AD Forest Selective Authorization and Kerberos

julianstabentheiner 6 Reputation points
2023-08-23T12:01:03.0966667+00:00

Hi there,

I'm facing an issue with the authorization over a forest trust. We have this scenario:

Forest A has a bidirectional trust with Forest B. The trust is configured as "Selective Authorization". The use case is that users from Forest B have to use a print server in Forest A. I have configured a group with all the relevant users on the print server to have "Allowed to authenticate" set in the security settings of the computer object. When you connect from a computer in Forest B, with a user account in Forest B, to the print server, you get an authentication prompt. If you log in with a user of Forest B, you get access to the print server.

But now there is our problem. If I change the trust to forest-wide authentication, the user does not get a prompt and gets direct access to the print server.

Is it a special behaviour when selective authorization is enabled? Or do I have to configure more to get automatic (Kerberos) auth?

Thanks for any advice!


1 answer

  1. Daisy Zhou 32,416 Reputation points Microsoft External Staff
    2023-08-24T02:24:44.0633333+00:00

    Hello julianstabentheiner

    Thank you for posting in our Q&A forum.

    I can see the differences between Forest Wide Authentication and
    Selective Authentication below; they may be helpful to you.

    Forest Wide Authentication

    When Forest Wide Authentication is enabled, the Domain Controllers of the Trusting Forest authenticate all access requests made by users from the Trusted Forest. Once authentication is successful, access to the resource is granted or rejected based on the resource's Access Control List (ACL).

    There is a risk in this approach. Once the foreign user (from the trusted Forest) has been successfully authenticated by the Domain Controllers of the Trusted Forest, it becomes a member of the "Authenticated Users" group. This group does not have any permanent members; membership is computed dynamically based on authentication. Once an account is a member of the "Authenticated Users" group, it can access all resources where the group "Authenticated Users" has access.

    Selective Authentication

    To combat the above-mentioned security loophole and have some control over the authentication, we can opt for the Selective Authentication level. At this level, not all users are authenticated by Domain Controllers by default. Instead, when a Domain Controller of the Trusting Forest detects that an authentication request is coming from a trusted forest, it first validates whether the user account has been granted explicit permission on the resource that is holding the object.

    For example, a file share has been configured on a file server. If a user from a trusted forest wants to access that file share, that user account has to be explicitly granted the "Allowed to Authenticate" right on the file server. Only then will the Domain Controller authenticate the user; otherwise the Domain Controller will reject the authentication request, and the user will not be part of the "Authenticated Users" group.

    Reference:
    https://social.technet.microsoft.com/wiki/contents/articles/50969.active-directory-forest-trust-attention-points.aspx

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

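To check the two settings the thread turns on (whether the trust is really in selective authentication mode, and whether the right group actually holds "Allowed to Authenticate" on the print server's computer object), here is an added read-only audit script. It is not from the original question or answer and not Microsoft's code; it assumes the RSAT ActiveDirectory module on an admin workstation in Forest A (the trusting side), and the forest name, computer account and group name are placeholders to replace. The GUID of the Allowed-To-Authenticate extended right is the schema constant.

```powershell
# Added audit example (not part of the original thread). Placeholders below are assumptions.
Import-Module ActiveDirectory

$TrustedForest = 'forestb.example'      # placeholder: DNS name of Forest B (trusted side)
$PrintServer   = 'PRINTSRV01'           # placeholder: computer account in Forest A
$GrantedGroup  = 'FORESTB\PrintUsers'   # placeholder: group that should hold the right

# Schema GUID of the "Allowed-To-Authenticate" extended right (control access right)
$AllowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Is the trust in selective authentication mode, and in which direction?
$trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
if (-not $trust) { throw "No trust named '$TrustedForest' found in this forest" }
"Trust $($trust.Name): Direction=$($trust.Direction) SelectiveAuthentication=$($trust.SelectiveAuthentication)"

# 2. Which principals hold Allowed-To-Authenticate on the print server's computer object?
$computer = Get-ADComputer -Identity $PrintServer
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$aces = $acl.Access | Where-Object {
    $_.ObjectType -eq $AllowedToAuthGuid -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
}
if (-not $aces) {
    Write-Warning "No Allowed-To-Authenticate ACE on $PrintServer. With selective authentication, logons from $TrustedForest to this server are refused."
} else {
    $aces | Select-Object IdentityReference, InheritanceType, IsInherited | Format-Table -AutoSize
}

# 3. Is the intended group among them? Compare SIDs so a renamed group still matches.
$groupSid = (New-Object System.Security.Principal.NTAccount($GrantedGroup)).Translate([System.Security.Principal.SecurityIdentifier])
$match = $aces | Where-Object {
    try   { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid }
    catch { $false }   # unresolvable (orphaned) SID in the ACL: not a match
}
if ($match) { "$GrantedGroup holds Allowed-To-Authenticate on $PrintServer" }
else        { Write-Warning "$GrantedGroup is NOT granted Allowed-To-Authenticate on $PrintServer" }
```

The script only reads; it changes neither the trust nor the ACL. One caveat worth checking while you are there: the Forest A domain controller evaluates the ACE against the SIDs in the incoming user's token, so the group you grant the right to has to be one whose SID travels across the trust (a global or universal group in Forest B, or a domain local group in Forest A that contains the Forest B users). A domain local group defined in Forest B is not in that token and the grant would silently never match.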

