Authentication problem with trusting domain.

philblackburn
Last Modified: 2013-01-24
I need to share some files on a remote trusting domain; a trust is in place, it can be verified, and Port Query runs with no errors. When attaching to the files with the UNC path and IP address I get a "logon failure, share is not accessible" error. The remote domain says that there are no firewalls on their domain and they have lots of trusts in place.

To try and move the problem on I tested from a machine that is not part of our domain, and it gets through to the share and is presented with a logon box. The same test with a PC in our domain fails.

Thought I had the problem licked when I did some port monitoring; this indicated that, connecting from the domain, the only authentication was NTLM, whereas connecting from a non-domain PC I could see additional authentication. Using net use V: \\server.domain.com\ from a non-domain PC gets me in.

Connecting to the remote domain through LAN Manager will suit my needs, but I think that some domain policy is blocking this. I tried to tweak the LAN Manager authentication level on our domain to Send LM and NTLM responses but no luck.
Author

Commented:
I can resolve a ping address, I can resolve FQDN and nslookup.
I have not set up forwarders, as I have a stub zone for the remote zone and I can resolve all addresses that I need to.
I don't mind trying that if you think it will help. I have a two-way trust and can validate it.

Commented:
OK, it's fine with the stub zone (http://technet.microsoft.com/en-us/library/ee307976%28WS.10%29.aspx)
but it is less used than a conditional forwarder or secondary zones.
So, if you get a logon prompt with a non-domain-joined computer, then Basic authentication is used and finally you can mount the share.
If you get nothing from a domain-joined computer, you are pretty sure the integrated authentication (either Kerberos or NTLM) fails; that's why you get the error.
So now we need to understand why the authentication process fails.
Take a look here:
- http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx

In this article, you can see that Vista and above systems don't fall back to NTLM if Kerberos fails, so which client OS do you use to make your test?
- http://technet.microsoft.com/en-us/library/dd560679%28WS.10%29.aspx

Verify that all prerequisites for Kerberos over an external trust are fine.

Author

Commented:
I would say that all the conditions for Kerberos are met. The two PCs (non-domain members) are Vista and Windows 7 Starter. I will try a test with XP.

Author

Commented:
I have run the test and the XP machine not part of the domain will not authenticate. Can you suggest any other tests?

Commented:
But when not part of your domain, didn't you say you get an authentication prompt?
Because we need to authenticate when domain-joined, no?

Author

Commented:
That's correct, I get an error when connecting from the domain, but from a PC not part of the domain I get challenged for credentials.

Commented:
OK, so when trying from an XP workstation that is part of your domain, are you able to connect or not?
If yes, then you fall back to NTLM and it works; else nothing works :)

Author

Commented:
When trying from an XP workstation I fail to connect and nothing works.

Commented:
OK, and if you use the following commands on your XP PC that is part of the domain:
- net use V: \\server_IP\share /user:domain\account (authentication with an account on the remote domain)
- net use V: \\server_IP\share /user:yourdomain\account (authentication with an account on your domain)
maybe we will get

You can post the results of nltest /domain_trusts in order to review details about your trusts.
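
The checks raised across this thread (name resolution and TCP 445 in place of a Port Query run, nltest /domain_trusts, an integrated net use after clearing the ticket cache so klist shows whether a Kerberos service ticket was ever issued, and a net use with explicit remote-domain credentials) collected into one client-side script. This is an added example, not posted by any participant; the server, share and account names are placeholders, and klist assumes Windows Vista or later, where it is built in.

```powershell
# Added diagnostic script (not from the thread). Run on the failing domain-joined client.
# $Server, $Share and $RemoteAccount are placeholders; substitute the remote domain's values.
param(
    [string]$Server        = 'server.remotedomain.example',   # placeholder file server FQDN
    [string]$Share         = 'share',                         # placeholder share name
    [string]$RemoteAccount = 'REMOTEDOMAIN\account'           # placeholder account in the remote domain
)

# 1. Name resolution and SMB reachability (TCP 445). A closed port means a network problem,
#    not an authentication one, regardless of what the remote admins report about firewalls.
$addrs = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.IPAddressToString }
Write-Host "DNS: $Server -> $($addrs -join ', ')"
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($Server, 445); Write-Host "TCP 445: open" }
catch   { Write-Host "TCP 445: not reachable ($($_.Exception.Message))" }
finally { $tcp.Close() }

# 2. Trust state as the client sees it: each trusted domain, direction and type
#    (forest vs. external), which decides whether Kerberos can be used at all.
nltest /domain_trusts /all_trusts

# 3. Integrated authentication from a clean ticket cache. Afterwards klist shows either a
#    cifs/<server> ticket (Kerberos succeeded) or no ticket for that server (Kerberos failed;
#    Vista and later do not fall back to NTLM over an external trust, the symptom in the thread).
klist purge | Out-Null
Write-Host "--- net use (integrated authentication) ---"
net use "\\$Server\$Share"
Write-Host "--- tickets held after the attempt ---"
klist | Select-String -Pattern 'krbtgt/', 'cifs/'

# 4. Explicit credentials, as suggested in the thread (prompts for the password).
#    Success here after a failure in step 3 points at the Kerberos path, not at the share.
Write-Host "--- net use (explicit remote-domain credentials) ---"
net use "\\$Server\$Share" /user:$RemoteAccount
net use "\\$Server\$Share" /delete 2>$null | Out-Null

# 5. Kerberos client and LSA errors logged on this machine in the last hour, which name
#    the realm or SPN the client could not obtain a ticket for.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddHours(-1) } |
    Where-Object { $_.ProviderName -match 'Kerberos|LsaSrv' } |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List
```

Comparing the klist output of step 3 between a machine that connects and one that does not is the quickest way to tell a missing Kerberos referral from a blocked NTLM fallback.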

Author

Commented:
Here are the portquery tests
al-test.txt
mark.txt

Author

Commented:
Trying both net use commands from a domain PC fails; trying from a non-domain PC succeeds.

Author

Commented:
I also tried a Vista client when joined to the domain; same problem, same error.