Cross Forest Group Memberships

Discussion in 'ASP .Net Security' started by tyler.lloyd@gmail.com, Feb 4, 2006.

  1. Guest

    Hi,

    I have a web application that requires the lookup of group memberships.
    I'm currently using the WindowsPrincipal.IsInRole, which has been
    working great, however I now have to extend the application to support
    multiple (3) forests. It seems from initial testing that the
    WindowsIdentity token does not contain \ validate cross-forest
    memberships as all the checks are coming back negative. I'm a little
    worried as the only other option I can think of is directly binding to
    those remote groups and searching their members list (Plus the nested
    groups?). This could be quite time consuming, as there are easily 20
    groups per Forest. Is there another way I can go about this? Any help
    would be most appreciated.

    Thanks
    Tyler
     
    , Feb 4, 2006
    #1

  2. Hi,

    do you have cross forest trusts between the forests?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    >
    > I have a web application that requires the lookup of group
    > memberships. I'm currently using the WindowsPrincipal.IsInRole, which
    > has been working great, however I now have to extend the application
    > to support multiple (3) forests. It seems from initial testing that
    > the WindowsIdentity token does not contain \ validate cross-forest
    > memberships as all the checks are coming back negative. I'm a little
    > worried as the only other option I can think of is directly binding to
    > those remote groups and searching their members list (Plus the nested
    > groups?). This could be quite time consuming, as there are easily 20
    > groups per Forest. Is there another way I can go about this? Any help
    > would be most appreciated.
    >
    > Thanks
    > Tyler
     
    Dominick Baier [DevelopMentor], Feb 4, 2006
    #2

  3. Guest

    Thanks for the quick reply; Yes I Do.

    Thanks
    Tyler
     
    , Feb 4, 2006
    #3
  4. Hi,

    try the following command:

    whoami /groups

    while logged on with the account in question - do you see the groups from
    the other forests?

    (whoami is included in w2k3 or the windows resource kit)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thanks for the quick reply; Yes I Do.
    >
    > Thanks
    > Tyler
     
    Dominick Baier [DevelopMentor], Feb 4, 2006
    #4
  5. Guest

    Hi Dominick,

    I tried the whoami command and it listed everything but the cross
    forest members. I tried nesting my account in another Domain local
    group in the remote forests which also didn't show up. The trust in
    place is a two way external. The functional level is 2003.

    Thanks
    Tyler
     
    , Feb 4, 2006
    #5
  6. Hi,

    when whoami does not show the groups - there is a system/domain config issue
    - i remember vaguely that there is a "account firewall" in cross forest trusts
    - maybe something is still locked down...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi Dominick,
    >
    > I tried the whoami command and it listed everything but the cross
    > forest members. I tried nesting my account in another Domain local
    > group in the remote forests which also didn't show up. The trust in
    > place is a two way external. The functional level is 2003.
    >
    > Thanks
    > Tyler
     
    Dominick Baier [DevelopMentor], Feb 4, 2006
    #6
  7. Guest

    Thanks so much for your help, I will look into that and see if I can
    find out why \ how it's being blocked.

    Thanks again
    Tyler
     
    , Feb 4, 2006
    #7
  8. Hello,

    do you mean Selective Authentication?

    http://www.microsoft.com/technet/community/columns/profwin/pw0303.mspx

    Greetings,
    Henning

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    > when whoami does not show the groups - there is a system/domain config
    > issue - i remember vaguely that there is a "account firewall" in cross
    > forest trusts - maybe something is still locked down...
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Hi Dominick,
    >>
    >> I tried the whoami command and it listed everything but the cross
    >> forest members. I tried nesting my account in another Domain local
    >> group in the remote forests which also didn't show up. The trust in
    >> place is a two way external. The functional level is 2003.
    >>
    >> Thanks
    >> Tyler

    >
    >
     
    Henning Krause [MVP], Feb 4, 2006
    #8
  9. Guest

    Thank you both for the help so far; I checked the Trust authentication
    type and everything is set to Forest-Wide Authentication. Just to
    further help identify the issue, currently my account resides in Forest
    A. This account is nested into a Domain Local group located in forest
    B. I have rebooted my machine after the group membership change.
    Whoami should show Domain Local groups correct?

    Thanks
    Tyler
     
    , Feb 5, 2006
    #9
  10. Guest

    Follow-up:

    I just finished talking with MS Dev support. My summary of the
    discussion is as follows.
    When a user logs into a domain account the token will contain the
    following group memberships:
    1) All the Global and Universal groups the user account is a member of
    within the forest the account resides.
    2) All the Domain Local groups the user is a member of in the
    "resource" domain or "machine" domain (Domain the computer is
    part of)

    So the only way to see the Domain Local groups in your token is to
    log in to a computer that is a member of the domain that holds those
    groups.

    Furthermore I was told the only way to provide this functionality
    (without logging into a computer in the remote forest) is to make an
    LDAP call to that forest and array through each group's members. Yuk.

    More Reading
    http://www.microsoft.com/resources/...s/en-us/sag_AdunderstandGroups.asp?frame=true
    http://www.microsoft.com/resources/...s/en-us/security_accesscontrol.asp?frame=true
    Hope this helps anyone that may come across this issue in the future.

    Thanks
    Tyler
     
    , Feb 8, 2006
    #10
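An added example, not code from the thread or from Microsoft, of the LDAP approach Tyler describes: bind to a group in the remote forest and walk its member list, recursing into nested groups. It assumes the caller's SID is taken from the WindowsIdentity, and that a forest-A user appears in forest-B groups as a foreign security principal object, so membership is matched on objectSid rather than on distinguished name; the domain controller name and group DN are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example: recursive membership check against a group in a trusted remote forest.
// Members from another forest are stored as foreign security principals
// (CN=<SID>,CN=ForeignSecurityPrincipals,DC=...), so we compare objectSid, not DN.
public static class RemoteForestGroups
{
    public static bool IsMemberRecursive(string remoteDc, string groupDn, SecurityIdentifier userSid)
    {
        var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        return Walk(remoteDc, groupDn, userSid, visited);
    }

    private static bool Walk(string remoteDc, string groupDn, SecurityIdentifier userSid,
                             HashSet<string> visited)
    {
        if (!visited.Add(groupDn)) return false;   // nested groups can form cycles
        using (var group = new DirectoryEntry("LDAP://" + remoteDc + "/" + groupDn))
        {
            group.RefreshCache(new[] { "member" });
            foreach (string memberDn in group.Properties["member"])
            {
                using (var member = new DirectoryEntry("LDAP://" + remoteDc + "/" + memberDn))
                {
                    member.RefreshCache(new[] { "objectSid", "objectClass" });
                    var sidBytes = member.Properties["objectSid"].Value as byte[];
                    if (sidBytes != null && new SecurityIdentifier(sidBytes, 0).Equals(userSid))
                        return true;               // direct member, or foreign security principal
                    if (member.Properties["objectClass"].Contains("group") &&
                        Walk(remoteDc, memberDn, userSid, visited))
                        return true;               // found via a nested group
                }
            }
        }
        return false;
    }

    // Usage from an ASP.NET page with Windows authentication (placeholder DC and DN):
    //   var sid = ((WindowsIdentity)HttpContext.Current.User.Identity).User;
    //   bool ok = IsMemberRecursive("dc1.forestb.example",
    //                               "CN=AppUsers,OU=Groups,DC=forestb,DC=example", sid);
}
```

Two things a production version must handle: the member attribute of large groups is returned in ranges (1500 values by default), so full enumeration needs range retrieval, and the bind should run as a dedicated read-only service account rather than the caller, so the lookup does not depend on the caller's own rights in the remote forest.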
  11. Hi,

    yes - but domain local groups is not the right group type anyway - as the
    name says...


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Follow-up:
    >
    > I just finished talking with MS Dev support. My summary of the
    > discussion is as follows.
    > When a user logs into a domain account the token will contain the
    > following group memberships:
    > 1) All the Global and Universal groups the user account is a member of
    > within the forest the account resides.
    > 2) All the Domain Local groups the user is a member of in the
    > "resource" domain or "machine" domain (Domain the computer is
    > part of)
    > So the only way to see the Domain Local groups in your token is to
    > log in to a computer that is a member of the domain that holds those
    > groups.
    >
    > Furthermore I was told the only way to provide this functionality
    > (without logging into a computer in the remote forest) is to make an
    > LDAP call to that forest and array through each group's members. Yuk.
    >
    > More Reading
    >
    > http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_AdunderstandGroups.asp?frame=true
    >
    > http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/security_accesscontrol.asp?frame=true
    >
    > Hope this helps anyone that may come across this issue in the future.
    >
    > Thanks
    > Tyler
     
    Dominick Baier [DevelopMentor], Feb 8, 2006
    #11
  12. Guest

    But are not Domain Locals the only group type that will allow cross
    forest nesting?

    Thanks
    Tyler
     
    , Feb 8, 2006
    #12
  13. good question :)

    i am not sure.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > But are not Domain Locals the only group type that will allow cross
    > forest nesting?
    >
    > Thanks
    > Tyler
     
    Dominick Baier [DevelopMentor], Feb 8, 2006
    #13