Two-way forest trust - different authentication type for each direction

Bojan Zivkovic 606 Reputation points
2021-05-11T14:36:59.04+00:00

Hi, I want to create a two-way forest trust with a different authentication type for each direction. In the managed --> management forest direction I want selective authentication, whereas in the other direction I want forest-wide authentication. Is this doable and, if not, what are the other options on the table and their limitations compared to a two-way forest trust?


3 answers

  1. Vicky Wang 2,736 Reputation points
    2021-05-12T07:29:02.213+00:00

    Hi,
    Thank you for posting in our forum.

    In general, all domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain.

    In a two-way (transitive) trust, both domains that are involved in the trust relationship trust each other. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be non-transitive or transitive depending on the type of trust being created.

    As a solution to configure different authentication types for the different trust directions, we could change the authentication type to Selective Authentication on both directions of the domain trust. Then we could try to grant different Allowed to Authenticate permissions for each trust direction to achieve your target.

    For detailed information about authentication types, I suggest referring to the following article.

    Configuring Selective Authentication Settings

    http://technet.microsoft.com/en-us/library/cc755844(v=ws.10)

    Additionally, please refer to the article below to secure trust.

    Security Considerations for Trusts

    http://technet.microsoft.com/en-us/library/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff1

    Regards,
    Vicky


  2. Bojan Zivkovic 606 Reputation points
    2021-05-12T12:12:24.73+00:00

    I cannot allow selective authentication in both directions - the business request is to have forest-wide authentication in the direction management forest --> production forests, while the opposite direction must have only the bare minimum (selective authentication) required for various solutions to work properly (PKI, for instance). Simply put, the InfoSec team won't allow systems in production forests to authenticate at all in the management forest unless that is absolutely necessary for a given solution, hence selective authentication is the obvious choice for that direction of the trust - the opposite direction is perfectly fine to have forest-wide authentication, since the whole idea is to manage production forests from the management forest.

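The management-side setup the question and the reply above describe, as an added example (PowerShell, not code from either participant): selective authentication is a property of each forest's own trust object for the other forest, so it can be enabled on the management side alone while the production side keeps forest-wide authentication, after which Allowed to Authenticate is granted only on the servers a given solution needs. The forest names mgmt.example and prod.example, the PKI OU path and the choice of Domain Computers as the grantee are assumptions; the script runs from an admin host in the management forest with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. Placeholders: mgmt.example (management forest),
# prod.example (production forest), an OU of PKI servers in the management forest.
# Run from an admin host joined to the management forest with the RSAT AD module.
Import-Module ActiveDirectory

$MgmtForest = 'mgmt.example'
$ProdForest = 'prod.example'

# 1. Each forest holds its own trust object for the other forest, and the
#    authentication level (SelectiveAuthentication) lives on the trusting side.
#    Read both sides before and after the change.
function Get-TrustAuthLevel {
    foreach ($forest in $MgmtForest, $ProdForest) {
        Get-ADTrust -Server $forest -Filter * |
            Select-Object @{ n = 'TrustingForest'; e = { $forest } },
                          Target, Direction, ForestTransitive,
                          SelectiveAuthentication, SIDFilteringForestAware
    }
}
Get-TrustAuthLevel

# 2. Restrict only the production -> management direction: the management forest
#    is the trusting side here, so netdom is run against it. The production side
#    is left at forest-wide authentication (SelectiveAuthentication = False).
netdom trust $MgmtForest "/domain:$ProdForest" /SelectiveAuth:Yes

# 3. With selective authentication, production principals get no access to any
#    management computer until its computer object carries an "Allowed to
#    Authenticate" ACE. Grant it only on the servers the solution needs (PKI here),
#    never on the domain head, and only to the group that needs it.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # extended-right GUID
$ProdComputers = (Get-ADGroup -Server $ProdForest -Identity 'Domain Computers').SID
$PkiServers = Get-ADComputer -SearchBase 'OU=PKI,OU=Tier0,DC=mgmt,DC=example' -Filter *

foreach ($server in $PkiServers) {
    $path = "AD:\$($server.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $ProdComputers,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Verify: SelectiveAuthentication should now be True only for the management side.
Get-TrustAuthLevel
```

The second Get-TrustAuthLevel output is the check to keep: the management forest's trust should report SelectiveAuthentication True and the production forest's trust False, with SIDFilteringForestAware True on both.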

  3. Vicky Wang 2,736 Reputation points
    2021-05-14T01:12:16.477+00:00

    Thanks for your patience.
    I may need some time to study this issue.
    But with progress, I will update here as soon as possible.
    Thank you for your understanding and support.
    Best wishes
    Vicky

