Solved

Set up a domain trust, selective auth, two domains in different forests. When browsing I get: "Logon failure: the machine you are logging onto is protected by an authentication firewall"

Posted on 2010-08-15
Last Modified: 2016-09-21
Set up a domain trust with selective auth, two domains in different forests. When browsing a UNC path I get: "Logon failure: the machine you are logging onto is protected by an authentication firewall". All DCs are 2003 Standard. The trust is two-way, and so is the error. The functional level was raised before attempting. Domain A has 2 sites connected by a VPN, and the VPN was down, preventing the raise-functional-level process from completing for a while (just a side note). It wanted to see the other DC before it would work. The open authentication works, but it gives EVERY user in Domain B the same rights as the Domain Users group in Domain A, where I am trying to share out extra storage. That is too much access to Domain A.
I have set up the local server security GP object on the data storage box in Domain A to allow rights assignment on Domain B, but I don't know if I edited the correct key at all. Very frustrating for it to work fine in a manner that I cannot use, but not work at all in a manner that I need to use. Windows Firewall services are off on all DCs.
I am also unsure of the DNS changes I made to reference these two domains. I simply put in a DNS forwarder on Domain B to point requests for Domain A back to the AD-integrated DNS server on Domain A and vice versa.

Thanks!
Question by: Liptak-Dental
13 Comments

Accepted Solution

by: Steve (earned 300 total points)
ID: 33441220
Sounds like you're running domain authentication.

To resolve this, open up AD Users and Computers > Advanced Features > select the computer object > Properties > Security > Add group (e.g. trustedDomain\Domain Users) > allow "Allowed to Authenticate".

See if this works. I'm guessing you've chosen selective authentication, which means users need to be given permission to authenticate with the DC in the other domain.

Author Comment

by: Liptak-Dental
ID: 33441287
That made a dent! I actually found this info last night as well and tried it. Once again though, it gives the entire Domain B the same rights as Domain Users on Domain A, but now at least it is just that server. That's progress. I need to share just one or two folders to each user on Domain B using storage on Domain A. Like user folders, they need to be protected from each other and to stay out of the rest of the shares on that server.

Expert Comment

by: Steve
ID: 33441324
The idea of the selective auth trust is one of security. Before accepting the user's details and checking if it can do what it wants, the system checks if the user is allowed to try in the first place. It's another way of providing functionality without compromising security.

If this isn't ideal, you may need to consider a different type of trust.
Author Comment

by: Liptak-Dental
ID: 33443242
Not sure what you're getting at there. My issue is that the trusting domain automatically gives every user in the trusted domain the same access as the local Domain Users group. I can't give away that much access. I need to specify individual users and groups for each folder and keep the trusted users out of the other shares on the trusting server. I could remove the Domain Users group from the inherited permissions on the trusting server, I guess, but that is a lot of work and bound to cause access issues and data unavailability.

Expert Comment

by: Steve
ID: 33446922
Don't allow the Domain Users group to authenticate, then.
How about you create a group on Domain A and allow that group access to authenticate on Domain B instead of the Domain Users group advised in my example above?
You can easily add and remove users from the group in Domain A then.

Once the trusted users are allowed to authenticate as above, you should be able to set up groups or users as normal on the trusting server and allow them access to shares as necessary.

Note: any share or security permission using 'Everyone' will include ANY user allowed to authenticate across the trust.
Author Comment

by: Liptak-Dental
ID: 33482654
Tonto,

My issue with the now open authentication is that I have many and various security principals customized on the trusting domain for its users. Yanking all of them out of their natural Domain Users default group is a crazy amount of work just to accommodate the trusted domain's users. I am looking for a way to limit the trusted user accounts to just individual users and groups I specify on certain folders. Something I picked up on in your message might be helpful though: are you saying that my trusting domain associates its own Domain Users with the trusted domain's Domain Users group? It might be easier to take them out of their own Domain Users group if that will stop the pass-through association onto the trusting domain.

I'm confusing myself at this point. Overall, here is my goal again:
The server that is now trusting the outside domain is granting every dang outsider account the same permissions as its own local Domain Users, meaning that these outsiders can roam all over my other, unrelated, and sensitive shares!! I expected to have to specifically allow the foreign users access to select shares on a per-account basis, not a wide open barn door. Advice?

Expert Comment

by: Mike Thomas
ID: 33483729
I am going to take a wild stab without reading all the comments, based on a current setup I am working with.

If you need users from Domain B to access shares on server1 in Domain A, then try going into the security properties of server1 in Domain A and add the user (or group) from Domain B to the ACL and grant them the "Allowed to Authenticate" permission.

If that is done, you can just manage the permissions as per normal.

Hope this helps.


Author Comment

by: Liptak-Dental
ID: 33489989
OK guys, the issue is not that I can't access the foreign server. The process described by Mojo and Tonto has worked well and I can get the foreign users onto my server. My issue is that it lets every foreign domain user wander all over my server as if they were in the 'Domain Users' group on the hosting domain. I need to assign individual permissions to certain folders only. I have many existing shares on this server that the foreign users cannot access for security reasons. By default with the domain trust, they got access to everything as if they were Domain Users.

Assisted Solution

by: Mike Thomas (earned 200 total points)
ID: 33490845
Check to see if you have left the "MACHINENAME\Users" group on the shares.

If so, you will have to remove the MACHINENAME\Users group from the NTFS permissions for the shares to stop this happening, as that effectively assigns "Authenticated Users", so any authenticated user in any domain will have rights.


Expert Comment

by: Steve
ID: 33491817
@Liptak-Dental

I didn't mean removing Domain Users from the source domain, just the receiving domain. If you tell it to trust Domain Users from the other domain, then all users will be trusted.

As advised above, create a group in Domain A and add users to it as required.
On Domain B, set the group with 'Allowed to Authenticate' and NOT Domain Users.

Also, Mojotech is right. I mentioned any shares with 'Everyone' listed but forgot about any with 'Authenticated Users', as both of these apply to EVERYONE with a valid account.
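One way to do both things the thread recommends with PowerShell: grant "Allowed to Authenticate" on the file server's computer object to a single group from the trusted domain instead of Domain Users, then list shares whose NTFS ACLs still grant Everyone, Authenticated Users or the local Users group. This is an added example, not code from any poster; the server name, group name and share paths are placeholders, and it assumes a current Windows host with RSAT rather than the 2003 DCs in the thread.

```powershell
# Added example (not from the thread): audit share ACLs for broad principals and grant
# "Allowed to Authenticate" on a computer object to one specific trusted-forest group.
# Server, group and share names are constructed placeholders. Needs the ActiveDirectory
# module (RSAT) on a domain-joined admin workstation; run as a domain admin in Domain A.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate extended right in the AD schema.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # file server in Domain A
        [Parameter(Mandatory)][string]$TrustedGroup    # e.g. 'DOMAINB\FileShare-Users'
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $sid  = ([System.Security.Principal.NTAccount]$TrustedGroup).Translate(
                [System.Security.Principal.SecurityIdentifier])
    # Allow ExtendedRight scoped to the Allowed-To-Authenticate object type only.
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}
# Principals that quietly include every foreign account allowed to authenticate here.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Find-BroadShareAces {
    param([Parameter(Mandatory)][string[]]$SharePaths)
    foreach ($share in $SharePaths) {
        foreach ($ace in (Get-Acl -Path $share).Access) {
            if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $share
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
                }
            }
        }
    }
}

# Usage (placeholder paths): review offending ACEs before removing them.
Find-BroadShareAces -SharePaths 'D:\Shares\UserHomes', 'D:\Shares\Finance' | Format-Table -AutoSize
```

On a member server the "MACHINENAME\Users" group from the thread shows up in ACLs as BUILTIN\Users, which is why the audit list includes that name.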
Author Closing Comment

by: Liptak-Dental
ID: 33514251
Thanks guys, that last part totally fixed the assumed permissions problem I was having. I'm out of practice on NTFS, I think! The first problem of adjusting AD to allow the selective permissions to apply to this server was key as well.
Author Comment

by: Liptak-Dental
ID: 33666456
I have a follow-up question to my issue here. I can add domain users from one domain to files and folders on the other domain. The issue I still have is that it will allow users to be added and then access the folder, but if I add a group from the foreign domain, it will not let a user in that group access the folder. This domain trust thing is mostly-kinda working, but not quite enough to justify its use on a larger scale.

Expert Comment

by: Pete Long
ID: 41809644
I know this has been closed a while, but it got me today:
Error – The Computer You Are Signing Into Is Protected By An Authentication Firewall
Pete