IADDSWSE

5.5 Assign permissions to trusted identities for Selective Authentication Trust Relationship

Hello. In part 2 of Administering a Trust Relationship, we created a one-way trust between the SnoOpy.org and SnoOpy.net domains.

Now, before we start authenticating users from SnoOpy.net to SnoOpy.org, let's look at how to assign permissions to trusted identities (users of SnoOpy.net).

[00:10] In the meantime, I recommend you review how trust relationship models and resource access work:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787646(v=ws.10)

This step implements "Selective Authentication" on the trust, rather than the default "Domain-wide" authentication. With selective trusts, administrators can make flexible access control decisions between external domains.

First, we assign permissions on objects in the SnoOpy.org forest to its own users.

Then we do the same for users in SnoOpy.net, so that SnoOpy.org can authenticate users/objects from SnoOpy.net over the one-way trust relationship just created, as it does with its own users (this is the spirit of a trust).

[00:55] Create a local user account, then assign it permissions on directories and computer accounts.


Computer accounts require the Advanced Mode of the ADUC console.

Now switch the trust's authentication mode from Domain-wide to Selective, to allow authentication for selected remote users instead of for all users, as Domain-wide does.

Then assign permissions on objects of SnoOpy.org to those foreign users from SnoOpy.net.

[03:30] Create a user account in SnoOpy.net (Y) to use for the permission assignments on the SnoOpy.org forest side (X).


[04:08] Switch to the DC machine of SnoOpy.org, then add the remote user DuongMinhThang in the Security section of the Contract folder, as we did first with the local user DMT.


[04:58] By defining Selective Authentication, we implicitly also need to allow objects (users) to be authenticated with the DC of SnoOpy.org (the gatekeeper).


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755844(v=ws.10)

[05:26] You need to prefix the remote user with its domain for the Check Names function to work.


[05:34] Enter administrative credentials for the SnoOpy.net forest to verify this user.


[05:50] Remote user's rights have been assigned successfully!


[05:56] In fact, there is one extra step: log on to a machine in the SnoOpy.net forest with that foreign user account, then access the shared folder "Contract" of SnoOpy.org to verify that the trust makes the two domains work together seamlessly and that permissions take effect as defined.


However, I guarantee that it is going to work, though; we set them up as guidelines.

https://www.itprotoday.com/security/selective-authentication
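
To check the result of the steps above from PowerShell instead of ADUC, the following added example (not part of the original walkthrough) reports whether the trust to SnoOpy.net is in Selective mode and which principals from outside SnoOpy.org hold the "Allowed to Authenticate" right on its computer objects. It assumes the RSAT ActiveDirectory module on a SnoOpy.org DC; the variable names are illustrative.

```powershell
# Added example, not from the original walkthrough. Run on a SnoOpy.org DC.
# Assumes the RSAT ActiveDirectory module (provides Get-ADTrust and the AD: drive).
Import-Module ActiveDirectory

$TrustedDomain = 'SnoOpy.net'   # trusted side of the one-way trust in this series
# rightsGuid of the "Allowed to Authenticate" control access right
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$InheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# 1. Confirm the trust is really in Selective mode.
$trust = Get-ADTrust -Identity $TrustedDomain
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Trust to $TrustedDomain is not Selective: all trusted users can authenticate."
}

# 2. List principals from outside this domain that may authenticate to each computer.
$localSid = (Get-ADDomain).DomainSID
$sidType  = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($computer in Get-ADComputer -Filter *) {
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    # Request SIDs so foreign accounts are classified without name resolution.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $domainSid = $ace.IdentityReference.AccountDomainSid
        # Skip well-known SIDs (no domain part) and accounts of the local domain.
        if ($null -eq $domainSid -or $domainSid.Value -eq $localSid.Value) { continue }

        # An Allow ACE grants the right if it names it or covers all extended rights.
        $grants = $ace.AccessControlType -eq 'Allow' -and
                  ($ace.ActiveDirectoryRights -band $ExtendedRight) -and
                  -not ($ace.PropagationFlags -band $InheritOnly) -and
                  ($ace.ObjectType -eq $AllowedToAuth -or $ace.ObjectType -eq [guid]::Empty)
        if (-not $grants) { continue }

        [pscustomobject]@{
            Computer  = $computer.Name
            Principal = $ace.IdentityReference.Value   # SID of the foreign user or group
            Inherited = $ace.IsInherited
            AllRights = ($ace.ObjectType -eq [guid]::Empty)
        }
    }
}

$report | Sort-Object Computer, Principal | Format-Table -AutoSize
```

An empty report with the trust in Selective mode means no foreign user can authenticate to any computer yet, so access to the Contract share will be refused even when the folder ACL lists that user.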

[06:03] More info about the trust relationship:


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc977993(v=technet.10)


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)

I'm sure that you will get more excitement from AD RMS and AD FS as better candidates against Trust; keep track of my YouTube channel :3
