Security considerations across AD trusts

Hi,
What are the security considerations (for Forest/DomainA) when creating a one-way trust between DomainA (the trusting domain) and Forest/DomainB (the trusted domain), so that resources in DomainA are exposed to users in DomainB?
I am trying to articulate the security considerations (i.e. that the concept of a forest security boundary has been broken) to the owners of DomainA.
This is because DomainA is also used to provide authentication services to DomainC, which has very strict security compliance policies.
Can DomainB enumerate users in DomainA? Can an admin in DomainB elevate his/her rights in DomainA?
Presumably a misconfiguration of permissioning in DomainA could see rights given to resources used by DomainC.
Thanks everyone

Hi,
Let me explain using a sample scenario that solves your requirement.
For example, consider two AD forests: contoso.com and nwtraders.com.
Requirement:
- I want the users from nwtraders.com to access all resources in contoso.com.
- But the users from contoso.com should be able to access only selected resources in nwtraders.com.
Solution:
- In contoso.com, we should configure forest-wide authentication on the incoming trust, to enable users from nwtraders.com to access all resources in contoso.com.
- In nwtraders.com, we should configure selective authentication on the incoming trust, to enable users from contoso.com to access only selected resources in nwtraders.com.
Check out the thread below on a similar discussion:
http://social.technet.microsoft.com/Forums/en-US/b47ee506-c014-4131-b16e-c9c86f7fd39f/add-to-domain-across-forest-trust?forum=winserverDS
Regards,
Gopi
JiJi Technologies

Similar Messages

  • Sun.security.validator.ValidatorException: No trusted certificate found

    Hello,
    I am using Java 1.6.0_04 (JBoss-4.2.2.GA application). My application implements a WS client which needs to integrate with an external Web Service. This communication needs to be handled through https.
    I have created a jks keystore with the server certificate, and passed its details to JBoss through the System Properties:
    -Djavax.net.ssl.trustStore=/Path-to-file -Djavax.net.ssl.trustStorePassword=password
    On my development environment I can call the Web Service correctly.
    However, on the production environment I am getting the following exception:
    javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
         at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:317)
         at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:255)
         at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
         at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
         at $Proxy171.send(Unknown Source)
         at com.xpto.integration.SmsHelper.send(SmsHelper.java:57)
         at com.xpto.services.sms.SMSSenderServiceMBean.run(SMSSenderServiceMBean.java:106)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: java.io.IOException: Could not transmit message
         at org.jboss.ws.core.client.RemotingConnectionImpl.invoke(RemotingConnectionImpl.java:204)
         at org.jboss.ws.core.client.SOAPRemotingConnection.invoke(SOAPRemotingConnection.java:77)
         at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:337)
         at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
         ... 6 more
    Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker.
         at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:333)
         at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:135)
         at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
         at org.jboss.remoting.Client.invoke(Client.java:1634)
         at org.jboss.remoting.Client.invoke(Client.java:548)
         at org.jboss.ws.core.client.RemotingConnectionImpl.invoke(RemotingConnectionImpl.java:183)
         ... 9 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:832)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
         at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:275)
         ... 14 more
    Caused by: sun.security.validator.ValidatorException: No trusted certificate found
         at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
         at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
         ... 26 more
    Both systems are configured with the same JBoss, JVM, ...
    The certificate details are:
    Owner=
      CN=*...., OU=..., O=..., L=..., ST=..., C=PT
    Issuer=
      CN=..., O=..., C=PT
    Version=3
    Serial Number=BC81A81843E26C2597CD10354588F61E
    Valid From=Monday, 3 March 2008 18:50
    Valid Until=Tuesday, 3 March 2009 18:50
    Signature Algorithm=SHA1withRSA
    Fingerprints=
        MD5:     0A:A6:89:92:A4:CF:17:74:7C:4E:20:63:6B:81:AE:85
        SHA1:    35:01:74:8C:35:AB:9F:02:7B:23:3F:15:5E:73:C6:4D:DD:BB:C0:7A
    Key Usage= critical
        List:
        . digitalSignature
        . keyEncipherment
        . dataEncipherment
        . keyAgreement
    Extended Key Usage= none
         On production I have also tried adding the following properties:
    -Djavax.net.ssl.keyStore=/Path-to-file -Djavax.net.ssl.keyStorePassword=password
    But I still get the error.
    Does anyone have any hint for this problem? Is there any property which I can define to ignore untrusted certificates?
    Any help would really be welcome.
    Thanks in advance.
    Best regards,
    Victor Batista

    Hi,
    Thanks for your prompt reply.
    I have also tried adding the whole chain of certificates to my truststore, but I get the exception:
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Mar 07 12:54:22 WET 2008
         at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
         at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
         at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
         ... 26 more
    And all the certificates are valid.
    I really don't understand what is going on.
    Can I ignore expired certificates? Is there any property for that?
    When I use -Djavax.net.ssl.trustStore pointing to my keystore, will cacerts also be used?
    Do I need to import all the certificates in the chain of the server, or is the topmost one sufficient?
    The server where I am having the problem has limited connectivity. Does it need connectivity to the issuers of the certificates in order to validate them, or not?
    Thanks in advance,
    Victor

  • Can we share one single RDBMS security store across multiple domains ?

    Can we share one single RDBMS security store across multiple WebLogic domains? The idea is to utilize the same set of users and groups defined in WebLogic Security Realms across multiple WebLogic domains. Is it possible? Are there any risks?
    I am using Oracle WebLogic Server 11gR1 (10.3.6) Generic with Coherence.

    Hi,
    The document you are referring to is for WLS 10.0, and the RDBMS security store is introduced from WLS 10.3.0 onwards.
    The reason why the RDBMS security store should not be shared between two domains is that the RDBMS security store is used by the authorization, role mapping, credential mapping, and certificate registry providers.
    Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
    It is just the replacement for Embedded LDAP.
    Thanks & Regards,
    Murali.

  • Firefox does not trust a particular secure website that I know is secure but it does trust other secure websites

    Firefox does not trust a specific secure website that I know is secure, but it does trust other secure websites. Also, Internet Explorer trusts this website and Firefox on another computer trusts this same website. When I try to connect Firefox tells me that it does not have a valid certificate (even though I know one exists) and that I would have to make an exception to connect. Is there some way I can correct this and get the proper certificate into this particular Firefox program?

    Can you post a link to that website?
    It is possible that the server doesn't send a required intermediate certificate.
    Firefox stores intermediate certificates that servers send for future use, so if you have visited a website that has sent such a certificate, then you won't see an error if you visit a server that doesn't send that intermediate certificate.
    You can inspect the certificate chain via a site like this:
    *http://www.networking4all.com/en/support/tools/site+check/
    You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
    *Click the link at the bottom of the error page: "I Understand the Risks"
    Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
    *Click the "View..." button and inspect the certificate and check who is the issuer.
    You can see more Details like intermediate certificates that are used in the Details pane.

  • WS-Security, WS-Policy, WS-Trust, etc ... Supported Versions??

    Can anyone please point me to the Oracle documentation that details the current supported technology versions for WS-Security, WS-Policy, WS-Trust??

    We use WS-Security on SOA 10.1.3.3.0, the UsernameToken part. But be aware that UsernameToken is only supported for request messages (calls made to BPEL) and not responses. UsernameToken propagation to other web services/processes is possible.
    But BPEL can't cope with UsernameToken in a SOAP response message if, for example, you call an OC4J web service from BPEL. Unfortunately, when you enable WS-Security UsernameToken in JDeveloper, it enables it for both output and input messages (then you get a MustUnderstand error). You have to manually remove the <outbound> element from oracle-webservices.xml for it to work after you regenerate your web service.
    JDeveloper or BPEL can't generate WS-Policy assertions for WSDL. If you don't know what I mean, have a look at a WSDL generated with WS-Security in GlassFish V2. This means you can't enable WS-Security for web service clients in IDEs other than JDeveloper. But theoretically you can add these WS-Policy assertions to the WSDL yourself, or write a WsseMessageHandler implementing SOAPHandler and then add it to the JAX-WS handler chain.

  • Maintaining security information across pages

    Is there an efficient way to maintain the security principal/credential associated with the JNDI Context across pages within a session? Or is there some place that describes how the security information is retained/released by the servlet engine?
    We tried storing the Context in the session object and accessing it through a convenience method. This works for EJB lookup but results in the user reverting to "guest". A similar thing happens when using handles to retain access to a stateful bean across JSP pages. The only workaround currently is to get the InitialContext on every page, even if it's not being used.
    thanks,
    chris
    Chris McCarley
    Senior Software Architect
    Daleen Technologies, Inc.
    561.981.2391 voice
    561.999.8006 fax
    mailto: [email protected]
    www.daleen.com

    I don't think you can use jsp:getProperty directly for an array.

  • Site's security certificate is not trusted - in fiori launchpad url

    Hi,
    We are using the HTTPS protocol in Fiori launchpad. When the URL is opened in a browser, an error or warning comes up; it can be ignored by clicking the "proceed anyway" button. In the Fiori client for mobile (Android or iOS) it does not show the page due to this problem.
    Our URL is an intranet URL (within the company's network). How can we solve this problem? Do we need to purchase a security certificate from some authority, or is some configuration required?
    Regards
    Yashpal

    The following may also be helpful: Getting Started with Kapsel - Appendix D -- Security
    I hope to update this document and the associated Getting Started with Kapsel - Part 8 -- AuthProxy sections in the next week or two to demonstrate how to use OpenSSL to create a Certificate Authority and use the Certificate Authority to sign certificates.
    Regards,
    Dan van Leeuwen

  • Can/How does Label Security integrate with Documentum Trusted Content Serv

    How easy would it be to use Oracle Label Security to manage all information in the Oracle database, including Documentum metadata, so that a single security policy can be defined, at least for the information stored in the Oracle database?
    How does the Documentum security tag get mapped to an OLS label?
    Customer needs only a high-level understanding...
    Steve Flournoy

    I am not familiar with documentum but you can use OLS for:
    Row-level security based on labels added to the tables you want to protect. Apply the labels to the Documentum metadata tables and you have implemented OLS. The Documentum tags can be mapped to OLS labels in Oracle Policy Manager:
    Set up the OLS labels just like the Documentum security tags in Oracle Policy Manager.
    For even more customization use Application Contexts and Virtual Private Database Policies.

  • Moving File/Terminal Server Across Forest Trust

    Hello all, I think this question is relatively straightforward but I wasn't able to find any direct answers with a forum search. I have two forests with a full trust, forest A and forest Z. Forest Z has been on the decommission track for two years, and after this operation I intend to completely shut it down. I did not migrate users between forests; rather, I created completely new user accounts in forest A for users who were in forest Z, and abandoned the forest Z user accounts. Forest Z still has several file servers and a terminal server which I would like to move to a domain in forest A. On the file servers, there are shares which have permissions and sharing settings for forest A users, and the terminal server also has user profiles for forest A users.
    The question is: when I move the file servers and terminal server from the domain in forest Z to a domain in forest A, will the file permissions from the previously non-local forest A remain in place, and will the user profiles from forest A still load when users sign in to the terminal server? Any help would be greatly appreciated, thanks!

    Hi,
    Do you mean that forest A users have logged on the TS server and created their profiles on it? Now you want to move the TS server from forest Z to forest A?
    Regards,
    Denny

  • Gmail imap issue "Equifax Secure Certificate Authority"  Not trusted.

    Anyone have an idea on what this is about? I had a warning to not accept it but I did and it did not fix the issue.

    Okay...no problem after I read about the 2 step verification getting in the way and downloaded the gmail app

  • Sharepoint and SSRS report trust relationship ssl/tls secure channel remote certificate is invalid

    I have no experience with SharePoint at all, but this is what I observed.
    I am intermittently getting this error message on my SharePoint: could not establish trust relationship for the SSL/TLS secure channel. Remote certificate is invalid according to the validation procedure.
    Screenshot of the error (image not included)
    This is how the SharePoint page is laid out.
    I have Report.aspx, and below is the content of the aspx file.
    The URL is http://sharepoint.COMPANY.com/Pages/Report.aspx.
    The URL is intranet only.
    The SharePoint is hosted on SERVER1 and the SSRS is hosted on SERVER2.
    I observed this error happens on both HTTP and HTTPS: http://sharepoint.COMPANY.com/Pages/Report.aspx or https://sharepoint.COMPANY.com/Pages/Report.aspx
    So far, the step I took was to follow this blog http://krishnasangani.blogspot.ca/2013/06/the-remote-certificate-is-invalid.html and restart IIS on SERVER1 and SERVER2, but the problem persists. Another thing I have done is to click the certificate in Internet Explorer, and everything looks OK on that side (the certificate is valid).
    It seems to only happen earlier in the morning, then it fixes itself around 9 o'clock. It has been ongoing for about 2 weeks. Please help troubleshooting this.
    <%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bsasdasdasd9c" %> <%@ Reference VirtualPath="~TemplatePageUrl" %> <%@ Reference VirtualPath="~masterurl/custom.master" %><%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bsasdasdasd9c" %>
    <html xmlns:mso="urn:schemas-microsoft-com:office:office" xmlns:msdt="uuid:547SF010-65B3-11d1-A29F-00457845FFSW"><head>
    <!--[if gte mso 9]><SharePoint:CTFieldRefs runat=server Prefix="mso:" FieldList="FileLeafRef,Comments,PublishingStartDate,PublishingExpirationDate,PublishingContactEmail,PublishingContactName,PublishingContactPicture,PublishingPageLayout,PublishingVariationGroupID,PublishingVariationRelationshipLinkFieldID,PublishingRollupImage,Audience,PublishingPageImage,PublishingPageContent,SummaryLinks,ArticleByLine,ArticleStartDate,PublishingImageCaption,HeaderStyleDefinitions"><xml>
    <mso:CustomDocumentProperties>
    <mso:PublishingContact msdt:dt="string">8</mso:PublishingContact>
    <mso:HeaderStyleDefinitions msdt:dt="string"></mso:HeaderStyleDefinitions>
    <mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact msdt:dt="string">First Last Name</mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact>
    <mso:PublishingContactPicture msdt:dt="string"></mso:PublishingContactPicture>
    <mso:PublishingContactName msdt:dt="string"></mso:PublishingContactName>
    <mso:ContentTypeId msdt:dt="string">0x010100C568DB5SDH48375LKNSDFG8340JKRG8034U6NEGK8TNGE8U34NIOGE8355H3358TRNG38G43JIOEG0T3JIGE9034340R8J05T4I54T4J8903HH5640K9445G54HH6564H65665</mso:ContentTypeId>
    <mso:Comments msdt:dt="string"></mso:Comments>
    <mso:PublishingContactEmail msdt:dt="string"></mso:PublishingContactEmail>
    <mso:PublishingPageLayout msdt:dt="string">https://sharepoint.COMPANY.com/_catalogs/masterpage/PageFromDocLayout.aspx, Body only</mso:PublishingPageLayout>
    <mso:PublishingPageContent msdt:dt="string">&lt;div class=&quot;ms-rtestate-read ms-rte-wpbox&quot;&gt;&lt;div class=&quot;ms-rtestate-notify ms-rtestate-read a74e0591-4ee6-4837-935a-3c932a967fac&quot; id=&quot;div_a74e0591-4ee6-4837-935a-3c932a967fac&quot;&gt;&lt;/div&gt;
    &lt;div id=&quot;vid_a74e0591-4ee6-4837-935a-3c932a967fac&quot; style=&quot;display:none&quot;&gt;&lt;/div&gt;&lt;/div&gt;
    &lt;div class=&quot;ms-rtestate-read ms-rte-wpbox&quot;&gt;&lt;div class=&quot;ms-rtestate-notify ms-rtestate-read e97fce7c-b702-4530-ae50-16ea77475fd5&quot; id=&quot;div_e97fce7c-b702-4530-ae50-16ea77475fd5&quot;&gt;&lt;/div&gt;
    &lt;div id=&quot;vid_e97fce7c-b702-4530-ae50-16ea77475fd5&quot; style=&quot;display:none&quot;&gt;&lt;/div&gt;&lt;/div&gt;
    </mso:PublishingPageContent>
    <mso:PublishingRollupImage msdt:dt="string"></mso:PublishingRollupImage>
    <mso:RequiresRouting msdt:dt="string">False</mso:RequiresRouting>
    </mso:CustomDocumentProperties>
    </xml></SharePoint:CTFieldRefs><![endif]-->
    <title>Report</title></head>
    A few questions I have in mind: any pointer to troubleshoot this problem? And, by looking at the ASPX file, would you be able to determine what method my SharePoint page is using to call the SSRS report: integrated mode, native mode, IEFrame? The reason I am asking is that if I google using the right terminology I may get to a similar problem and its solution.
    Thanks

    Please let us know if your SharePoint communicates with an external service via HTTPS.
    Please try performing the following steps:
    The fix is to set up a trust between SharePoint and the server requiring certificate validation.
    In the SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates onto SharePoint.
    The steps to get the certificates from the remote server hosting the WCF service are as follows:
    1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
    2. Right-click on the browser body and choose “Properties”, then “Certificates”, then “Certificate Path”.
    This tells you the certificate chain that’s required by the other server in order to communicate with it properly. You can double-click on each level in the certificate chain to go to that particular certificate, then click on the “Details” tab and “Copy to File” to save the certificate with the default settings.
    As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
    Reference: http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
    Thanks, ShankarSingh(MCP)

  • Current Security Context Not Trusted When Using Linked Server From ABAP

    Hello,
    I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
    The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
    Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
    That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
    EXEC SQL.
       SET XACT_ABORT ON
       DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
    ENDEXEC.
    The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
    The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
    I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
    What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
    Any insight someone could offer on this thorny problem would be most appreciated.
    Best regards,
    Matt

    Good news! We have got it to work. However, we did it in something of a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
    At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we reference the tables in SAP via the Linked Server defined on the remote server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
    So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
    Then, in our ABAP code, we simply do something along the lines of
    exec sql.
       set connection 'REMOTE'
    endexec.
    exec sql.
       connect to 'REMOTE'
    endexec.
    exec sql.
       insert into REMOTE_TABLE
          select * from SAPSERV.SID.sid.SAP_TABLE
    endexec.
    exec sql.
       commit
    endexec.
    exec sql.
       disconnect 'REMOTE'
    endexec.
    This is, of course, a test program, but it demonstrated that it worked, and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
    I don't know if this solution will have applicability to any other customers, but it works for us, for now.
    SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
    Best regards,
    Matt

  • Are there any security risks in two-way trusts?

    Hello!
    Can anybody enumerate the security risks that two-way trusts have? Security holes?
    I mean two-way trusts between two domains from different forests, Windows 2003\2008.
    Thank you for any info.

    Hi,
    There are two potential threats to interforest trust relationships in Windows Server 2003:
    1: Attack on a trusting forest by a malicious user in a trusted forest:
    A malicious user with administrative credentials who is located in a trusted forest could monitor network authentication requests from the trusting forest to obtain the security ID (SID) information of a user who has full access to resources in the trusting forest, such as a Domain or Enterprise Administrator. SID filtering is set on all trusts by default to help prevent malicious users from succeeding with this form of attack.
    2: Attack on shared resources in a trusting forest by malicious users in another organization’s forest:
    Creating an external or forest trust between two forests essentially provides a pathway for authentications to travel from the trusted forest to the trusting forest. While this action by itself does not necessarily create a threat to either forest, because it allows all secured communications to occur over the pathway, it creates a larger surface of attack for any malicious user located in a trusted forest. Selective authentication can be set on interforest trusts to help minimize this attack surface area.
    For more info, please refer to:
    http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
    Though the forest mentioned is on Windows 2003, this article applies to Windows 2008 and 2008 R2 forest environments as well.
    Please revert in case of any queries.
    pankaj(MCT)
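    An added defender-side check, not part of the original thread: assuming the RSAT ActiveDirectory module on a domain-joined host, this PowerShell script reads each trust's trustAttributes bitmask (flag values from MS-ADTS) and reports where the two controls named above, SID filtering and selective authentication, are not in force.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and read access to the trustedDomain objects in the local domain.
# Bit values are the trustAttributes flags documented in MS-ADTS.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # trust is a forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication enabled
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed

function Test-TrustAttributes {
    # Returns the list of weaknesses implied by one trustAttributes value.
    param([Parameter(Mandatory)][int]$TrustAttributes)
    $findings = @()
    $isForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

    # Threat 1 above: SID filtering stops a trusted-side admin from presenting a
    # trusting-forest SID (e.g. Enterprise Admins) through SID history.
    if ($isForest) {
        if (($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0) {
            $findings += 'Forest trust treated as external: SID history from the trusted forest is accepted'
        }
    } elseif (($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0) {
        $findings += 'External trust without quarantine: SID filtering is off'
    }

    # Threat 2 above: without selective authentication every trusted-forest user
    # can authenticate to every resource in the trusting forest.
    if (($TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -eq 0) {
        $findings += 'Selective authentication not enabled (forest/domain-wide authentication)'
    }
    return $findings
}

function Get-TrustRiskReport {
    # Evaluates every trust object the local domain holds.
    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, trustDirection, trustAttributes |
      ForEach-Object {
        $f = Test-TrustAttributes -TrustAttributes $_.trustAttributes
        [pscustomobject]@{
            Partner   = $_.trustPartner
            Direction = @{1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional'}[[int]$_.trustDirection]
            Findings  = $(if ($f) { $f -join '; ' } else { 'OK' })
        }
      }
}
# Constructed sample: a forest trust with default attributes (0x08) keeps SID
# filtering but has no selective authentication, so one finding is reported.
Test-TrustAttributes -TrustAttributes 0x08
```

    Run Get-TrustRiskReport on a domain controller or RSAT host in the trusting domain; the netdom trust /Quarantine, /EnableSIDHistory and /SelectiveAuth switches change the same bits this script reads.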

  • Trust and Key Store config values? - OBPM 10g (Linux) With Websphere6 (AIX)

    Hi,
    We installed OBPM 10gR3 on Linux (10.3.2 for WebSphere) with WebSphere 6.1.0.21 on AIX.
    When we try to save values in the following section we are getting an error:
    Engines > Edit Engine bpmengine > JMX Engine Management Configuration
    Attributes are:
    Host / Port / Security Enabled / Principal / Credentials / Trust store / Trust store password / Key store / Key store password
    Can anybody please help with what values to put for the following parameters under JMX Engine Management Configuration with respect to WebSphere Application Server 6.1.0.21:
    Trust store: ?
    Trust store password: ?
    Key store: ?
    Key store password: ?
    Please help us in case anybody came across this.
    Thanks and Regards
    SH

    Well, it seems that my trouble all started when I began using the 'printable = yes' option for shares. Since I removed that, the troubles seem to have left me.
    Does anyone know why that is listed as an option in smb.conf here:
    # A publicly accessible directory, but read only, except for people in
    # the "staff" group
    ;[public]
    ; comment = Public Stuff
    ; path = /home/samba
    ; public = yes
    ; writable = yes
    ; printable = no
    ; write list = @staff
    as well as in a few other examples, if it doesn't work? I saw the example and assumed that option was needed to print from those shared directories.
    Also, it seems that the comma is not needed between the 'valid users' names.
    Also, I guess it wasn't Windows XP's fault either, but rather my own ignorance. I like the idea of blaming Windows better though.....
    I hope this serves to help others to avoid my mistakes.

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts and Cisco ISE?
    I have a customer that had external trusts, and ISE was working OK for PEAP MSCHAPv2 user auth across domains.
    They recently removed the external trusts and changed to forest trusts. Now auth doesn't work. The initial error was authc OK, authz fail.
    I can search and get lists of AD groups OK for the remote domain.
    Using the attribute tab, I can't get attributes for users in the remote domain. I'm thinking that since I can't see the memberOf attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works OK. A previous poster talked about Kerberos issues across forest trusts?
    Cheers
    Peter.

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on page no. 170.
