Cross Forest/Domain File Sharing

Posted on 2007-08-08
Medium Priority
Last Modified: 2013-11-05

We have our own single domain forest and we have a partner company that has their own forest. We would like to be able to share files with them without setting up a trust. Does anyone have any suggestions to achieve this?
Question by:stealy

Expert Comment

ID: 19654118
I guess it depends how you want to share files, are you looking to do so through regular old Windows shares?  May I also ask your reasoning for not wanting the trust relationship?

Author Comment

ID: 19654144
We're concerned about the security implications of the trust. We only want the sister company to access one server and one share on that server. A regular Windows share would be the preference, but any viable solution would be looked at.

Accepted Solution

MSE-dwells earned 750 total points
ID: 19654363
Your concerns are obviously viable.  However, as a result of hearing such concerns over and over again, Microsoft introduced a technology in Windows Server 2003's Active Directory that allows you to achieve your goal with a trust but without opening the entire domain/forest.  It is often referred to as the 'authentication firewall', a poor attempt at descriptive naming in my opinion left over from the beta-days of W2K3 but nonetheless a great feature.  In the past, and as you already seem to know through your inferred concerns, once a trust was in place, the Kerberos KDCs on the trusting side of the fence would happily issue tickets to anyone whose request originated in the trusted domain relying solely on the rigidity of the OS in general and authorization to deal with the resulting attempts to access something across the trust.  

This is no longer the case when using 'selective authentication' (this is a better name and the user-interface's choice of wording when enabling this feature).  Selective auth. permits you to instruct the KDCs in your domain (or entire forest depending upon the trust type) to first determine if the requesting user is permitted to even get the initial ticket that is required to communicate with the target server in your domain.  This exchange occurs between the trusted-domain's workstations and your KDCs, the target server is not involved.  If the KDC in your domain decides not to issue the ticket, the communication attempt fails even if the ACLs on the target server in your domain would have permitted the foreign domain's client to gain access to the resource.

This feature requires Windows Server 2003 domain functional level 2 on the trusting side (i.e. it requires that your domain be hosted by Windows Server 2003 Domain Controllers [or later] only).

Does this sound like something you'd be interested in?
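Two checks a defender would want once a selective-authentication trust is in place, as an added PowerShell example (not code from the thread or from Microsoft): confirm the trust really is in selective mode, and list which principals have been granted "Allowed to Authenticate" on the one file server's computer object. The trust name `partner.example`, the server name `FILESRV01`, and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: audit a forest/domain trust for selective authentication and
# enumerate who may authenticate to the single target server.
# Assumes RSAT ActiveDirectory module; trust and server names are placeholders.
Import-Module ActiveDirectory

$trustName  = 'partner.example'   # assumed name of the partner's forest/domain
$serverName = 'FILESRV01'         # assumed file server that hosts the share

# Schema GUID of the "Allowed to Authenticate" control access right
$allowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Is the trust in selective-authentication mode (the "authentication firewall")?
#    If SelectiveAuthentication is False, every principal in the trusted domain
#    can obtain tickets for any server here and only the ACLs stand in the way.
#    (It is enabled with: netdom trust <our domain> /d:<their domain> /SelectiveAUTH:yes)
$trust = Get-ADTrust -Filter "Name -eq '$trustName'"
if (-not $trust) { throw "No trust named $trustName was found" }
'Trust: {0}  Direction: {1}  SelectiveAuthentication: {2}' -f `
    $trust.Name, $trust.Direction, $trust.SelectiveAuthentication

# 2. Which principals hold "Allowed to Authenticate" on the file server?
#    Under selective authentication the KDC only issues a ticket for this
#    server to foreign users who hold this extended right on its computer object.
$computer = Get-ADComputer -Identity $serverName
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$acl.Access |
    Where-Object {
        $_.ObjectType -eq $allowedToAuthGuid -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Any entry in the second list that is broader than the partner group you intended (for example, their "Domain Users" or "Authenticated Users") means the selective trust is effectively as open as a classic one for that server.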

Author Comment

ID: 19655351
It sounds good to me, but there's serious resistance to trusts here so I'm not sure I could get it adopted. Have you any other suggestions?

Expert Comment

ID: 19656994
You can do it through FTP, which can be made to look like a regular ol' Windows folder.

You could create a user with the same name and password on either side that has very limited access to specific shares on each side of the fence and have your users use that name.

You could sync the security principals between the two domains.

I don't believe there's an off-the-shelf federated solution for you at this point, but it's been a while since I looked at the likes of ADFS.
