Kerberos and External Trusts

Let’s say that for whatever reason, you have your Hyper-V compute in one Active Directory domain, say VMLEVEL.COM, and your Tintri VM-Aware Storage appliances in a different Active Directory domain, say TINTRI.COM. We know that users and computers in one domain can only be authenticated to access resources in another domain if there’s a trust relationship between the two domains.

In the case of Active Directory forest trusts, the magic that is the global catalogue allows the domain controllers in one domain to resolve Service Principal Names (SPNs) for other domains within that forest.

However, external trusts don’t by default share between domains the same kinds of information that forest trusts do. External trusts are nonetheless sometimes preferred over forest trusts, multitenancy for hosted private clouds being one example.

Let’s see what happens here, so that we can see what the impact is and what we can do about it.

A Kerberos client wanting access to a particular service will construct a ticket request containing a Service Principal Name identifying that service. It builds the SPN by taking a service name (cifs for SMB 3.0) and appending the fully-qualified DNS name of the host (vmstore01-data.vmlevel.com, for example), and that is essentially all there is to it: cifs/vmstore01-data.vmlevel.com.

In the forest trust case, the domain controllers are able to search the whole forest for an account with that SPN. In the case of external trusts, this doesn’t happen by default and the client will fail to get a ticket.

It is possible, however, to configure a list of additional domains for both Kerberos clients and Kerberos KDCs to search. To do so, start gpedit.msc (the Group Policy Editor), then navigate down through:

  • Local Computer Policy
    • Administrative Templates
      • System

And then under both Kerberos and KDC, locate the Use forest search order parameter. By setting it to enabled and entering the externally trusted domain, you should find that Kerberos tickets can be requested across the external trust from this domain to the remote domain. In many cases, you may also want to set the same in the opposite direction and it is important to have this setting propagated to all domain controllers in the domain for consistent results.

[Figure: forest-search-order.png]

So whilst Kerberos won’t work across external trusts by default, it is possible to use the forest search order tunable to enable it for select domains.
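As an added example (not from the original post), the following PowerShell script audits every domain controller in the local domain for the Kerberos client and KDC forest search order values, since inconsistent settings across DCs give inconsistent results, and then requests a ticket for the SPN used above. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and that the policy writes to the registry paths shown; those paths are an assumption to confirm against your own ADMX templates.

```powershell
# Added audit script, not part of the original post.
# Assumes: ActiveDirectory module, WinRM to every DC, and the policy registry
# paths below (assumed from the Kerberos/KDC ADMX templates; verify locally).

$ExpectedDomains = @('tintri.com')   # externally trusted domain(s) entered in the GPO

# Locations that "Use forest search order" is assumed to write to
$Paths = @{
    'Kerberos client' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters'
    'KDC'             = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\KDC\Parameters'
}

function Get-ForestSearchConfig {
    param([string]$Computer)
    Invoke-Command -ComputerName $Computer -ArgumentList $Paths -ScriptBlock {
        param($Paths)
        foreach ($name in $Paths.Keys) {
            $p = Get-ItemProperty -Path $Paths[$name] -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                Component        = $name
                UseForestSearch  = [int]($p.UseForestSearch)   # 1 = Enabled
                ForestSearchList = @($p.ForestSearchList)      # REG_MULTI_SZ of domains
            }
        }
    }
}

# Collect the setting from every DC in the domain this machine belongs to.
$results = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ForestSearchConfig -Computer $_.HostName }

# Flag any DC where the feature is off or the expected domain is missing from the list.
foreach ($r in $results) {
    $missing = $ExpectedDomains | Where-Object { $r.ForestSearchList -notcontains $_ }
    $status  = if ($r.UseForestSearch -eq 1 -and -not $missing) { 'OK' } else { 'MISMATCH' }
    '{0,-20} {1,-16} {2,-9} list=[{3}]' -f $r.Computer, $r.Component, $status,
        ($r.ForestSearchList -join ',')
}

# End-to-end check from a client in VMLEVEL.COM: request a service ticket for the
# cross-trust SPN and confirm it lands in the ticket cache.
klist purge | Out-Null
klist get cifs/vmstore01-data.vmlevel.com
klist | Select-String 'vmstore01-data'
```

Run it from a machine joined to VMLEVEL.COM; a MISMATCH row on any DC explains intermittent ticket failures before the final klist step is even reached.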
