Web Security Services

  • 1.  Auth Connector Two Way Trust

    Posted May 13, 2019 10:26 AM

    Hi Dear Members,

    My client domain (let's say mydomain.com) has a two-way trust with domains from other countries (for example, sgdomain.com and iddomain.com). If BCAC is installed on mydomain.com and integrated with WSS, will WSS be able to poll the user and group information from other domains? What if an iddomain.com user logs in and authenticates to WSS, will he/she get authenticated?

    Thanks so much for the guidance :)



  • 2.  RE: Auth Connector Two Way Trust

    Posted May 14, 2019 10:17 AM
    Dear Rolando, if both the domains are on one AD then it will trust and authenticate the users.


  • 3.  RE: Auth Connector Two Way Trust

    Posted May 30, 2019 07:40 AM

    Hi Roland, 

    I highly doubt this will work in your scenario based on my recent experience with WSS.

    If I understand you correctly, in your scenario, you have two identical forests having a two-way domain trust relationship. Recently, I have come across a very similar situation where Auth Connector is installed on domain ABC.local and it has a two-way trust with XYZ.local. Unfortunately, Auth Connector didn't recognize any of the users that are authenticating from XYZ.local; WSS reported all the users that are coming from XYZ.local as "Unauthenticated User".

    While installing Auth Connector, we have two options; the first option indicates that it is going to query all domain controllers. In our case Auth managed to synchronize users from both domains. But it won't recognize the credentials of users who are coming from XYZ.local. We have not tested the ACLogon option (the second).

    See Symantec documentation here:

    https://portal.threatpulse.com/docs/sol/AccessMethods/auth/authconn_config_ta.htm

    To summarize: I highly doubt users that are authenticating from the other domain will be recognized. However, I would appreciate it if a Symantec Engineer can confirm the outcome if they have tested such a scenario. If you test this and if this works please let us know.

    How about installing Auth Connector in both domains?

    Regards,

     



  • 4.  RE: Auth Connector Two Way Trust

    Posted Sep 20, 2019 05:51 AM

    If I understand this correctly:

    Let us say, mydomain.com is your ROOT Domain and sgdomain.com / iddomain.com are your parent domains and they have a two-way trust.

    We install Auth Connector on one of the Root Domain Member Servers, i.e. mydomain.com. VERY IMP - The Service Account Credentials should have the ability to read the whole Domain Tree, both Root and Parent Domains. While installing Auth Connector, check mark "Identify users by querying domain controllers".

     

    Force a SYNC with AD on WSS and check if you see all the users from all the domains. This should get things working.

     

    In one of the customer deployments I had faced an issue where the Root Domain takes a lot of time querying the Parent Domains, resulting in Unauthenticated users. The only option here was to install ACLogon.exe on all the End User Systems.
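
The prerequisite named in post 4 (a service account that can read every trusted domain) can be checked before installing or re-syncing. The script below is an added example, not code from any poster or from Symantec; it assumes the ActiveDirectory PowerShell module (RSAT) on the member server and reuses the thread's placeholder domain names.

```powershell
# Added example: run on the member server that hosts (or will host) Auth Connector.
# Assumptions: ActiveDirectory module (RSAT) is installed; the domain names
# below are the placeholders used in the thread, replace them with real ones.
Import-Module ActiveDirectory

$homeDomain     = 'mydomain.com'
$trustedDomains = 'sgdomain.com', 'iddomain.com'

# Prompt for the service account that Auth Connector runs as
$svcCred = Get-Credential -Message 'Auth Connector service account'

# Trust objects as the home domain sees them
$trusts = Get-ADTrust -Filter * -Server $homeDomain -Credential $svcCred

$report = foreach ($domain in $trustedDomains) {
    $trust   = $trusts | Where-Object { $_.Name -eq $domain }
    $canRead = $false
    $err     = $null
    try {
        # Read a small sample of users from the trusted domain as the service account
        $sample  = Get-ADUser -Filter * -Server $domain -Credential $svcCred `
                              -ResultSetSize 5 -ErrorAction Stop
        $canRead = [bool]$sample
    } catch {
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        Domain                = $domain
        TrustFound            = [bool]$trust
        Direction             = if ($trust) { $trust.Direction } else { 'n/a' }
        ServiceAccountCanRead = $canRead
        Error                 = $err
    }
}

$report | Format-Table -AutoSize
```

A row with `ServiceAccountCanRead = True` only confirms the directory-read prerequisite for syncing users and groups. It does not show that logons from the trusted domain will be identified, which is the failure post 3 reports even after a successful sync.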