Scenario (see attached image): we have 4 AD Domains (A.company.com, B.company.com, C.company.com, D.company.com) that are part of the forest COMPANY.COM. The four domains A, B, C and D are configured with a a two-way trust with another domain, called EXTRA.COM located on a different data-center. Finally the EXTRA.COM is configured with a two-way trust with the main forest domain COMPANY.COM.
Requirement: have Windows Authentication using NTLM for all the users of A, B, C and D domains.
Idea: configure IIS Web Server + Web Agent that manages the Windows Authentication scheme against the only one COMPANY.COM forest domain
Question: with this configuration NTLM Windows Authentication works for all the users of all the child domains A, B, C and D?
Thanks and regards,
As far as the NTLM authentication works on the AD side, it should work when authenticating through CA SSO. I do not see any reason why NTLM authentication could not work in your main domain, as all the domains have a transitive 2-way trust between them. When the authentication request comes to company.com, the DC will talk with the extra.com DC, and this one will do the same with the subdomain DC (like b.company.com), following the current trust relationship design you deployed.
You can check the following documents for more details regarding 2-way transitive trusts for NTLM:https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx https://blogs.technet.microsoft.com/mir/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1/https://blogs.technet.microsoft.com/isrpfeplat/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments/
As suggested in the last one, you could check with your MS admins if adding trust shortcuts could be possible, so when you do the authentication request in company.com, it could use the shortcut to the subdomain directly without having to go first to the extra.com DC.
I hope it helps!