Can MIM PAM be implemented in an existing environment with 1 USER forest and multiple RESOURCE forests with trusts?

Paul Adams 41 Reputation points
2023-03-15T05:19:33.9233333+00:00

I have an existing AD forest setup with a user forest containing only user accounts and security groups, plus several resource forests with a trust towards the user forest (but not each other).

The user accounts are both standard and privileged so there is a central location for defining permissions and account status, the resource forests have only local accounts for Enterprise Admins and Domain Admins (due to the group scope).

All forests have a functional level of 2016.

I have been looking into MIM PAM for increasing security, but I am unable to find any examples where a setup such as mine is already in place, everything describes a simple single-forest "CORP" with both users and resources.

Is it possible to set up just one PAM trust from the user forest towards a new bastion forest and leverage the existing forest trusts from each resource forest towards the user forest?

Obviously if I want to leverage MIM PAM for Enterprise Admins and Domain Admins in each resource forest I would need a PAM trust towards the bastion forest, but for regular (non-infrastructure) privileged accounts would it suffice to have my delegations per resource forest done using the mirrored domain global groups in the user forest?

My understanding of the KDC role says it should be possible, but I have yet to see MIM PAM in action in a more complex/realistic scenario, does the resource forest need to be "PAM-aware" or does cross-forest Kerberos authentication take care of that for me and only the KDC in the user forest needs to care?

Thanks in advance for any help!

Tags: Microsoft Identity Manager, Active Directory

1 answer

    Limitless Technology 43,926 Reputation points
    2023-03-15T16:12:10.12+00:00

    Hello there,

    Yes it is possible to set up just one PAM trust from the user forest towards a new bastion forest but it has limited scope.

    The forest can house additional management functions and applications, but each increase in scope will increase the attack surface of the forest and its resources. The objective is to limit the functions of the forest to keep the attack surface minimal.

    The PAM approach with a bastion environment provided by MIM is intended to be used in a custom architecture for isolated environments where Internet access is not available, where this configuration is required by regulation, or in high impact isolated environments like offline research laboratories and disconnected operational technology or supervisory control and data acquisition environments.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

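As an added example (not part of the question or of the answer above), the following PowerShell script checks the trust layout the question describes rather than assuming it. Forest names are placeholders I made up: user.example (the user forest), res1.example and res2.example (resource forests) and priv.example (the new bastion forest). It reads each existing forest's trust object for the bastion forest with Get-ADTrust and tests the trustAttributes bits defined in MS-ADTS 6.1.6.7.9 (forest-transitive 0x8, SID-filtering quarantine 0x4, PIM trust 0x400), then lists the shadow principals in the bastion forest's "Shadow Principal Configuration" container whose SID is owned by a forest that has no such trust. The reason for checking every forest separately is the one fact the question circles around: a forest trust is never transitive to a third forest, so a resource forest that trusts only the user forest has no trust path to the bastion forest at all, and the user forest's KDC cannot route a bastion-forest account to it.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the question or the answer above.
# Placeholder (assumed) forest names; run from a host that can reach a DC in each forest.
$BastionForest   = 'priv.example'
$ExistingForests = @('user.example', 'res1.example', 'res2.example')

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
$TA_QUARANTINED_DOMAIN = 0x004   # SID filtering quarantine: only the trusted domain's own SIDs accepted
$TA_FOREST_TRANSITIVE  = 0x008
$TA_PIM_TRUST          = 0x400   # "PIM trust": shadow-principal SIDs from the bastion forest are accepted

function Test-PamTrust {
    # Does $Forest hold an outbound, forest-transitive, PIM-enabled trust to $BastionForest?
    param([Parameter(Mandatory)][string]$Forest,
          [Parameter(Mandatory)][string]$BastionForest)

    $problems = [System.Collections.Generic.List[string]]::new()
    $trust = Get-ADTrust -Filter "Name -eq '$BastionForest'" -Server $Forest -ErrorAction SilentlyContinue
    if (-not $trust) {
        $problems.Add('no trust object for the bastion forest')
    } else {
        $attrs = [int]$trust.TrustAttributes
        $dir   = "$($trust.Direction)"
        # The user (or resource) forest must trust the bastion forest, i.e. an outbound trust as seen from here.
        if ($dir -notin @('Outbound', 'BiDirectional')) { $problems.Add("direction is $dir, expected Outbound") }
        if (-not ($attrs -band $TA_FOREST_TRANSITIVE))  { $problems.Add('not forest-transitive') }
        if ($attrs -band $TA_QUARANTINED_DOMAIN)        { $problems.Add('SID filtering quarantine is on') }
        if (-not ($attrs -band $TA_PIM_TRUST))          { $problems.Add('PIM trust attribute (0x400) not set') }
    }
    [pscustomobject]@{
        Forest     = $Forest
        PamTrustOk = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

function Get-ShadowPrincipalOwnerForest {
    # Map every shadow principal in the bastion forest to the forest that owns the SID it carries.
    param([Parameter(Mandatory)][string]$BastionForest,
          [Parameter(Mandatory)][string[]]$Forests)

    # domain SID -> forest name, across every domain of every existing forest
    $sidToForest = @{}
    foreach ($f in $Forests) {
        foreach ($d in (Get-ADForest -Server $f).Domains) {
            $sidToForest[(Get-ADDomain -Server $d).DomainSID.Value] = $f
        }
    }

    $cfg  = (Get-ADRootDSE -Server $BastionForest).configurationNamingContext
    $base = "CN=Shadow Principal Configuration,CN=Services,$cfg"
    Get-ADObject -Server $BastionForest -SearchBase $base -Properties 'msDS-ShadowPrincipalSid' `
                 -Filter 'objectClass -eq "msDS-ShadowPrincipal"' |
      ForEach-Object {
        $raw = $_.'msDS-ShadowPrincipalSid'
        # The attribute may come back as a byte[] or already as a SecurityIdentifier; handle both.
        $sid = if ($raw -is [byte[]]) { [System.Security.Principal.SecurityIdentifier]::new($raw, 0) }
               else                   { [System.Security.Principal.SecurityIdentifier]$raw }
        [pscustomobject]@{
            ShadowPrincipal = $_.Name
            Sid             = $sid.Value
            OwnerForest     = $sidToForest[$sid.AccountDomainSid.Value]   # $null if the SID is from an unknown domain
        }
      }
}

# 1. Which existing forests actually hold a usable PAM trust to the bastion forest?
$trustReport = $ExistingForests | ForEach-Object { Test-PamTrust -Forest $_ -BastionForest $BastionForest }
$trustReport | Format-Table -AutoSize

# 2. Shadow principals whose SID belongs to a forest without such a trust. A forest trust does not
#    extend to a third forest, so the owning forest's trust towards the user forest gives the bastion
#    forest no path to it; these groups can be granted in PRIV but never honoured by that forest's KDC.
$okForests = $trustReport | Where-Object PamTrustOk | Select-Object -ExpandProperty Forest
Get-ShadowPrincipalOwnerForest -BastionForest $BastionForest -Forests $ExistingForests |
  Where-Object { $_.OwnerForest -notin $okForests } |
  Format-Table -AutoSize
```

The first table answers the narrow question ("do I have one PAM trust, and is it configured as one?"); the second shows, per shadow principal, where a trust from the user forest alone stops being enough. The MIM cmdlets that create the trust (New-PAMTrust, New-PAMDomainConfiguration) are run on the bastion side per the MIM PAM deployment guide; the script above only reads what they produced, so it is safe to run repeatedly while the trusts are being set up.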