Layer7 Access Management


Windows Authentication (IWA/NTLM) on multi-domain using two-way AD trust

  • 1.  Windows Authentication (IWA/NTLM) on multi-domain using two-way AD trust

    Posted 11-20-2017 11:16 AM

    Scenario (see attached image): we have 4 AD domains (A.company.com, B.company.com, C.company.com, D.company.com) that are part of the forest COMPANY.COM. The four domains A, B, C and D are configured with a two-way trust with another domain, called EXTRA.COM, located in a different data center. Finally, EXTRA.COM is configured with a two-way trust with the main forest domain COMPANY.COM.
    Requirement: have Windows Authentication using NTLM for all the users of A, B, C and D domains.
    Idea: configure an IIS web server + Web Agent that handles the Windows Authentication scheme against only the COMPANY.COM forest root domain.
    Question: with this configuration, does NTLM Windows Authentication work for all the users of all the child domains A, B, C and D?
    Thanks and regards,

    Gabriele.
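The IIS side of the idea above, as an added example that is not part of the original post: enabling Windows Authentication on the site the Web Agent fronts and restricting the provider list to NTLM, which is what "Windows Authentication using NTLM" requires. The site name is an assumption; the CA SSO Web Agent configuration is not covered here. This is typed on the IIS host itself.

```powershell
# Added example, not from the original post. Site name is an assumption.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'   # assumption: the site protected by the Web Agent
$auth   = 'system.webServer/security/authentication'

# Anonymous must be off, otherwise IIS never challenges the browser and no
# NTLM handshake (and no NTLM pass-through to the DC) ever happens.
& $appcmd set config $site -section:"$auth/anonymousAuthentication" /enabled:"False" /commit:apphost

# Turn on Windows Authentication for the site. /commit:apphost writes to
# applicationHost.config, so the section's server-level lock does not matter.
& $appcmd set config $site -section:"$auth/windowsAuthentication" /enabled:"True" /commit:apphost

# The default provider list is Negotiate then NTLM. Removing Negotiate forces
# every client to use NTLM, which is the stated requirement; note that this also
# gives up Kerberos for clients that could have used it.
& $appcmd set config $site -section:"$auth/windowsAuthentication" /-"providers.[value='Negotiate']" /commit:apphost

# Show the effective configuration so the provider list can be checked.
& $appcmd list config $site -section:"$auth/windowsAuthentication"
```

After this, a browser on a workstation in any of the child domains should receive a `WWW-Authenticate: NTLM` challenge from the site; whether the resulting NTLM pass-through succeeds is decided by the trust path between the IIS server's domain and the user's domain, which is the question of the thread.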



  • 2.  Re: Windows Authentication (IWA/NTLM) on multi-domain using two-way AD trust
    Best Answer

    Posted 11-21-2017 09:02 AM

    Hi Gabriele,
    As long as NTLM authentication works on the AD side, it should also work when authenticating through CA SSO. I do not see any reason why NTLM authentication could not work in your main domain, as all the domains have a transitive two-way trust between them. When the authentication request comes to company.com, the DC will talk with the extra.com DC, and this one will do the same with the subdomain DC (like b.company.com), following the trust relationship design you deployed.
    You can check the following documents for more details regarding two-way transitive trusts and NTLM:
    https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx
    https://blogs.technet.microsoft.com/mir/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1/
    https://blogs.technet.microsoft.com/isrpfeplat/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments/
    As suggested in the last one, you could check with your MS admins whether adding shortcut trusts is possible, so that when the authentication request is handled in company.com it can use the shortcut to the subdomain directly, without having to go through the extra.com DC first.
    I hope it helps!
    Albert.
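A way to verify the trust path and the resulting logons that the answer above describes, as an added example that is not part of the original thread: it lists the trust edges each domain actually has (so the parent-child, forest-root and extra.com trusts and any shortcut trusts can be seen side by side), locates a DC for each child domain and verifies the extra.com trust, then reads Security event 4624 on the IIS server to show which account domain and authentication package each network logon used. Domain names come from the question; the IIS host name and the 24-hour look-back window are assumptions, and the script assumes it runs as an account with read access to all the domains and to the IIS server's Security log.

```powershell
# Added example, not from the original answer. $iisServer and $since are assumptions.
Import-Module ActiveDirectory

$forestRoot = 'company.com'
$children   = 'a.company.com', 'b.company.com', 'c.company.com', 'd.company.com'
$iisServer  = 'web01.company.com'          # assumption: the IIS host running the Web Agent
$since      = (Get-Date).AddHours(-24)     # assumption: look-back window for logon events

# --- 1. Trust edges as each domain sees them ------------------------------------
# Parent-child trusts inside the forest show IntraForest=True; the trust to extra.com
# shows IntraForest=False. Direction must be BiDirectional for users on one side to
# authenticate to resources on the other. A shortcut trust, if added later, appears
# here as an extra IntraForest edge between the root and the child.
foreach ($dom in @($forestRoot) + $children + 'extra.com') {
    Write-Host "== Trusts of $dom =="
    Get-ADTrust -Filter * -Server $dom |
        Select-Object Name, Direction, IntraForest, ForestTransitive, TrustType |
        Format-Table -AutoSize
}

# --- 2. Can a DC for each child be located, and is the extra.com trust valid? ----
foreach ($dom in $children) {
    Write-Host "== DC locator for $dom =="
    nltest /dsgetdc:$dom | Select-String 'DC:', 'Flags'
}
netdom trust $forestRoot /domain:extra.com /verify

# --- 3. Which logons actually reached the IIS server, and with which package? ----
# Event 4624 carries the account's (NetBIOS) domain and the authentication package.
# After the site is set to NTLM only, users from A..D should show up as
# Package = NTLM with LogonType 3 (network). Anything else points at the site
# configuration, not at the trust path.
$events = Get-WinEvent -ComputerName $iisServer -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Domain  = $d.TargetDomainName
        User    = $d.TargetUserName
        Package = $d.AuthenticationPackageName
        Type    = $d.LogonType
        Client  = $d.IpAddress
    }
} | Where-Object { $_.Type -eq '3' } |
    Group-Object Domain, Package |
    Select-Object Name, Count |
    Sort-Object Name
```

If step 1 shows a direct edge between company.com and a child while step 3 still shows NTLM logons succeeding, the shortcut is in place and the extra.com DCs are no longer in the path; if step 3 shows logons only for users of company.com, the failing hop is on the AD side rather than in IIS or the Web Agent.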