Solved

Authenticating on internal domain from DMZ

Posted on 2004-09-02
3
231 Views
Last Modified: 2013-12-04
Hey folks,

I need to authenticate users connecting through VPN to our DMZ on our internal AD-Domains. Would it be enough to allow authentication with 1 DC in the top domain?

Shouldnt the TopDomain be able top authenticate for the sub-domains or atleast request and pass on authentication?

Please let me know if anyone of you know :)

/Rene
0
Comment
Question by:LamerSmurf
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 250 total points
ID: 11963385
LamerSmurf
If you allow access from the DMZ to only a domain controller in the root domain, then users will not be able to logon fully - without using cached credentials. The reason for this is that things like domain local group memberships are not replicated to all Global Catalogs and therefore are unavailable to Domain Controllers ouside of the users home domain. Without this information the user cannot be logged on, unless cached credentials are available.

The likely message a user will receive is "The user cannot log in because the domain DOMAIN is not available."

you need to allow the DMZ access to at least one domain controller in each domain.

Cheers

JamesDS
0
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 11968976
Well actually Active Directory domains are two-way transitive trusts. So the whole forest trusts itself. The handshake can take longer without additional short-cut trusts created but it will work.
0
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 11969012
Now that I think about it, the client on the outside of the VPN may not be able to make all of the kerberos handshakes if it can't contact each domain. I was initially speaking from the standpoint of a client that is in the network.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Move Event Log in windows 2012 3 97
Thin secure Windows 10 5 97
Trusted Platform Module with Windows 10 - Upgrading TPM 1.2 to TPM 2.0 13 77
is this a virus? 3 42
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question