to a workstation joined to the same domain as the server and tries to access the resource, then the initial access token will include the SID of the Domain Local group of the server's domain, as the server's domain and the workstation's domain are the same.

Question 2: While trying to access the resource on the server (same domain as the workstation and user), is a new access token generated by the server as well, and is access possible because the new access token has the SID of the Domain Local group of the server's domain? OR is access possible because the initial token (after logging on to the workstation) has the SID of the Domain Local group of the server's domain (since the workstation and server are both in the same domain)?

Please provide answers specific to questions and explain.


2 answers

  1. Vadims Podāns 8,866 Reputation points MVP
    2021-04-28T08:00:54.31+00:00

    Answer to Q1:

    1. User1@domainB contacts its own domain controller (say, dc1.domainB) and asks for access to a resource in DomainA.
    2. The KDC (dc1.domainB) doesn't find the SPN of the resource in Active Directory, because the resource belongs to another domain/forest.
    3. dc1.domainB looks for the SPN in the global catalog, which in turn will check all trusts.
    4. If a corresponding SPN and trust is found, the GC returns a referral record back to dc1.domainB.
    5. dc1.domainB issues a referral TGT to access the domainA KDC to user1@domainB.
    6. User1@domainB contacts domainA and presents the referral TGT.
    7. The KDC in domainA checks if there is such an SPN as specified in the incoming TGT.
    8. The KDC in domainA issues a service ticket to access the particular resource in its domain to User1@domainB, which includes the SIDs the user belongs to in domainA.
    9. User1@domainB presents the service ticket to the remote resource. The remote resource has a list of SIDs the user belongs to and determines the access level.

    Answer to Q2:
    It is a simpler form of the scenario in Q1:

    1. User1 logs in to a workstation in the domain.
    2. The KDC issues a TGT to User1 that contains the user's membership. This will include all domain local, global and universal groups.
    3. User1 contacts the KDC to access the server resource and presents the TGT obtained in the previous step.
    4. The KDC generates a service ticket to access the requested resource and returns it to User1.
    5. User1 connects to the server resource and presents the service ticket. The server resource will validate this ticket with the KDC and then make a decision on the access level.

    Read this document for more detailed information: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview

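As an added example (not part of either answer), the following PowerShell snippet lets you observe both points of the answer above on a domain-joined workstation: the group SIDs already present in the logon token and their scope (Q2), and any inter-realm referral TGT sitting in the Kerberos ticket cache after a cross-domain access (Q1). It assumes the RSAT ActiveDirectory module is installed and that `klist` is available; the domain names in the comments are placeholders.

```powershell
# Added example: inspect the logon token and the Kerberos ticket cache.
# Assumes a domain-joined Windows host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Q2: the token carries only SIDs, so group scope is looked up in AD.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = foreach ($sid in $identity.Groups) {
    $scope = 'n/a (BUILTIN or well-known)'
    $name  = $sid.Value
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        # Only domain groups resolve in AD; BUILTIN and well-known SIDs throw here.
        $adGroup = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction Stop
        $scope = $adGroup.GroupScope
    } catch { }
    [pscustomobject]@{ Name = $name; SID = $sid.Value; Scope = $scope }
}
$groups | Sort-Object Scope, Name | Format-Table -AutoSize

# Domain local groups of the account's own domain are already in the token,
# so a server in the same domain builds its own token from the SIDs carried
# in the service ticket; nothing new has to be computed for the same domain.
$domainLocal = @($groups | Where-Object { "$($_.Scope)" -eq 'DomainLocal' })
"Domain local groups in logon token: $($domainLocal.Count)"

# Q1: after accessing a resource in a trusting domain, the cache holds a
# referral (inter-realm) TGT of the form
#   Server: krbtgt/DOMAINA.EXAMPLE @ DOMAINB.EXAMPLE   (placeholder realms)
# issued by the user's own KDC, next to the service ticket issued by DOMAINA.
$klist = klist tickets 2>&1 | Out-String
$referrals = [regex]::Matches($klist, 'Server:\s+krbtgt/([^\s@]+)\s*@\s*(\S+)') |
    Where-Object { $_.Groups[1].Value -ne $_.Groups[2].Value } |   # skip the home TGT
    ForEach-Object { "Referral TGT for realm $($_.Groups[1].Value) issued by $($_.Groups[2].Value)" }
if ($referrals) { $referrals } else { 'No inter-realm referral TGTs in the cache' }
```

Run it once before and once after opening a share in the other domain to watch the referral TGT appear.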

  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-04-29T06:05:23.117+00:00

    Hi,

    To understand Kerberos authentication, you can refer to the following link first.
    This article introduces the entire process in detail both for the authentication within domain and across the trust.
    How the Kerberos Version 5 Authentication Protocol Works
    Feel free to let us know if you have questions about it.
