Active Directory Authentication Through a Trust and Querying For Users From Trusted Domain

Question

Domain A (Forest Tree Root) (Primary Domain)

Domain B (Direct Outbound) (Direct Inbound)

There is a two way trust between the two Forests Domain A/B. This scenario is used to connect two companies together.

Now, lets say we have an application that uses active directory to authenticate on Domain A.

A user from Domain B is added to a group that exists in Domain A that allows them access to that application. This applications uses ADSI to connect to the Domain A domain controller for user authentication.

First Question: By using ADSI from the domain controller on Domain A, will it know to traverse the trust and validate the user in Domain B? Or does the application need to specifically point to the domain controller on Domain B as well.

Second Question: To get a listing of all users in Domain B from Domain A will I be able to query this for example in powershell using ADSI/LDAP from a domain controller in Domain A or will I specifically need to hit a domain controller in Domain B?

Thanks!

Answer 1

1) The application won't be using ADSI to authenticate a user. ADSI is a COM interface, not a network authentication protocol. It will be using Kerberos or LDAP. It's very useful to know what protocol it's actually using, since AD trusts only apply to Kerberos auth.

1a) If the application is using Kerberos, it will send its service ticket request to the local DC. That will check for the relevant SPN and then return a referral to a DC in the target domain. The workstation will then request a service ticket from the target domain DC and then access the application. That process is described towards the end of this article.

1b) If your application is using LDAP, then it needs to be configured to point to one or more DCs in the target domain. You can use the domain name itself as the target, although I'd check latency differences between using a hard-coded DC name and just the domain name. If you use a hard-coded DC name, you should have some way of defining one or more secondary target DCs if the first one is down.

2) If you're doing LDAP queries (via ADSI or otherwise), you need to specify the actual target domain, and an account that has permissions to do LDAP searches there (such as any account in the target domain). You may need to specify an actual DC name (I haven't tested it). Your local domain has referrals to the trusting domain - it doesn't store any of the actual objects in it.