Cross Forest/Domain File Sharing

Posted on 2007-08-08
Last Modified: 2013-11-05

We have our own single domain forest and we have a partner company that has their own forest. We would like to be able to share files with them without setting up a trust. Does anyone have any suggestions to achieve this?
Question by: stealy

    Expert Comment

    I guess it depends how you want to share files, are you looking to do so through regular old Windows shares?  May I also ask your reasoning for not wanting the trust relationship?

    Author Comment

    We're concerned about the security implications of the trust. We only want the sister company to access one server and one share on that server. A regular Windows share would be the preference, but any viable solution would be looked at.

    Accepted Solution

    Your concerns are obviously viable.  However, as a result of hearing such concerns over and over again, Microsoft introduced a technology in Windows Server 2003's Active Directory that allows you to achieve your goal with a trust but without opening the entire domain/forest.  It is often referred to as the 'authentication firewall', a poor attempt at descriptive naming in my opinion left over from the beta-days of W2K3 but nonetheless a great feature.  In the past, and as you already seem to know through your inferred concerns, once a trust was in place, the Kerberos KDCs on the trusting side of the fence would happily issue tickets to anyone whose request originated in the trusted domain relying solely on the rigidity of the OS in general and authorization to deal with the resulting attempts to access something across the trust.  

    This is no longer the case when using 'selective authentication' (this is a better name and the user-interface's choice of wording when enabling this feature).  Selective auth. permits you to instruct the KDCs in your domain (or entire forest depending upon the trust type) to first determine if the requesting user is permitted to even get the initial ticket that is required to communicate with the target server in your domain.  This exchange occurs between the trusted-domain's workstations and your KDCs, the target server is not involved.  If the KDC in your domain decides not to issue the ticket, the communication attempt fails even if the ACLs on the target server in your domain would have permitted the foreign domain's client to gain access to the resource.

    This feature requires Windows Server 2003 domain functional level 2 on the trusting side (i.e. it requires that your domain be hosted by Windows Server 2003 Domain Controllers [or later] only).

    Does this sound like something you'd be interested in?
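    A worked configuration of what the accepted solution describes, added here as an example and not part of the original thread: an existing trust is switched to selective authentication with netdom, and then a single partner group is granted the "Allowed to Authenticate" right on only the file server's computer object, so the KDC will issue service tickets to that server alone. The domain names (corp.example as the trusting side, partner.example as the trusted side), the server name FS01 and the group name are assumptions.

```powershell
# Run on a domain controller (or with RSAT) in the trusting domain corp.example
# as a member of Domain Admins. Names below are assumed for the example.
$trustingDomain = 'corp.example'        # our forest (owns the file server)
$trustedDomain  = 'partner.example'     # the partner forest
$fileServer     = 'FS01'                # the one server the partner may reach
$partnerGroup   = 'PARTNER\FileShare-Users'   # assumed group in the partner domain

# 1. Switch the existing trust to selective authentication (netdom is the
#    built-in tool for this; the trust itself must already exist).
netdom trust $trustingDomain /domain:$trustedDomain /SelectiveAuth:Yes

# 2. Grant the partner group the "Allowed to Authenticate" control access
#    right on the file server's computer object only. The GUID is the
#    schema rightsGuid of the Allowed-To-Authenticate extended right.
Import-Module ActiveDirectory
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$computer = Get-ADComputer -Identity $fileServer
$adPath   = 'AD:\' + $computer.DistinguishedName

$identity = New-Object System.Security.Principal.NTAccount($partnerGroup)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate
    )

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# 3. Verify: list every principal that now holds Allowed to Authenticate on
#    this server. Anything other than the intended partner group should be
#    reviewed, since each entry is a door through the selective-auth check.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

    Share and NTFS permissions on FS01 still apply after this; selective authentication decides who may obtain a ticket for the server, while the ACLs on the share decide what they may do once connected.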

    Author Comment

    It sounds good to me, but there's serious resistance to trusts here, so I'm not sure I could get it adopted. Have you any other suggestions?

    Expert Comment

    You can do it through FTP, which can be made to look like a regular ol' Windows folder.

    You could create a user with the same name and password on either side that has very limited access to specific shares on each side of the fence and have your users use that name.  

    You could sync the security principals between the two domains.

    I don't believe there's an off-the-shelf federated solution for you at this point but it's been a while since I looked at the likes of ADFS.
