Cross Forest Group Memberships

tyler.lloyd

Hi,

I have a web application that requires the lookup of group memberships.
I'm currently using the WindowsPrincipal.isinrole, which has been
working great, however I now have to extend the application to support
multiple (3) forests. It seems from initial testing that the
WindowsIdentity token does not contain \ validate cross-forest
memberships as all the checks are coming back negative. I'm a little
worried as the only other option I can think of is directly binding to
those remote groups and searching their members list (Plus the nested
groups?). This could be quite time consuming, as there are easily 20
groups per Forest. Is there another way I can go about this? Any help
would be most appreciated.

Thanks
Tyler
 
Dominick Baier [DevelopMentor]

Hi,

do you have cross forest trusts between the forests?
 
Dominick Baier [DevelopMentor]

Hi,

try the following command:

whoami /groups

while logged on with the account in question - do you see the groups from
the other forests?

(whoami is included in w2k3 or the windows resource kit)
 
tyler.lloyd

Hi Dominick,

I tried the whoami command and it listed everything but the cross
forest members. I tried nesting my account in another Domain local
group in the remote forests which also didn't show up. The trust in
place is a two way external. The functional level is 2003.

Thanks
Tyler
 
Dominick Baier [DevelopMentor]

Hi,

when whoami does not show the groups - there is a system/domain config issue
- I remember vaguely that there is an "account firewall" in cross forest trusts
- maybe something is still locked down...
 
tyler.lloyd

Thanks so much for your help, I will look into that and see if I can
find out why / how it's being blocked.

Thanks again
Tyler
 
tyler.lloyd

Thank you both for the help so far; I checked the Trust authentication
type and everything is set to Forest-Wide Authentication. Just to
further help identify the issue, currently my account resides in Forest
A. This account is nested into a Domain Local group located in forest
B. I have rebooted my machine after the group membership change.
Whoami should show Domain Local groups correct?

Thanks
Tyler
 
tyler.lloyd

Follow-up:

I just finished talking with MS Dev support. My summary of the
discussion is as follows.
When a user logs into a domain account the token will contain the
following group memberships:
1) All the Global and Universal groups the user account is a member of
within the forest the account resides.
2) All the Domain Local groups the user is a member of in the
"resource" domain or "machine" domain (Domain the computer is
part of)

So the only way to see the Domain Local groups in your token is to
login to a computer that is a member of the domain that holds those
groups.

Furthermore I was told the only way to provide this functionality
(without logging into a computer in the remote forest) is to make an
LDAP call to that forest and array through each group's members. Yuk.

More Reading
http://www.microsoft.com/resources/...s/en-us/sag_AdunderstandGroups.asp?frame=true
http://www.microsoft.com/resources/...s/en-us/security_accesscontrol.asp?frame=true
Hope this helps anyone that may come across this issue in the future.

Thanks
Tyler
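The LDAP approach described in the post above amounts to walking each remote group's `member` attribute transitively, since the token will never carry Domain Local groups from a forest the machine is not joined to. The following is an added example, not code from the thread or from Microsoft: it implements that transitive walk over a constructed in-memory snapshot of a "Forest B" directory (group DNs, a placeholder ForeignSecurityPrincipal SID for the Forest A user, and a deliberate nested-group cycle) so it runs offline. The `snapshot_lookup` function is the hypothetical stand-in for an LDAP read of a group's `member` attribute; against a real directory you would replace it with a search that returns `None` for objects that are not groups.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed snapshot of Forest B: group DN -> member DNs (users or nested
# groups). In a real directory a cross-forest user appears inside the remote
# forest's groups as a foreignSecurityPrincipal object named by its SID.
FSP_USER = ("CN=S-1-5-21-111-222-333-1104,CN=ForeignSecurityPrincipals,"
            "DC=forestb,DC=example")  # placeholder SID for the Forest A user
FOREST_B_GROUPS: Dict[str, List[str]] = {
    "CN=AppAdmins,OU=Groups,DC=forestb,DC=example": [
        "CN=Helpdesk,OU=Groups,DC=forestb,DC=example",
        "CN=bob,OU=Users,DC=forestb,DC=example",
    ],
    "CN=Helpdesk,OU=Groups,DC=forestb,DC=example": [
        FSP_USER,
        "CN=CycleA,OU=Groups,DC=forestb,DC=example",
    ],
    # CycleA and CycleB contain each other: a naive recursion would never end.
    "CN=CycleA,OU=Groups,DC=forestb,DC=example": [
        "CN=CycleB,OU=Groups,DC=forestb,DC=example",
    ],
    "CN=CycleB,OU=Groups,DC=forestb,DC=example": [
        "CN=CycleA,OU=Groups,DC=forestb,DC=example",
    ],
    "CN=AppReaders,OU=Groups,DC=forestb,DC=example": [
        "CN=carol,OU=Users,DC=forestb,DC=example",
    ],
}

Lookup = Callable[[str], Optional[List[str]]]


def snapshot_lookup(dn: str) -> Optional[List[str]]:
    """Hypothetical stand-in for an LDAP read of a group's `member` attribute.
    Returns the member list for a group DN, or None if the DN is not a group."""
    return FOREST_B_GROUPS.get(dn)


def expand_members(group_dn: str, lookup: Lookup = snapshot_lookup) -> Set[str]:
    """Return every non-group principal reachable from group_dn.

    Nested groups are followed; the visited set is what keeps a cycle of
    nested groups (CycleA <-> CycleB above) from looping forever."""
    visited: Set[str] = set()
    principals: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member_dn in lookup(dn) or []:
            if lookup(member_dn) is None:
                principals.add(member_dn)   # user / FSP / computer: a leaf
            else:
                stack.append(member_dn)     # nested group: keep walking
    return principals


def is_member(principal_dn: str, group_dn: str,
              lookup: Lookup = snapshot_lookup) -> bool:
    """Transitive membership test; DNs are compared case-insensitively."""
    wanted = principal_dn.casefold()
    return any(p.casefold() == wanted for p in expand_members(group_dn, lookup))


def check_groups(principal_dn: str, group_dns: List[str],
                 lookup: Lookup = snapshot_lookup) -> Dict[str, bool]:
    """The '20 groups per forest' case: one result per group the app cares about."""
    return {g: is_member(principal_dn, g, lookup) for g in group_dns}


if __name__ == "__main__":
    for group, ok in check_groups(FSP_USER, list(FOREST_B_GROUPS)).items():
        print(f"{'member' if ok else 'not member':>10}  {group}")
```

Each `expand_members` call re-reads every group on the path, so against a real forest the per-request cost grows with nesting depth times group count; caching the expanded set per group for the lifetime of a request (or a short TTL) is the usual way to keep the web application's role checks affordable, and the visited set matters just as much there, since nested-group cycles are legal in Active Directory.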
 
Dominick Baier [DevelopMentor]

Hi,

yes - but domain local groups are not the right group type anyway - as the
name says...
 
tyler.lloyd

But are not Domain Locals the only group type that will allow cross
forest nesting?

Thanks
Tyler
 