How to create a trust in Windows Server 2008 R2
Business scenario
- We have two domains (PUB and CORP) in two forests with a one way trust between them.
- PUB trusts CORP but CORP doesn’t trust PUB
- Both PUB and CORP contain user accounts that need to be authenticated and federated via ADFS
- The ADFS server is joined to the PUB domain
- Anonymous bind is established on both domains
When a claims-based application protected by ADFS is accessed with the credentials of a user in the CORP domain, we get an error that reads something like:
"Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException:
POLICY0018: Query......"
This problem occurs because a one-way domain trust is configured. The ADFS service account needs rights to read attributes of users in the trusted domain; without them, ADFS has no way of issuing claims.
To resolve this problem:
- Have a two-way trust between the PUB and CORP domains if they are controlled by the same organization.
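The diagnostic below is an added example (not part of the original post) that reproduces the cause described above from the ADFS server's side: run it while logged on as the ADFS service account (for instance via runas) and it attempts to bind to the trusted domain and read the attributes a claim rule would typically query. The domain name corp.com comes from the scenario; the test user "jdoe" and the attribute list are assumptions you should replace with your own values.

```powershell
# Added diagnostic, not part of the original post. Run on the ADFS server as the
# ADFS service account (e.g. runas /user:PUB\svc_adfs powershell.exe).
# Assumptions: trusted domain corp.com, sample user "jdoe" (constructed values).
param(
    [string]$TrustedDomain  = "corp.com",
    [string]$SamAccountName = "jdoe"
)

Add-Type -AssemblyName System.DirectoryServices

# Attributes ADFS commonly reads when building claims; adjust to your claim rules.
$attributes = @("sAMAccountName", "userPrincipalName", "mail", "displayName", "memberOf")

# Bind with the caller's own Kerberos identity (no stored password). Across a
# trust that only runs PUB -> CORP, this bind is where a PUB account is refused.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TrustedDomain")
try {
    $null = $root.NativeObject   # forces the bind to happen now
} catch {
    Write-Warning ("Cannot bind to LDAP://{0} as {1}\{2}: {3}" -f `
        $TrustedDomain, $env:USERDOMAIN, $env:USERNAME, $_.Exception.Message)
    exit 1
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$attributes | ForEach-Object { $null = $searcher.PropertiesToLoad.Add($_) }
$result = $searcher.FindOne()

if ($null -eq $result) {
    Write-Warning "User $SamAccountName was not found (or is not readable) in $TrustedDomain"
    exit 2
}

# Report each attribute. An empty value for an attribute the user does have
# usually means the read ACL denies it to this account.
foreach ($attr in $attributes) {
    $value = $result.Properties[$attr.ToLower()]
    if ($value -and $value.Count -gt 0) {
        "{0,-20} OK  ({1} value(s))" -f $attr, $value.Count
    } else {
        "{0,-20} MISSING or not readable" -f $attr
    }
}
```

If the bind itself fails, the trust direction is the problem (the fix described in this post); if the bind succeeds but individual attributes come back empty, the trust is fine and the missing piece is read permission on those attributes.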
This tutorial will show you how to make a forest trust in Windows Server. A trust allows users in one domain to access resources in another domain. Trusts can be one-way or two-way. In a one-way trust, one domain’s users may access another domain’s resources, but not the other way around. In a two-way trust, users in both domains may access the other domain’s resources. Trusts can also be transitive or non-transitive. If two domains establish a transitive trust, it means that the domains trust each other as well as any other already trusted domains of the other domain.
Before a trust can be established, DNS must be set up between the two domains; this can be accomplished in a few different ways, by using stub zones, conditional forwarders, or Active Directory Federation Services. Also, the two domains must have the same, or close to the same, forest functional level. You can check the forest functional level by going to Administrative Tools -> Active Directory Domains and Trusts, then right-clicking the forest root and selecting Raise Forest Functional Level.
Conditional forwarder settings in pub.com
Go to the Start menu, open Run, and enter dnsmgmt.msc. This opens DNS Manager.
Go to Conditional Forwarders on the left side of DNS Manager.
Right-click Conditional Forwarders, select New Conditional Forwarder, and add the DNS domain and IP address.
After adding the DNS domain and IP address it appears as in the window below.
Conditional forwarder settings in corp.com
Go to the Start menu, open Run, and enter dnsmgmt.msc.
Go to Conditional Forwarders on the left side of DNS Manager, right-click Conditional Forwarders, select New Conditional Forwarder, and add the DNS domain and IP address.
After adding the DNS domain and IP address it appears as in the window below.
Expand Conditional Forwarders.
Two-way trust
The steps below are executed in the pub.com domain.
Go to Start menu --> Administrative Tools --> Active Directory Domains and Trusts.
Select the domain, right-click --> Properties; the window below appears.
Go to the Trusts tab.
Click New Trust; the window below appears.
Click Next.
Give the name as corp.com and click Next.
Select External trust --> Next.
Select the Two-way direction for the trust --> Next.
Select Both this domain and the specified domain --> Next.
Give corp.com administrative credentials --> Next.
Select Domain-wide authentication --> Next.
Click Next.
Click Next.
Select No, do not confirm the outgoing trust.
Select No, do not confirm the incoming trust.
Click Finish.
Open the pub.com properties.
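The wizard steps above can be reproduced and, more usefully, verified from the command line. The script below is an added example, not from the original post: it creates the same two-way external trust with netdom (available on 2008 R2 domain controllers), runs netdom's own verification, and then reads the trust back through .NET to confirm it is bidirectional and that SID filtering is still on. The account name CORP\Administrator is a placeholder for whichever corp.com account you use in the "administrative credentials" step.

```powershell
# Added example, not from the original post. Run on a pub.com domain controller
# as a PUB domain admin; /pd:* prompts for the corp.com credential's password.
$trusting  = "pub.com"              # the domain this script runs in
$trusted   = "corp.com"             # the other domain
$corpAdmin = "CORP\Administrator"   # placeholder for an account with rights in corp.com

Add-Type -AssemblyName System.DirectoryServices

# /add /twoway creates both directions in one step, which is what the wizard's
# "Both this domain and the specified domain" choice does; /ud and /pd supply
# the remote side's credentials. External trusts get SID filtering (/quarantine)
# by default; leave it enabled, ADFS does not need it off.
& netdom trust $trusting /d:$trusted /add /twoway /ud:$corpAdmin /pd:*
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

# Equivalent of the "confirm the trust" wizard pages: validates the secure channel.
& netdom trust $trusting /d:$trusted /verify
if ($LASTEXITCODE -ne 0) { Write-Warning "netdom trust /verify reported a problem" }

# Read the trust back from the domain and check the properties ADFS depends on.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$trust  = $domain.GetAllTrustRelationships() | Where-Object { $_.TargetName -eq $trusted }
if ($null -eq $trust) { throw "No trust with $trusted found from $($domain.Name)" }

"{0} -> {1}: type={2}, direction={3}" -f $trust.SourceName, $trust.TargetName,
    $trust.TrustType, $trust.TrustDirection

$bidir = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
if ($trust.TrustDirection -ne $bidir) {
    Write-Warning "Trust is $($trust.TrustDirection), not Bidirectional; ADFS in $trusting still cannot read $trusted users."
}

# SID filtering should remain enabled on an external trust so that SIDs injected
# by the other domain are discarded at the boundary.
if (-not $domain.GetSidFilteringStatus($trusted)) {
    Write-Warning "SID filtering is disabled on the trust to $trusted; re-enable it with 'netdom trust $trusting /d:$trusted /quarantine:yes'."
}
```

The final check is the one to keep in any change procedure: the direction line tells you immediately whether the one-way trust that caused the POLICY0018 error has actually become two-way.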