Directory Programming .NET

Greetings,

I was a bit stumped by this at first, but it kind of makes sense, but I wanted to run it past people.

So in my scenario I have 2 AD forests we will call Forest1 and Forest2.  Both forests are windows 2003 functional level, and have a Cross-Forest Trust.

Essentially I want to do a SIMPLE bind using user1@forest1.com to forest2.com, and vice versa.   If I attempt this today,  I get "Invalid Credentials".   This appears to be because the user account is not found matching the UPN user1@forest1.com within forest2.com.

Now at first I thought it should be found since a Cross-Forest trust exists, and the Name Suffix Routing values exist for the domain suffixes, but this did not seem to work.

It turns out (I am assuming) these routing values do not have an effect on creating referrals for a simple bind attempt, but only for the KDC as per ttp://support.microsoft.com/default.aspx/kb/929272

So checking the Configuration partitions on both forest show there are NO crossRef values for the other forest defined, so this makes sense why the user cannot be found based upon UPN.

So this leads me to http://support.microsoft.com/kb/241737 which explains how to add crossRef objects to allow External domain referrals.   

So I believe i Need to add a crossRef object for forest2.com to the forest1.com's partition list, and vice verse to allow cross forest binding by UPN.

I was curious if others have done this before, and if I was on the right track?

This would mean applications which can only use simple binds would be able to use the UPN to identify the users crossForest when other mechanisms are not available.

 

---

http://jeftek.com

I was under the impression that this cannot be made to work at all with simple bind.  I think Dmitri G. or someone else with much more knowledge than me told me this, but I'm not positive.

You might try asking on activedir.org or the microsoft.public.windows.server.active_directory newsgroup as I'm pretty positive he doesn't follow this forum but he frequently answers questions over there.

What you should be able to do is create an ADAM instance with synced bind proxy objects for the users in both forests and get simple binds against ADAM to auth to either forest via the forest trust.  That's definitely a significant amout of additional work to get all of that sync happening though, so it might not be interesting to you.

Thanks Joe!

I am already using an aggregate directory similar to what you are describing, but that in itself has alot of limitations.

I have posted about it here before:

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!930.entry

I'll cross post to the AD list and see what I find out.

Thanks for the feedback!

---

http://jeftek.com

In Testing it out,  adding the crossRef to the external Domain does NOT allow simple Bind to work cross forest using the UPN.

---

http://jeftek.com

That's kind of what I expected.  I'm afraid you may need the meta directory solution to make this work if the hard requirement is to use LDAP simple bind.

Joe,

I tried to summarize what I looked at, and ultimately what did not work on my blog if you were curious.  Thanks for the help in thinking about this though.

http://jeftek.com/iam/activedirectory/upn-and-cross-forest-ldap-simple-binds/

---

http://jeftek.com