Cross Forest Group Memberships

 
 
tyler.lloyd@gmail.com
02-04-2006
Hi,

I have a web application that requires the lookup of group memberships.
I'm currently using the WindowsPrincipal.isinrole, which has been
working great, however I now have to extend the application to support
multiple (3) forests. It seems from initial testing that the
WindowsIdentity token does not contain \ validate cross-forest
memberships as all the checks are coming back negative. I'm a little
worried as the only other option I can think of is directly binding to
those remote groups and searching their members list (Plus the nested
groups?). This could be quite time consuming, as there are easily 20
groups per Forest. Is there another way I can go about this? Any help
would be most appreciated.

Thanks
Tyler

 
Dominick Baier [DevelopMentor]
02-04-2006
Hi,

do you have cross forest trusts between the forests?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi,
>
> I have a web application that requires the lookup of group
> memberships. I'm currently using the WindowsPrincipal.isinrole, which
> has been working great, however I now have to extend the application
> to support multiple (3) forests. It seems from initial testing that
> the WindowsIdentity token does not contain \ validate cross-forest
> memberships as all the checks are coming back negative. I'm a little
> worried as the only other option I can think of is directly binding to
> those remote groups and searching their members list (Plus the nested
> groups?). This could be quite time consuming, as there are easily 20
> groups per Forest. Is there another way I can go about this? Any help
> would be most appreciated.
>
> Thanks
> Tyler



 
tyler.lloyd@gmail.com
02-04-2006
Thanks for the quick reply; Yes I Do.

Thanks
Tyler

 
Dominick Baier [DevelopMentor]
02-04-2006
Hi,

try the following command:

whoami /groups

while logged on with the account in question - do you see the groups from
the other forests?

(whoami is included in w2k3 or the windows resource kit)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thanks for the quick reply; Yes I Do.
>
> Thanks
> Tyler



 
tyler.lloyd@gmail.com
02-04-2006
Hi Dominick,

I tried the whoami command and it listed everything but the cross
forest members. I tried nesting my account in another Domain local
group in the remote forests which also didn't show up. The trust in
place is a two way external. The functional level is 2003.

Thanks
Tyler

 
Dominick Baier [DevelopMentor]
02-04-2006
Hi,

when whoami does not show the groups - there is a system/domain config issue
- I remember vaguely that there is an "account firewall" in cross forest trusts
- maybe something is still locked down...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> I tried the whoami command and it listed everything but the cross
> forest members. I tried nesting my account in another Domain local
> group in the remote forests which also didn't show up. The trust in
> place is a two way external. The functional level is 2003.
>
> Thanks
> Tyler



 
tyler.lloyd@gmail.com
02-04-2006
Thanks so much for your help, I will look into that and see if I can
find out why \ how it's being blocked.

Thanks again
Tyler

 
Henning Krause [MVP]
02-04-2006
Hello,

do you mean Selective Authentication?

http://www.microsoft.com/technet/com...in/pw0303.mspx

Greetings,
Henning

"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed). com...
> Hi,
> when whoami does not show the groups - there is a system/domain config
> issue - I remember vaguely that there is an "account firewall" in cross
> forest trusts - maybe something is still locked down...
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Hi Dominick,
>>
>> I tried the whoami command and it listed everything but the cross
>> forest members. I tried nesting my account in another Domain local
>> group in the remote forests which also didn't show up. The trust in
>> place is a two way external. The functional level is 2003.
>>
>> Thanks
>> Tyler

tyler.lloyd@gmail.com
02-05-2006
Thank you both for the help so far; I checked the Trust authentication
type and everything is set to Forest-Wide Authentication. Just to
further help identify the issue, currently my account resides in Forest
A. This account is nested into a Domain Local group located in forest
B. I have rebooted my machine after the group membership change.
Whoami should show Domain Local groups correct?

Thanks
Tyler

 
tyler.lloyd@gmail.com
02-08-2006
Follow-up:

I just finished talking with MS Dev support. My summary of the
discussion is as follows.
When a user logs into a domain account the token will contain the
following group memberships:
1) All the Global and Universal groups the user account is a member of
within the forest in which the account resides.
2) All the Domain Local groups the user is a member of in the
"resource" domain or "machine" domain (Domain the computer is
part of)

So the only way to see the Domain Local groups in your token is to
login to a computer that is a member of the domain that holds those
groups.

Furthermore I was told the only way to provide this functionality
(without logging into a computer in the remote forest) is to make a
LDAP call to that forest and array through each group's members. Yuk.

More Reading
http://www.microsoft.com/resources/d...asp?frame=true
http://www.microsoft.com/resources/d...asp?frame=true
Hope this helps anyone that may come across this issue in the future.

Thanks
Tyler
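The approach Tyler's follow-up describes, as an added example that is not code from this thread: a forest-A user's token never carries a Domain Local group from forest B, so the application binds to forest B over LDAP and walks that group's member list (nested groups included), comparing each member's SID against the SIDs the caller already holds. The DC name `dcB.forestB.example`, the group DN and the class/method names are hypothetical; the code also assumes the identity running it can read forest B's directory through the existing trust.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example (not code from this thread). It does what the follow-up post
// describes: since a Domain Local group in forest B never appears in a
// forest-A user's token, bind to forest B over LDAP and walk that group's
// member list, nested groups included, comparing SIDs against the caller's.
//
// Hypothetical values: the DC name "dcB.forestB.example" and the group DN
// below. Also assumed: the identity running this code can read forest B's
// directory through the existing trust.
public static class CrossForestGroupCheck
{
    const string RemoteServer = "dcB.forestB.example";                              // hypothetical
    const string RemoteGroupDn = "CN=WebAppUsers,OU=Groups,DC=forestB,DC=example";  // hypothetical

    // Returns true when the caller is a direct or nested member of the remote
    // group. The caller's token already holds its own Global and Universal
    // groups (point 1 of the follow-up), so a forest-A group that was nested
    // into the forest-B group is matched through its SID as well.
    public static bool IsInRemoteGroup(WindowsIdentity identity)
    {
        HashSet<SecurityIdentifier> callerSids = new HashSet<SecurityIdentifier>();
        callerSids.Add(identity.User);
        foreach (IdentityReference tokenGroup in identity.Groups)
            callerSids.Add((SecurityIdentifier)tokenGroup);

        HashSet<string> visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        return GroupContainsAny(RemoteGroupDn, callerSids, visited);
    }

    static bool GroupContainsAny(string groupDn, HashSet<SecurityIdentifier> targets, HashSet<string> visited)
    {
        // AD permits circular nesting; never walk the same group twice.
        if (!visited.Add(groupDn))
            return false;

        using (DirectoryEntry group = new DirectoryEntry("LDAP://" + RemoteServer + "/" + groupDn))
        {
            foreach (object memberValue in group.Properties["member"])
            {
                string memberDn = (string)memberValue;
                using (DirectoryEntry member = new DirectoryEntry("LDAP://" + RemoteServer + "/" + memberDn))
                {
                    // Forest-A principals are stored in forest B as
                    // foreignSecurityPrincipal objects whose objectSid is the
                    // original forest-A SID, so one SID comparison covers
                    // local users, foreign users and foreign groups alike.
                    byte[] sidBytes = member.Properties["objectSid"].Value as byte[];
                    if (sidBytes != null && targets.Contains(new SecurityIdentifier(sidBytes, 0)))
                        return true;

                    // Only groups that live in forest B can be walked further.
                    if (member.SchemaClassName == "group" && GroupContainsAny(memberDn, targets, visited))
                        return true;
                }
            }
        }
        return false;
    }
}
```

Two practical caveats: a group with more than 1500 members (the default MaxValRange) returns `member` through ranged retrieval (`member;range=0-1499`), so large groups need a DirectorySearcher that requests the ranges explicitly; and because this walk costs one LDAP round trip per member, cache the result per user for the request or session rather than repeating it on every authorization check, and treat an LDAP failure as "not a member" rather than as access granted.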

 