Hello all,
Here's my scenario. I have two untrusted domains (in 2 different untrusted
forests), domain1 and domain2.
Machine1 is a machine in domain1.
Machine2 is a machine in domain2 which runs SQL Server 2000.

I am trying to connect to the SQL Server on machine2 (in domain2)
from machine1 using the credentials 'domain2\administrator'.

I use 'LogonUser' with the LOGON32_LOGON_NEW_CREDENTIALS flag and do an
ImpersonateLoggedOnUser later.

According to the MSDN documentation for the LOGON32_LOGON_NEW_CREDENTIALS
flag:

"This logon type allows the caller to clone its current token and specify
new credentials for outbound connections. The new logon session has the same
local identifier but uses different credentials for other network
connections. This logon type is supported only by the
LOGON32_PROVIDER_WINNT50 logon provider. Windows NT: This value is not
supported."

Both LogonUser and ImpersonateLoggedOnUser succeed. This is expected.

Later, when I do an 'Open' call on an ADODB::Connection object (to connect to
the SQL Server on machine2.domain2), I can connect to it successfully.

I am curious to know how this works.
Does it work using Kerberos or NTLM?

I expected it to be NTLM.

I used Ethereal to trap the communication. I noticed that machine1 tries to
authenticate with the domain controller of domain2.

I would like to know how a machine (here machine1 in domain1) can
authenticate with a domain controller in an untrusted forest.

It's kind of a longish question. Thanks for your patience.

Regards
Swapnil D.
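The sequence the post describes (LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, impersonate, open an integrated-authentication connection, revert), as an added PowerShell example that is not the poster's code. It assumes Windows PowerShell 5.1 on Machine1; the names machine2.domain2 and domain2\administrator are the post's own placeholders, and the auth_scheme query needs SQL Server 2005 or later rather than the post's SQL Server 2000.

```powershell
# Added example (not from the original post): NEW_CREDENTIALS logon via P/Invoke,
# assuming Windows PowerShell 5.1 on Machine1.
$Native = Add-Type -Namespace Win32 -Name NativeLogon -PassThru -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NEW_CREDENTIALS = 9   # clone the caller's token, swap outbound credentials
$LOGON32_PROVIDER_WINNT50      = 3   # the only provider that supports this logon type

# Prompt for the domain2 account instead of hardcoding a password.
$cred = Get-Credential -UserName 'domain2\administrator' -Message 'Outbound credentials for domain2'
$net  = $cred.GetNetworkCredential()

$token = [IntPtr]::Zero
if (-not $Native::LogonUser($net.UserName, $net.Domain, $net.Password,
        $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw [ComponentModel.Win32Exception]::new($err)
}
# With NEW_CREDENTIALS the password is not validated here: LogonUser succeeds for any
# password, and a wrong one only shows up at the first outbound authentication.

$ctx  = [Security.Principal.WindowsIdentity]::Impersonate($token)
$conn = $null
try {
    # The local identity is unchanged; only network connections use the new credentials.
    "Local identity while impersonating: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

    $conn = New-Object System.Data.SqlClient.SqlConnection 'Server=machine2.domain2;Integrated Security=SSPI'
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # SUSER_SNAME() shows which login SQL Server saw; auth_scheme (SQL Server 2005+)
    # reports NTLM or KERBEROS for this session, i.e. the answer to the poster's question.
    $cmd.CommandText = 'SELECT SUSER_SNAME() AS login, auth_scheme ' +
                       'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $r = $cmd.ExecuteReader()
    while ($r.Read()) { "SQL Server saw login $($r['login']) via $($r['auth_scheme'])" }
    $r.Close()
}
finally {
    # Always revert and release the token, even when Open() fails.
    if ($conn) { $conn.Dispose() }
    $ctx.Undo()
    [void]$Native::CloseHandle($token)
}
```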

Re: Authentication across untrusted domains by S

S
Wed Mar 29 04:25:56 CST 2006

The short answer is - because it can. An analogy is that any client, using
IE or Mozilla Firefox, can browse to the resources that use integrated
authentication. Computer membership in the forest is only required to
integrate access to resources on that computer - that does include
interactive logon.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Swapnil D" <none> wrote in message
news:%23CfpQhvUGHA.5172@TK2MSFTNGP12.phx.gbl...
> Hello all,
> Here's my scenario. I have two untrusted domains (in 2 different untrusted
> forests), domain1 and domain2.
> Machine1 is a machine in domain1.
> Machine2 is a machine in domain2 which runs SQL Server 2000.
>
> I am trying to connect to the SQL Server on machine2 (in domain2)
> from machine1 using the credentials 'domain2\administrator'.
>
> I use 'LogonUser' with the LOGON32_LOGON_NEW_CREDENTIALS flag and do an
> ImpersonateLoggedOnUser later.
>
> According to the MSDN documentation for the LOGON32_LOGON_NEW_CREDENTIALS
> flag:
>
> "This logon type allows the caller to clone its current token and specify
> new credentials for outbound connections. The new logon session has the
> same local identifier but uses different credentials for other network
> connections. This logon type is supported only by the
> LOGON32_PROVIDER_WINNT50 logon provider. Windows NT: This value is not
> supported."
>
> Both LogonUser and ImpersonateLoggedOnUser succeed. This is expected.
>
> Later, when I do an 'Open' call on an ADODB::Connection object (to connect
> to the SQL Server on machine2.domain2), I can connect to it successfully.
>
> I am curious to know how this works.
> Does it work using Kerberos or NTLM?
>
> I expected it to be NTLM.
>
> I used Ethereal to trap the communication. I noticed that machine1 tries
> to authenticate with the domain controller of domain2.
>
> I would like to know how a machine (here machine1 in domain1) can
> authenticate with a domain controller in an untrusted forest.
>
> It's kind of a longish question. Thanks for your patience.
>
> Regards
> Swapnil D.
>
>