Selective authentication

When creating a forest trust, each domain within the trusted forest becomes trusted. While this is sometimes not desired it is possible to limit the scope by implementing selective-authentication. It is possible to only allow authentication between those domains you want by granting the allowed to authenticate right to only those domains objects.

The allowed to authenticate right controls who can authenticate to a particular machine or service (or an entire domain). The attribute is available on computer, user and InetOrgPerson objects. The right is also applicable on the domain object if access is allowed for the entire domain. It can also be applied to OU’s to set inheritable ACE’s on OU’s containing a set of user or computer objects. The attribute can be set by members of the Account Operators, Administrators, Domain Administrators, Enterprise Administrators and the SYSTEM groups by default. This behaviour can be changed in the schema of a forest.

To allow authentication between the two domains that reflects an external domain trust authentication model, the allowed to authenticate right must be delegated from the domain object. To do this, right click the domain in Active Directory Users & Computers and select delegate. Add the domain users group from the trusted domain to the user/group list and select to delegate a custom task. Select only specified objects and select users, inetOrgPerson and Computers. Next select the allowed to authenticate attribute and finish the wizard.

PS: rumor has it, that I will be presenting about Trusts, (including selective authentication) in the near future.. keep following this blog for more information.