• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 366

Authentication problem with trusting domain.

I need to share some files on a remote trusting domain. A trust is in place and can be verified, and Port Query runs with no errors. When attaching to the files with a UNC path and IP address I get a "logon failure, share is not accessible" error. The remote domain says that there are no firewalls on their domain and they have lots of trusts in place.

To try and move the problem on, I tested from a machine that is not part of our domain: it gets through to the share and is presented with a logon box. The same test with a PC in our domain fails.

Thought I had the problem licked when I did some port monitoring: this indicated that when connecting from the domain the only authentication was NTLM, whereas when connecting from a non-domain PC I could see additional authentication. Using net use V: \\server.domain.com\ from a non-domain PC gets me in.

Connecting to the remote domain through LAN Manager will suit my needs, but I think that some domain policy is blocking this. I tried to tweak the LAN Manager authentication level on our domain to "Send LM and NTLM responses", but no luck.
Asked: philblackburn
1 Solution
 
Tasmant Commented:
If you use the IP, authentication falls back to NTLM.
For an external trust, Kerberos is not fully supported, therefore you can fall back to NTLM when authenticating. But it's not really an issue, and if all works fine, this should work.

- Are you able to ping the remote host by IP? ping 192.168.10.1
- Are you able to resolve the FQDN of the remote host? nslookup remote.otherdomain.com

On your DNS server, have you added a conditional forwarder to forward DNS requests for the remote domain to the remote domain's DNS servers?
Are you sure you set up the trust in the right way? You should see an incoming trust with your domain.
 
philblackburn (Author) Commented:
I can ping the address, and I can resolve the FQDN with nslookup.
I have not set up forwarders, as I have a stub zone for the remote zone and I can resolve all the addresses that I need to.
I don't mind trying that if you think it will help. I have a two-way trust and can validate it.
 
Tasmant Commented:
OK, it's fine with the stub zone (http://technet.microsoft.com/en-us/library/ee307976%28WS.10%29.aspx),
but it is less used than conditional forwarders or secondary zones.
So, if you get a logon prompt with a non-domain-joined computer, Basic authentication is used and finally you can mount the share.
If you get nothing from a domain-joined computer, you are pretty sure the integrated authentication (either Kerberos or NTLM) fails; that's why you get the error.
So now, we need to understand why the authentication process fails.
Take a look here:
- http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx

In this article, you can see that Vista and above systems don't fall back to NTLM if Kerberos fails, so which client OS do you use to make your test?
- http://technet.microsoft.com/en-us/library/dd560679%28WS.10%29.aspx

Verify that all prerequisites for Kerberos over an external trust are fine.
 
philblackburn (Author) Commented:
I would say that all the conditions for Kerberos are met. The two (non-domain) PCs are Vista and Windows 7 Starter. I will try a test with XP.
 
philblackburn (Author) Commented:
I have run the test, and the XP machine not part of the domain will not authenticate. Can you suggest any other tests?
 
Tasmant Commented:
But when not part of your domain, didn't you say you get an authentication prompt?
Because we need to authenticate when domain-joined, no?
 
philblackburn (Author) Commented:
That's correct: I get an error when connecting from the domain, but from a PC not part of the domain I get challenged for credentials.
 
Tasmant Commented:
OK, so when trying from an XP workstation that is part of your domain, are you able to connect or not?
If yes, then you fall back to NTLM and it works; else nothing works :)
 
philblackburn (Author) Commented:
When trying from an XP workstation I fail to connect and nothing works.
 
Tasmant Commented:
OK, and if you use the following commands on your XP that is part of the domain:
- net use V: \\server_IP\share /user:domain\account  (authentication with an account on the remote domain)
- net use V: \\server_IP\share /user:yourdomain\account  (authentication with an account on your domain)
maybe we will get

You can post the results of nltest /domain_trusts in order to review details about your trusts.
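As an added example (not part of the thread and not from either participant), the checks Tasmant asks for in his first reply and in the net use / nltest suggestion just above, gathered into one PowerShell diagnostic to run first on the domain-joined workstation and then on the non-domain-joined one, so the two results can be compared side by side. The server FQDN, IP, share and domain names are placeholders; Resolve-DnsName and Test-NetConnection assume Windows 8 / Server 2012 or newer (on older clients substitute the nslookup and portqry the thread already uses), and klist assumes Windows 7 or newer.

```powershell
# Added diagnostic script; all values below are assumed placeholders, not from the thread.
param(
    [string]$ServerFqdn   = 'server.otherdomain.com',  # assumption: remote file server FQDN
    [string]$ServerIp     = '192.0.2.10',              # assumption: its IP (documentation range)
    [string]$Share        = 'share',                   # assumption: share name on that server
    [string]$RemoteDomain = 'otherdomain',             # assumption: remote (trusting) domain NetBIOS name
    [string]$LocalDomain  = 'yourdomain'               # assumption: your (trusted) domain NetBIOS name
)

# 1. Name resolution and SMB reachability, by FQDN and by IP (the two ways the asker tried).
#    A stub zone or conditional forwarder must let this client resolve the remote FQDN.
Resolve-DnsName -Name $ServerFqdn
Test-NetConnection -ComputerName $ServerFqdn -Port 445
Test-NetConnection -ComputerName $ServerIp   -Port 445

# 2. Trust view from this client, plus whether a DC of the remote domain can be located.
#    Locating a DC needs the remote domain's _ldap._tcp SRV records to resolve here.
nltest /domain_trusts /all_trusts
nltest /dsgetdc:$RemoteDomain

# 3. The LAN Manager authentication level the asker tweaked, as effective on this machine.
#    0 = Send LM & NTLM, 1 = LM & NTLM with NTLMv2 session security, 2 = NTLM only,
#    3 = NTLMv2 only, 4 = NTLMv2 only / refuse LM, 5 = NTLMv2 only / refuse LM & NTLM.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name LmCompatibilityLevel -ErrorAction SilentlyContinue

# 4. Connect by FQDN, then by IP, and show the Kerberos ticket cache after each attempt.
#    By FQDN the client requests a ticket for cifs/<fqdn>; by IP there is no SPN, so by
#    default only NTLM can be used. A cifs/ ticket in klist after the FQDN attempt means
#    Kerberos over the trust worked; no ticket plus a logon failure points at NTLM.
klist purge | Out-Null
foreach ($target in @("\\$ServerFqdn\$Share", "\\$ServerIp\$Share")) {
    Write-Host "--- net use $target (implicit credentials)"
    net use $target
    Write-Host "--- Kerberos tickets after the attempt:"
    klist
    net use $target /delete 2>$null
}

# 5. Explicit credentials with an account from each domain (the pair Tasmant asked for).
#    net use prompts for the password; compare which of the two succeeds.
foreach ($acct in @("$RemoteDomain\account", "$LocalDomain\account")) {
    Write-Host "--- net use \\$ServerIp\$Share /user:$acct"
    net use "\\$ServerIp\$Share" /user:$acct
    net use "\\$ServerIp\$Share" /delete 2>$null
}
```

Run it from an elevated PowerShell on each test machine and keep the transcript: the interesting differences between the domain-joined and non-domain-joined runs are the LmCompatibilityLevel value (a domain policy can set it on members only), whether a cifs/ ticket appears after the FQDN attempt, and which of the two /user: forms is accepted.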
 
philblackburn (Author) Commented:
Here are the Port Query tests:
al-test.txt
mark.txt
 
philblackburn (Author) Commented:
Trying both net use commands from a domain PC fails; trying from a non-domain PC succeeds.
 
philblackburn (Author) Commented:
I also tried a Vista client joined to the domain: same problem, same error.