AD Cross-forest authentication – groups missing from PAC

Tags: active-directory, authentication, windows-server-2008-r2

I have an Active Directory setup consisting of 2 forests:

  • 1 multi-domain forest with 1 forest root domain, and 2 direct child domains
  • 1 single-domain forest for DMZ publishing purposes

I have created 3 outgoing trusts in the DMZ domain, 1 transitive forest trust against the forest root domain, and 2 External Non-transitive trusts (aka. Shortcut Trusts).

All DC's in all four domains are Global Catalog servers.

I've tried to visualize it below:
(Diagram: DMZ/Internal Trust relations)

Now, here is the problem. When I grant access on a resource in dmzRoot.tld to a security group in the childA domain, it works for users in childA who are members of the security group, but not for users in the childB domain, even though they are members of the security group in childA.

Let's say I want to give local administrator access to a member server in the dmzRoot.tld for example. I add childA.ForestRoot.tld\dmzAdministrators to the local builtin Administrators group on the member server.

childA.ForestRoot.tld\dmzAdministrators has the following members:

  • childA\dmzAdmin
  • childB\superUser

Now, if I authenticate as childA\dmzAdmin, I can log on to the member server as a local Administrator, and if I take a look at the output from whoami /groups, the childA.ForestRoot.tld\dmzAdministrators group is clearly listed.

If I authenticate as childB\superUser however, I get a message that the account is not authorized for remote logon. If I check whoami /groups for the childB\superUser account, the childA.ForestRoot.tld\dmzAdministrators group is NOT listed.

It almost seems like the childA group SID's never get included in the PAC when authenticating childB users, even though all DC's are GC's.

I disabled PAC validation on the machine in dmzRoot.tld that I tested it on, but this did not help.

Any suggestions as to how I troubleshoot this effectively? How do I follow the trail of authentication to determine where it fails?

Best Answer

Turns out that the Shortcut trusts were causing the problem.

When AD Kerberos authentication travels across domains, the target realm (i.e. dmzRoot.tld) identifies a trust relationship through which the user's originating realm (e.g. childA.ForestRoot.tld) is a trusted domain.

Since both the transitive forest trust towards ForestRoot.tld and the external trust (shortcut trust) towards childA match that condition, the target realm has to choose one, and the shortcut trust takes precedence (because it is explicit) over the implicit trust relationship in the forest trust.

Since SID filter quarantining is enabled on outgoing trusts by default, only SID's from the trusted realm (in this case, the childA domain) will be honoured upon authentication; foreign SID's will be filtered out.

In conclusion, there are two solutions to this:

  • Remove the External Trusts, and rely on the Forest trust. Since the forest trust is transitive, all SID's from within the entire forest will remain in your token.
  • Disable SID Filter Quarantining on the outgoing trust from the dmzRoot.tld domain.

Hope that made sense.