PCNS: Password Synchronization using a one way external/forest trust with Selective Authentication

  • Article

 

Note

While you might be able to get the solution outlined in this article to work, it is important to note that it is based on a setup that is not officially supported by Microsoft.

To be supported in production, a two-way trust is required for a solution that includes PCNS.

The article describes using an external trust with Kerberos Forest Search Order (KFSO). This is not working reliably when you have a trusting forest with multiple domains, and may introduce additional problems as side-effects. We strongly recommend you are using a forest trust for this solution.

Introduction

A lot clients who want to use PCNS to synchronize passwords between two forests using selective authentication.

The good news is ... it is possible, reasonably simple and below we will show you how it's done.

First let me explain what the difference is between domain-wide and selective authentication:

  • With Domain-wide authentication users from the trusted domains will automatically have access to the resources in the trusting domain.
  • With Selective authentication users from the trusted domain need to be granted the specific rights to access resources in the trusting domain. This means that Selective Authentication is much more secure than domain-wide authentication, but also needs permissions to be explicitly granted to the relevant resources that access is required for.

What you need

  1. A one way external/forest trust with the forest/domain running PCNS needs to be trusted by the forest/domain running, My setup it looks as follows:

    http://1.bp.blogspot.com/-TG33iIGMKWc/Uj2y8uXFhKI/AAAAAAAAAEo/977f_Kx7BLc/s320/Setup.png

  2. PCNS Installed and configured on the domain controllers running in the trusted domain. 

  3. Relevant firewall rules in place to allow PCNS traffic between the trusted and trusting domains. Please refer to this article section "Active Directory Domain Services" for information on the port needed: KB832017

  4. On Windows 2012 you will need to initially setup the trust as domain-wide in order to setup the permissions. Once they are configured you can change the trust back to selective authentication. On Windows 2008 it will prompt you to authenticate in order to assign the permissions.

  5. Name resolution working between the two forests. This can either be via conditional forwarders or by creating a secondary zone for each forest on the opposing forest.

  6. Domain Admin access to the trusting domain in order to assign the permissions and change the required group policies.

  7. Domain Admin access to the trusted domain to lookup user and computer object in the trusted domain and change the required group policies.

  8. You will notice that I use the domain controllers group in place of the machine accounts of the domain controllers for obvious reasons.

How it is done

1. Trust

Setup the trust as specified.

http://1.bp.blogspot.com/-CuD_yGV1LZo/Uj2y9DryNLI/AAAAAAAAAE8/PWSh1_btKt8/s320/Trust1.png

http://1.bp.blogspot.com/-HGl4NOjGNwc/Uj2y9oE-o_I/AAAAAAAAAFM/8pmkQg0-U_w/s320/Trust3.png

http://4.bp.blogspot.com/-tV_UkdgPTco/Uj2y-PHGXEI/AAAAAAAAAFE/SHGk15adFF0/s320/Trust4.png

2.Trusting Domain

Active Directory Users and computers tasks

a. Setup Allowed to Authenticate Permission on the domain controllers

(This will need to be completed on all domain controllers that are resolvable for the domain in DNS. This can also be scripted for larger environments. You can also limit the dns records resolvable to reduce the servers the permission needs to be applied to )

Open ADUC by running DSA.msc

Navigate to the Domain Controllers OU . (Note: Please ensure that the "Advanced Features" option is enabled under view, in order to access the security tab)

Setup the permission in the Advanced Permissions dialog as below to inherit to descendent computer objects

(This is required for the trusted domain controllers to authenticate to the trusting domain controllers to query SPN's and permission).

Navigate to the FIM Synchronization Server and repeat the same permission

http://1.bp.blogspot.com/-l2OhD--cC2g/Uj2y-l_pBAI/AAAAAAAAAFU/qYPW0SSkwj0/s320/permission2.png

(This is required for the trusted domain controllers to authenticate to the FIM Synchronization Server).

?  Navigate to the FIM Synchronization Server service account and repeat the same permission.

http://4.bp.blogspot.com/-qzQANl4o8RA/Uj2y-9Gx_TI/AAAAAAAAAFw/a8NmkNHuy0U/s320/permission3.png

(This is required for PCNS on the trusted domain DC's complete to request a context change once the initial RPC bind is established which took me a while and a whole lot on netmon packets to figure out)

Group Policy Management Tasks

Open GPMC.msc on the domain controller

  1.  Open GPMC.MSC

  2. Navigate to the "Default Domain Controllers Policy " and right click and select edit.

  3. Navigate to Computer Configuration,

  4. Navigate to Windows Settings

  5. Navigate to Security Settings

  6.  Navigate to User Rights Assignment

  7.  Navigate to the "Access this computer from the Network" Policy"

    http://1.bp.blogspot.com/-hGah-nwfh-k/Uj2y6vD7wfI/AAAAAAAAAEQ/xz_Mf-xh54w/s320/Policy1.png

  8.  Add the Trusted domain Domain Controllers group to the list of accounts

    http://3.bp.blogspot.com/-v-g3PbgO0RE/Uj2y66pjgyI/AAAAAAAAAEI/RUdG-ufPE-o/s320/Policy2.png

Local Policy Tasks

  1. Log into the FIM Synchronization Server as an Administrator

  2. Open local computer group policy by running "gpedit.msc"

  3.  Navigate to Computer Configuration,

  4.  Navigate to Windows Settings

  5.  Navigate to Security Settings

  6.  Navigate to User Rights Assignment

  7.  Navigate to the "Access this computer from the Network" Policy"

    http://4.bp.blogspot.com/-OjPMjhFbFa8/Uj2y7SyuQfI/AAAAAAAAAEM/R4rIZNTyxcU/s320/Policy3.png

  8. Add the Trusted domain Domain Controllers group to the list of accounts

    http://2.bp.blogspot.com/-RGG6c0m2YD0/Uj2y8PANIVI/AAAAAAAAAEk/zw2MMY_3bAQ/s320/Policy4.png

3.  Trusted Domain

Group Policy Management Tasks

You can skip these steps when you are using a forest trust. It is recommended to configure PCNS with the FQDN name of the FIM server it reports to. In this case, the standard SPN suffix routing will make sure the Kerberos Ticket requests are routed correctly.

Open GPMC.msc on the domain controller

  1. Open GPMC.MSC

  2. Navigate to the "Default Domain Controllers Policy " and right click and select edit.

  3. Navigate to Computer Configuration,

  4. Navigate to Administrative Templates

  5. Navigate to System

  6. Navigate to Kerberos

  7.  Navigate to the "Use forest search order" Policy"

    http://1.bp.blogspot.com/-v56705Eo_pg/Uj2y8UyH0xI/AAAAAAAAAEg/rqjAhOx4Fog/s320/Policy5.png

  8. Add the Trusting Domain to the list of Forests to Search for SPN's. 

    (This is needed for the trusted domain to be able to resolve SPN's in the Trusting domain where the SPN for the FIM synchronization server service account is located- thanks Jorge for this one .. http://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-external-trust-is-it-possible-part-6).

And there we are ..ready to test. 

Ready to test

Check the Service Configuration

http://2.bp.blogspot.com/-XyToTcMl_II/Uj23iVaBjkI/AAAAAAAAAF4/3o1uvLvz2N4/s400/pcnscfg.png

Reset the user password

http://2.bp.blogspot.com/-wJ3sBy5zRBU/Uj2y_GTLSEI/AAAAAAAAAFg/oq-op1TARXA/s1600/test1.png

 

Verify that the password was successfully delivered

http://4.bp.blogspot.com/-QlRhfxj-ld4/Uj2y_5t3EkI/AAAAAAAAAFs/eSwE-hnF86g/s640/test2.png

Check this against AD ... and voila  

http://3.bp.blogspot.com/-HGKdjFcxdnk/Uj24NNXFuII/AAAAAAAAAGA/51vmE6accBA/s400/adverified.png

All working!!

References