Questions regarding SID, SIDHistory, trust and resource sharing

Dear Support,

Hope you guys are doing good.

Please excuse my limited understanding. I have a few questions that need to be answered and explained.

Q1: In the case of a forest trust and an external trust, the SID and SIDHistory of which groups (Domain Local, Global and Universal) will cross the trust while accessing resources in a different forest?

Q2: What is the difference between a forest trust and an external trust in terms of SID, SIDHistory and group scope (Domain Local, Global and Universal) while accessing resources?

Q3: After the user has been authenticated by their home domain, if the user wants to access files/folders in a resource domain (different forest), does the resource domain also have to authenticate the user before granting access, or does the resource domain only play a role in the authorization process? Could you please briefly explain the workflow for this scenario?

Thank you!

  • Thank you

    There are 3 related follow-up questions.

    As per thread: https://www.quest.com/community/migration-manager-for-ad/f/forum/31586/access-token-related-query

    Q1: You mentioned: "In an inter-forest logon with an external trust, only the universal groups from within the trusted domain are included." But in the above reply there is no such difference between a forest trust and an external trust in terms of group scope. Kindly clear this up and explain the statement "only the universal groups from within the trusted domain are included".

    Q2: You mentioned:

    When you try to access a resource on a remote server, that server will authenticate your request, following the same path as above.

    • Domain User
    • Server's Local Groups
    • Server's Domain Local Groups
    • Authenticating Domain Global Groups and Forest Global Groups

    So I just want to confirm that "Authenticating Domain Global Groups and Forest Global Groups" means the user's logon domain, not the resource (remote server) domain. Correct?

    Q3: So does it mean that authentication via the resource domain occurs because of the server's Domain Local groups and the server's Local groups only?

    Please clarify the above related queries.

  • Q1. All forest universal groups are in the GC, and the GC plays a role in authentication. So all Universal.

    Q2: Yes, that is what "authenticating Domain" meant.

    Q3: Not really a valid question.
    So does it mean that authentication via the resource domain occurs because of the server's domain membership in the resource domain?

  • In the case of an external trust, if a user logs in to the trusted domain then his access token will have the trusted domain's Global Groups as well as the trusted domain's Universal Groups. Correct? Please confirm.

    The Global Catalog plays an authentication role in a multi-domain forest for Universal Group membership information.

  • Source\users will only ever have source\%global groups%, regardless of the membership of the host they log in to. Additionally, Source\users will only have Source (Forest)\%Universal Groups%.

    I really am done talking about this.
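One way to check the rule stated in the replies above on an actual resource server is to classify the SIDs in the user's token by the domain that issued them. The following is an added example, not code from the thread or from Quest: it parses constructed `whoami /groups /fo csv /nh` output, and the domain SID prefixes and domain names (SOURCE, CHILD, RESOURCE) are made up for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed mapping of domain SID prefixes to domain names (assumption, not real domains).
DOMAIN_SIDS = {
    "S-1-5-21-1000-2000-3000": "SOURCE",    # user's logon domain (trusted forest)
    "S-1-5-21-1001-2001-3001": "CHILD",     # another domain in the source forest (universal groups)
    "S-1-5-21-4000-5000-6000": "RESOURCE",  # resource domain of the server being accessed
}

# Constructed sample of `whoami /groups /fo csv /nh` as captured on the resource server.
SAMPLE = '''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"SOURCE\\Domain Users","Group","S-1-5-21-1000-2000-3000-513","Mandatory group, Enabled by default, Enabled group"
"SOURCE\\App-Admins","Group","S-1-5-21-1000-2000-3000-1105","Mandatory group, Enabled by default, Enabled group"
"CHILD\\Forest-Universal","Group","S-1-5-21-1001-2001-3001-1200","Mandatory group, Enabled by default, Enabled group"
"RESOURCE\\Share-Readers","Alias","S-1-5-21-4000-5000-6000-1301","Mandatory group, Enabled by default, Enabled group"
"S-1-5-21-7000-8000-9000-1050","Unknown SID type","S-1-5-21-7000-8000-9000-1050","Mandatory group, Enabled by default, Enabled group"
'''


def domain_prefix(sid):
    """Return the domain part of a domain SID (everything before the RID), or None."""
    if not sid.startswith("S-1-5-21-"):
        return None  # BUILTIN (S-1-5-32-*) and well-known SIDs are not issued by a domain
    return sid.rsplit("-", 1)[0]


def classify_token(csv_text, domain_sids=DOMAIN_SIDS):
    """Bucket each token SID by the domain that issued it.

    Domain SIDs with a prefix not in domain_sids land in 'UNRESOLVED'; on a
    resource server such a SID is a candidate SIDHistory entry (or an orphaned
    SID) from a domain the server cannot resolve, and worth investigating.
    """
    buckets = defaultdict(list)
    for _name, _type, sid, _attrs in csv.reader(io.StringIO(csv_text)):
        prefix = domain_prefix(sid)
        if prefix is None:
            buckets["LOCAL/WELL-KNOWN"].append(sid)
        else:
            buckets[domain_sids.get(prefix, "UNRESOLVED")].append(sid)
    return dict(buckets)


if __name__ == "__main__":
    for origin, sids in classify_token(SAMPLE).items():
        print(f"{origin:17} {len(sids)} SID(s): {', '.join(sids)}")
```

Global groups show up only under the user's own domain (SOURCE) and universal groups under any domain of the source forest (CHILD), while the resource domain contributes its own domain local groups (RESOURCE), which matches the replies above.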