Wednesday, June 11, 2008

Cross-forest authentication and GP processing

This post describes the use of UDP versus TCP Kerberos in cross-forest access, Kerberos logging, network requirements, cross-forest user-based group policy processing and authentication protocols. I have used this information to provide firewall rules between forests, diagnose Kerberos issues and just generally have a better understanding of what's happening with cross-forest access in an enterprise environment.

Cross-forest management

Whether a standard authentication request is being made or an administrative function is being performed affects whether Kerberos over TCP or Kerberos over UDP is used.

Using the standard GUI object picker, setting up trust relationships, or management scripting using ADSI/LDAP makes use of Kerberos UDP Port 88, whereas an actual authentication request - an interactive user logon - will use Kerberos TCP Port 88.

This is an important distinction when setting up firewall rules, although Kerberos can be modified to use only TCP if required.

Kerberos Logging and utilities

Turn on detailed Kerberos logging (see the 'Troubleshooting Kerberos Errors' reference for more information).

Useful utilities:
- Kerbtray, klist - show/purge tickets and TGT information
- tokensz - Show the token size, useful for determining if the Privilege Attribute Certificate (PAC) data in the TGT will be over-sized, causing UDP transmission to fail.
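As an added example (not from the original post), the script below applies the Microsoft token-size rule of thumb (TokenSize = 1200 + 40d + 8s, KB 327825) to a user's transitive group list and flags accounts whose Kerberos exchange will not fit the UDP limit (MaxPacketSize, 1465 bytes by default on XP/2003 per KB 244474), tying together the UDP/TCP distinction above and the tokensz note. The user DN, the 1465-byte default and PowerShell 2.0 or later are assumptions.

```powershell
# Added example (not from the original post): estimate a user's Kerberos token size with the
# Microsoft rule of thumb TokenSize = 1200 + 40d + 8s (KB 327825) and compare it with the
# Kerberos UDP threshold, MaxPacketSize (default 1465 bytes on XP/2003, see KB 244474).
# Needs PowerShell 2.0+ on a domain member; $UserDn is an assumed DN, replace it with a real one.
param(
    [string]$UserDn   = "CN=jdoe,OU=Users,DC=forestA,DC=example",   # assumption
    [int]   $UdpLimit = 1465
)

$user = [ADSI]("LDAP://" + $UserDn)
$user.psbase.RefreshCache(@("tokenGroups"))      # constructed attribute: full transitive SID list, nesting included
$userSid       = New-Object System.Security.Principal.SecurityIdentifier($user.psbase.Properties["objectSid"].Value, 0)
$accountDomain = $userSid.AccountDomainSid

$d = $user.psbase.Properties["sIDHistory"].Count  # SID-history entries travel in the PAC at the 40-byte weight
$s = 0
foreach ($bytes in $user.psbase.Properties["tokenGroups"]) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try {
        $grp  = [ADSI]("LDAP://<SID=" + $sid.Value + ">")
        $type = $grp.psbase.Properties["groupType"].Value
        if ($type -eq $null) { throw "no groupType" }  # e.g. a foreign security principal
    } catch {
        $d++; continue                                # unresolvable: count it at the larger weight
    }
    if (([long]$type -band 0x80000000) -eq 0) { continue }   # distribution group: not in the token
    $domainLocal = ([long]$type -band 0x4) -ne 0
    $universal   = ([long]$type -band 0x8) -ne 0
    $sameDomain  = ($sid.AccountDomainSid -ne $null) -and ($sid.AccountDomainSid.Value -eq $accountDomain.Value)
    if ($domainLocal -or ($universal -and -not $sameDomain)) { $d++ } else { $s++ }
}

$estimate = 1200 + 40 * $d + 8 * $s
"{0}: d={1} s={2} estimated token size {3} bytes (UDP limit {4})" -f $UserDn, $d, $s, $estimate, $UdpLimit
# The PAC is only part of the AS-REP, so an estimate near the limit already means UDP exchanges fail or fall back to TCP.
if ($estimate -ge $UdpLimit) {
    "Expect Kerberos over TCP 88 for this account; with UDP-only firewall rules the logon will fail."
    "To make every client use TCP regardless of message size, set MaxPacketSize=1 (KB 244474):"
    '  reg add HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v MaxPacketSize /t REG_DWORD /d 1 /f'
}
```

The estimate is a planning aid; tokensz reads the real token from LSA and is the authoritative check for a specific logon.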

Network Ports for Kerberos

Port requirements for Kerberos:

- 53/UDP and 53/TCP, DNS service: The internal DNS server needs to be accessible to all clients for the location of KDC computers. The Active Directory domain controllers need to be able to access external DNS servers for resolving external domain name requests.
- 88/TCP and 88/UDP, Kerberos ticket-granting service: All clients need to be able to connect to this port on the KDC servers.
- 123/UDP, Time service: All clients need to be able to connect to this port for time synchronization, either to an internal time server or to an external time source. The internal time server will need to connect to an external time source to synchronize.
- 464/TCP, Microsoft Windows 2000 Kerberos change password protocol: This port is also used by the kpasswd protocol. This port should only be open if clients use the kpasswd protocol.

Cross-domain Group Policy processing

When logging on to a computer in another domain with an account in a trusted domain, group policy is not applied by default. To change this behaviour, the 'Allow Cross-Forest User Policy and Roaming Profiles' policy setting must be set to enabled. If enabled, user policy will be applied from the user's forest, and roaming profiles will be available if configured and accessible.

Once cross-forest policy processing has been enabled, accessing that cross-forest Group Policy has the following requirements:

  • SMB/NetBIOS over TCP/IP access from the machine being logged on to (which is not necessarily a DC in the computer's domain, and could be a member server or workstation) to a Domain Controller in the user's domain.
  • LDAP over TCP from the local trusting Domain Controller (the computer account domain) to a trusted Domain Controller in the user's forest.
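The firewall rules this post is about can be checked from the client side with the following script, an added example that is not part of the original post. It probes the TCP ports listed in the port table and in the two cross-forest Group Policy requirements above against a DC in the trusted forest; the hostname is an assumption, and the UDP ports cannot be confirmed by a plain connect, so they are only listed.

```powershell
# Added example (not from the original post): probe, from the machine you are on, the ports this post
# lists toward a DC in the trusted forest. $Server is an assumed hostname. A TCP connect shows whether a
# firewall passes the port; UDP 53/88/123 cannot be confirmed by a plain connect and are only listed.
param(
    [string]$Server    = "dc1.forestA.example",   # assumption: a DC in the user's (trusted) forest
    [int]   $TimeoutMs = 2000
)

# Ports from the table above plus the two cross-forest GP requirements (389 from the trusting DC, SMB from the client).
$ports = @(
    @{ Port = 53;  Proto = "TCP"; Use = "DNS, KDC location" },
    @{ Port = 53;  Proto = "UDP"; Use = "DNS, KDC location" },
    @{ Port = 88;  Proto = "TCP"; Use = "Kerberos, interactive logon" },
    @{ Port = 88;  Proto = "UDP"; Use = "Kerberos, object picker / trust setup / ADSI scripting" },
    @{ Port = 123; Proto = "UDP"; Use = "Time synchronisation" },
    @{ Port = 464; Proto = "TCP"; Use = "Kerberos change password (kpasswd), only if used" },
    @{ Port = 389; Proto = "TCP"; Use = "LDAP, trusting DC to trusted DC for cross-forest GP (run this from the DC)" },
    @{ Port = 139; Proto = "TCP"; Use = "NetBIOS session, client to DC in user's domain for cross-forest GP" },
    @{ Port = 445; Proto = "TCP"; Use = "SMB, client to DC in user's domain for cross-forest GP" }
)

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return "FILTERED/TIMEOUT" }
        $client.EndConnect($ar)            # throws if the connection was refused or reset
        return "OPEN"
    } catch {
        return "REFUSED"
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    $state = if ($p.Proto -eq "TCP") { Test-TcpPort $Server $p.Port $TimeoutMs } else { "UDP, not tested" }
    "{0,5}/{1,-3} {2,-17} {3}" -f $p.Port, $p.Proto, $state, $p.Use
}
```

A FILTERED/TIMEOUT result on 88/TCP with 88/UDP allowed is the classic symptom of firewall rules written only for the administrative (UDP) case.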

Cross-domain authentication

Many different scenarios exist for authenticating across domains and forests, depending on the request type, the domain trusts, the trust types, the OS types, name resolution and Active Directory domain levels.

In a default Windows 2000 or Windows Server 2003 domain, Kerberos is usually the protocol of choice. When Kerberos is unavailable, for example due to network access or time synchronisation issues, NTLM/NTLMv2 will be used. Each protocol has different requirements.

Excerpt from the references below:

In an Active Directory environment the Kerberos-based authentication process is most commonly used. To access a shared resource in another domain by using Kerberos authentication, a computer where the user logs on first requests a ticket from a domain controller in its account domain to the server in the trusting domain that hosts the requested resource. This ticket is then issued by an intermediary trusted by both the requesting computer and the server. The computer then presents this trusted ticket to the server in the trusting domain for authentication. This process, however, becomes more complex when a workstation in one forest attempts to access data on a resource computer in another forest.

In this case, the Kerberos authentication process contacts the domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and determines that the SPN is not in the same forest as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and continues to follow the referral chain until it reaches the domain where the resource is located. For more detailed information about how authentication requests are processed across domains and forests, see 'How Domain and Forest Trusts Work.'


References

- Documentation on domains and forests, including Kerberos and NTLM
- How to configure Windows 2003 SP1 firewall for a Domain Controller (KB 555381)
- Domain and Forest Trust Tools and Settings
- How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000 (KB 244474)
- Active Directory Replication over Firewalls
- Troubleshooting Kerberos Errors
- Download token size (tokensz)

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.


Anonymous said...


I have a question about Cross Forest Authentication and AD Sites/Subnets. Given that sites from Forest A are not respected on computers in Forest B, how can I isolate the traffic to a specific list of DCs in Forest A? I have a firewall between the two networks and do not want to permit all clients in Forest B to talk to all DCs in Forest A.

Wayne Martin said...

Hi Greg, sounds like you need cross-forest site synchronisation - enabling clients in one forest to understand the topology of another forest when using the DC locator.

Essentially this would mean that Forest B would contain sites from Forest A and a site link between the forest B client site and Forest A's site (in Forest B). When Client B or DC B wants to talk to Forest A, it would then be able to determine the closest site and query DNS for a DC in that site (assuming Forest B has access to Forest A's msdcs).

Have a read of this post and the references in the post:

