Hello there,
I operate a hosted application in our data centre that uses NTLM (no Kerberos support in this scenario for various reasons I won't go into). To enable SSO, we are looking to allow certain customers to extend their Active Directories into our environment and will configure a one-way forest trust whereby the customer trusts our resource forest, and we can permission the application accordingly to enable SSO.
In our lab environment this configuration works from an SSO perspective, but only does so when all domain controllers in the resource forest can talk to all domain controllers in the user forest. I would like to be able to nominate which domain controllers in the user forest are used for validating authentication requests, as this will simplify firewall configuration and potentially allow the use of a nominated Read Only Domain Controller moving forward.
I have Wireshark running on all DCs and clients in the lab, and would expect to see the DC in the resource forest perform some sort of DNS enumeration of available DCs in the user forest before passing the NTLM request onward... but I just can't see this happening (no DNS lookups of the user forest)... it just seems to talk to the same DC in the user forest every time. I cannot work out how the DC in the resource forest determines which DC in the user forest to forward the NTLM request on to.
Questions:
- Does anyone know how Domain Controllers in inter-forest scenarios enumerate their partners when passing on NTLM authentication requests? (DNS, SCP... some mechanism I'm not across?)
- Does anyone know whether it's technically possible to restrict or force which DCs can communicate with each other in inter-forest scenarios?
Thanks for your help.
Regards, James
James Frost
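The following is an added diagnostic example, not part of the original post. Run on a domain controller in the resource forest, it reports the Netlogon secure channel that DC currently holds to the trusted user-forest domain (the channel over which NTLM pass-through validation is sent) and the DC locator result for that domain; the domain name is a placeholder, and the parsing assumes the standard `nltest` output layout.

```powershell
# Added example (not from the original post). Run on a DC in the resource forest.
# 'userforest.example' is a placeholder for the trusted user-forest domain name.
function Get-TrustSecureChannel {
    param([Parameter(Mandatory)][string]$TrustedDomain)

    # nltest /sc_query shows the Netlogon secure channel this DC currently holds
    # to the trusted domain. NTLM pass-through requests for that domain ride this
    # channel, which is why a capture shows the same partner DC each time.
    $out = & nltest.exe "/sc_query:$TrustedDomain" 2>&1

    $dcLine     = $out | Where-Object { $_ -match 'Trusted DC Name' }
    $statusLine = $out | Where-Object { $_ -match 'Trusted DC Connection Status' }

    [pscustomobject]@{
        TrustedDomain = $TrustedDomain
        # Output line looks like: "Trusted DC Name \\dc1.userforest.example"
        TrustedDC     = if ($dcLine) { ($dcLine -split '\s+')[-1] } else { $null }
        # Output line looks like: "Trusted DC Connection Status Status = 0 0x0 NERR_Success"
        Status        = if ($statusLine) { $statusLine -replace '^.*Status\s*', '' } else { 'unknown' }
        Raw           = $out
    }
}

function Get-TrustDcLocatorResult {
    param([Parameter(Mandatory)][string]$TrustedDomain)

    # nltest /dsgetdc runs the DC locator (DNS SRV lookups under _msdcs.<domain>,
    # served from the Netlogon cache when possible) and reports which DC it chose.
    # Comparing this with the secure-channel partner above shows whether the
    # firewall rules need to cover every DC the locator may return.
    & nltest.exe "/dsgetdc:$TrustedDomain" 2>&1
}

Get-TrustSecureChannel    -TrustedDomain 'userforest.example' | Format-List TrustedDomain, TrustedDC, Status
Get-TrustDcLocatorResult  -TrustedDomain 'userforest.example'
```

Repeating `Get-TrustSecureChannel` on each resource-forest DC lists every user-forest DC currently in use, which is the set a firewall rule must allow for SSO to keep working.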