Windows Server 2003: Establishing Trust Relationships Between Domains
林寶森 jeffl@ms11.hinet.net
Trusting and Trusted Domains (diagram: Domain A is the trusting domain and holds the resources; Domain B is the trusted domain and holds the accounts; the trust arrow runs from Domain A to Domain B)
One-Way and Two-Way Trust (diagram: with a one-way trust, one domain holds the resources and the other holds the accounts; with a two-way trust, each domain trusts the other, so both sides hold resources and accounts)
Transitive vs. Non-Transitive Trust (diagram: domains A, B and C. With transitive trusts, A trusting B and B trusting C means A also trusts C; with non-transitive trusts, A trusts B and B trusts C, but A does not trust C)
Types of Trusts (diagram: Forest 1, with forest root Domain A and Domains B to F, Forest 2, with forest root Domain P and Domain Q, and a separate Kerberos realm. The trusts drawn are parent/child trust and tree/root trust inside a forest, shortcut trust between two domains of the same forest, forest trust between Forest 1 and Forest 2, external trust to a domain outside the forest, and realm trust to the Kerberos realm)
Trust Types Associated with Server Operating Systems
Between Windows Server 2003 forests: forest trusts; one-way or two-way external trusts
Windows Server 2003 and Windows 2000 forests: one-way or two-way external trusts
Windows Server 2003 and Windows NT 4.0 domains: one-way or two-way external trusts
Windows Server 2003 and servers running other operating systems (Kerberos realms): realm trust
Verifying and Revoking Trusts
(Screenshot: nwtraders.msft Properties, Trusts tab. "Domains trusted by this domain": sales.contoso.msft (Shortcut, transitive: Yes), marketing.contoso.msft (Shortcut, Yes), contoso.msft (Tree Root, Yes). "Domains that trust this domain": sales.contoso.msft (Shortcut, Yes), contoso.msft (Tree Root, Yes). Buttons: Add…, Edit…, Remove. The contoso.msft Properties dialog offers Verify: "To verify and if necessary reset this trust relationship, click Verify. This is useful as a troubleshooting tool.")
Verify a trust: click Verify in the trust's properties, or from the command line:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Verify
Revoke a trust: click Remove in the Trusts tab, or from the command line:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Remove
Both operations need administrative credentials in the trusted domain; netdom accepts them with /UserD and /PasswordD (and /UserO and /PasswordO for the trusting domain) when the current logon does not have them.
How to Prevent SID Spoofing Using SID Filtering
SID spoofing: a domain administrator in a trusted domain attaches the SID of a well-known security principal, or of a privileged user account from the trusting domain, to an account in the trusted domain (through its SIDHistory attribute). When that account authenticates across the trust, the trusting domain treats it as the privileged principal.
SID filtering: enables administrators to discard credentials that use SIDs that are likely candidates for spoofing. The trusting domain's domain controller removes from the incoming authorization data every SID that was not issued by the trusted domain.
Disabling SID filtering: SID filtering must be disabled to allow users and groups migrated from other domains to access this domain's resources by using SIDHistory:
netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No
Re-enable it with /quarantine:Yes as soon as the migration is finished; while it is off, the trusting domain's security rests entirely on the honesty of the trusted domain's administrators.
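The filtering rule the slide describes, worked through as an added example (this is illustrative code, not from the presentation or from Windows): the trusting domain's DC keeps only the SIDs whose domain part is the trusted domain's own SID and drops everything else, including a SIDHistory entry that names the trusting domain's Domain Admins group. Both domain SIDs and the incoming SID list are constructed sample values; real DCs additionally apply a fixed table of well-known SIDs that are always or never filtered, which this model omits.

```python
"""SID filtering (quarantine) on an external trust, modelled in Python.

Added example, not taken from the slides. The trusting domain's DC receives
the user's SID, group SIDs and SIDHistory from the trusted domain and, with
quarantine on, discards every SID that is not relative to the trusted
domain's own SID. The domain SIDs below are constructed sample values.
"""
import re

# Domain SIDs of the two sides of the trust (constructed sample values).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # contoso.msft
TRUSTING_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # nwtraders.msft

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain part, RID) of a SID string,
    e.g. S-1-5-21-a-b-c-512 -> ('S-1-5-21-a-b-c', 512)."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def filter_sids(sids, trusted_domain_sid, quarantine=True):
    """Apply SID filter quarantining to authorization data arriving over the trust.

    Returns (kept, dropped). With quarantine=False (netdom ... /quarantine:No,
    needed while migrated accounts still rely on SIDHistory) nothing is filtered.
    """
    if not quarantine:
        return list(sids), []
    kept, dropped = [], []
    for sid in sids:
        prefix, _rid = split_sid(sid)
        if prefix == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)  # foreign or well-known SID: candidate for spoofing
    return kept, dropped


# Constructed authorization data for a contoso.msft user whose domain admin has
# spoofed SIDHistory to add nwtraders.msft's Domain Admins (RID 512) and
# BUILTIN\Administrators.
INCOMING_SIDS = [
    TRUSTED_DOMAIN_SID + "-1105",   # the user's own SID
    TRUSTED_DOMAIN_SID + "-513",    # contoso.msft Domain Users
    TRUSTING_DOMAIN_SID + "-512",   # spoofed: nwtraders.msft Domain Admins
    "S-1-5-32-544",                 # spoofed: BUILTIN\Administrators
]


def demo():
    """Show what reaches the trusting domain with and without quarantine."""
    with_filter = filter_sids(INCOMING_SIDS, TRUSTED_DOMAIN_SID, quarantine=True)
    without_filter = filter_sids(INCOMING_SIDS, TRUSTED_DOMAIN_SID, quarantine=False)
    return {"quarantine_on": with_filter, "quarantine_off": without_filter}


if __name__ == "__main__":
    for mode, (kept, dropped) in demo().items():
        print(mode, "kept:", kept, "dropped:", dropped)
```

With quarantine on, only the two contoso.msft SIDs survive; with it off, the spoofed Domain Admins and BUILTIN\Administrators SIDs reach the trusting domain's access checks unchanged. For a forest trust the equivalent netdom switch is /enablesidhistory rather than /quarantine.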
How Name Suffix Conflicts Are Detected and Resolved
• Name suffix conflicts occur when
  • a DNS name is already in use
  • a NetBIOS name is already in use
  • a domain SID conflicts with another name suffix SID
• Name suffix conflicts in a domain cause access to that domain from outside the forest to be denied
Characteristics of Trusts
Parent/Child and Tree/Root trust: created automatically; two-way and transitive by default.
Shortcut trust: intra-forest only; one-way or two-way; partially transitive (it shortens the authentication path between two domains of the same forest).
Forest trust: between Windows Server 2003 forests only; one-way or two-way; transitive between the two forests, but it does not extend to a third forest that one of them trusts.
Realm trust: trust relationships with other operating systems that also support the Kerberos protocol; one-way or two-way; transitive or non-transitive; uses Kerberos authentication only.
External trust: trust relationships with Windows domains that are not in the same forest; one-way or two-way; non-transitive; uses NTLM authentication only.
How NTLM Authentication Works (diagram: Client and Domain Controller, which holds the Security Accounts Database)
1. The client sends the user name and domain to the domain controller.
2. The domain controller returns a nonce.
3. The client encrypts the nonce with the user's password hash (User Password Hash → Nonce).
4. The client sends the result to the domain controller.
5. The domain controller fetches the user's password hash from the security accounts database, encrypts the nonce the same way (User Password Hash → Nonce) and compares the two results.
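The exchange above as a runnable model, added here as an example (not code from the presentation or from Windows). Both sides are written out so the security property is visible: the domain controller never sees the password, only the nonce keyed with the stored hash, which is why a stolen hash logs on as well as the password does, and why a fresh nonce per logon is what stops replay. SHA-256 and HMAC-SHA256 stand in for the real NT hash (MD4 over the UTF-16LE password) and NTLM response functions so the block runs with the standard library; the NWTRADERS\jeff account is constructed.

```python
"""Challenge/response logon modelled on the NTLM flow in the slide above.

Added example, not from the slides. Real NTLM derives the NT hash with MD4
over the UTF-16LE password and computes the response with DES (NTLMv1) or
HMAC-MD5 (NTLMv2); SHA-256 and HMAC-SHA256 stand in here so the exchange
runs anywhere. The message flow and the trust placed in the stored hash are
the same. The account below is constructed.
"""
import hashlib
import hmac
import os


def password_hash(password):
    """Stand-in for the stored NT hash (real NTLM: MD4(UTF-16LE(password)))."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash, nonce):
    """Steps 3 and 5: the nonce keyed with the password hash (HMAC-SHA256 stand-in)."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class DomainController:
    """Holds the security accounts database and verifies logons."""

    def __init__(self, accounts):
        self.accounts = accounts          # (domain, user) -> password hash
        self.outstanding = set()          # nonces issued but not yet answered

    def challenge(self, domain, user):
        """Steps 1-2: look the account up and issue a fresh 8-byte nonce."""
        if (domain, user) not in self.accounts:
            return None
        nonce = os.urandom(8)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, domain, user, nonce, response):
        """Steps 4-5: recompute from the stored hash and compare."""
        if nonce not in self.outstanding:
            return False                  # unknown or already-used nonce (replay)
        self.outstanding.discard(nonce)   # each nonce answers exactly one logon
        expected = compute_response(self.accounts[(domain, user)], nonce)
        return hmac.compare_digest(expected, response)


def logon(dc, domain, user, pw_hash):
    """Client side of steps 1-4; returns True when the DC accepts the response."""
    nonce = dc.challenge(domain, user)
    if nonce is None:
        return False
    return dc.verify(domain, user, nonce, compute_response(pw_hash, nonce))


def demo():
    """Constructed account NWTRADERS\\jeff; returns the outcome of four logon attempts."""
    dc = DomainController({("NWTRADERS", "jeff"): password_hash("P@ssw0rd")})
    results = {}
    results["correct_password"] = logon(dc, "NWTRADERS", "jeff", password_hash("P@ssw0rd"))
    results["wrong_password"] = logon(dc, "NWTRADERS", "jeff", password_hash("guess"))
    # Pass-the-hash: the client never needs the password, only its hash.
    stolen_hash = dc.accounts[("NWTRADERS", "jeff")]
    results["hash_only"] = logon(dc, "NWTRADERS", "jeff", stolen_hash)
    # Replay: a captured (nonce, response) pair is useless once it has been answered.
    nonce = dc.challenge("NWTRADERS", "jeff")
    response = compute_response(stolen_hash, nonce)
    dc.verify("NWTRADERS", "jeff", nonce, response)
    results["replayed_response"] = dc.verify("NWTRADERS", "jeff", nonce, response)
    return results


if __name__ == "__main__":
    print(demo())
```

The "hash_only" result is the practical reason the slide's flow matters for trust design: any system that stores or receives the hash (the trusted domain's DCs, or a server that relays NTLM across an external trust) can impersonate the user to every trusting domain.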
How Kerberos Authentication Works (diagram: User, KDC & TGS, Target Server; messages User Name, TGT + SA, TGT + Timestamp, and the KAB ticket pair)
1. When a user enters a user name and password, the computer sends the user name to the Key Distribution Centre (KDC).
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items, a session key (SA) to share with the user, and a Ticket Granting Ticket (TGT).
3. The client computer now has a session key and a TGT. To access a resource, the client presents its TGT and a timestamp encrypted with the session key that is already shared with the KDC.
4. The TGS creates a pair of tickets, one for the client and one for the server the client wants to access resources on. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB).
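The four steps above carried through in code, as an added example that is not part of the presentation and not a Kerberos implementation: a toy authenticated cipher (seal/unseal, SHA-256 keystream plus HMAC tag) stands in for Kerberos ticket encryption so the block runs with the standard library, while the structure follows the slide: KA derived from the password, SA and TGT from the AS exchange, the KAB ticket pair from the TGS, and the server opening only the ticket sealed under its own key and enforcing the ticket's timestamp and lifetime. The principals jeff and host/fileserver, the 600 s lifetime and the 300 s clock-skew limit are constructed or assumed values.

```python
"""Kerberos ticket flow from the slide above (AS exchange, TGS exchange, server access).

Added example, not from the slides. Real Kerberos uses string-to-key and AES/RC4
ticket encryption; a SHA-256 keystream with an HMAC tag (seal/unseal) stands in so
the block runs with the standard library only. Principals, keys, LIFETIME and SKEW
are constructed or assumed values.
"""
import hashlib
import hmac
import json
import os

SKEW = 300        # assumed maximum clock skew accepted for authenticators (s)
LIFETIME = 600    # assumed TGT and service ticket lifetime (s)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-able dict under a symmetric key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or tampered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication service and ticket-granting service of one domain."""

    def __init__(self, principals):
        self.principals = principals        # principal name -> long-term key
        self.krbtgt_key = os.urandom(32)    # key that protects TGTs

    def as_exchange(self, user, now):
        """Steps 1-2: user name in; SA (sealed under KA) and TGT (under krbtgt key) out."""
        sa = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "sa": sa, "issued": now, "lifetime": LIFETIME})
        return seal(self.principals[user], {"sa": sa}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Steps 3-4: TGT + timestamp in; the ticket pair carrying KAB out."""
        t = unseal(self.krbtgt_key, tgt)
        if now > t["issued"] + t["lifetime"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["sa"]), authenticator)
        if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > SKEW:
            raise ValueError("authenticator rejected")
        kab = os.urandom(32).hex()
        for_client = seal(bytes.fromhex(t["sa"]), {"service": service, "kab": kab})
        for_server = seal(self.principals[service], {"user": t["user"], "service": service,
                                                     "kab": kab, "issued": now, "lifetime": LIFETIME})
        return for_client, for_server


def server_accept(server_key, ticket, authenticator, now):
    """Target server: open its ticket with its own key, then check the client's
    authenticator under KAB. Returns the authenticated user name."""
    t = unseal(server_key, ticket)
    if now > t["issued"] + t["lifetime"]:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["kab"]), authenticator)
    if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > SKEW:
        raise ValueError("authenticator rejected")
    return t["user"]


def access_server(kdc, user, ka, service, server_key, now, delay=0):
    """Client run: AS, TGS, then present the service ticket `delay` seconds later."""
    sa_blob, tgt = kdc.as_exchange(user, now)
    sa = bytes.fromhex(unseal(ka, sa_blob)["sa"])          # only KA opens this
    for_client, for_server = kdc.tgs_exchange(
        tgt, seal(sa, {"user": user, "timestamp": now}), service, now)
    kab = bytes.fromhex(unseal(sa, for_client)["kab"])     # the client's half of the pair
    later = now + delay
    return server_accept(server_key, for_server, seal(kab, {"user": user, "timestamp": later}), later)


def demo():
    """Constructed principals jeff and host/fileserver: a fresh ticket is accepted,
    the same ticket presented after LIFETIME has passed is rejected."""
    ka = hashlib.sha256("P@ssw0rd".encode("utf-16-le")).digest()   # KA from the password (toy KDF)
    ks = os.urandom(32)
    kdc = KDC({"jeff": ka, "host/fileserver": ks})
    accepted = access_server(kdc, "jeff", ka, "host/fileserver", ks, now=1000)
    try:
        access_server(kdc, "jeff", ka, "host/fileserver", ks, now=1000, delay=LIFETIME + 1)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

The point to take from the server side is that the client holds the for_server ticket but cannot open or alter it (unseal under any key other than the server's fails the integrity check), so the user name, KAB and lifetime the server acts on are the ones the KDC wrote, not the client's claims.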
How Kerberos V5 Works Across Domains (diagram: a client in sales.nwtraders.msft requests access to a server in marketing.contoso.msft; the request is referred from KDC 1 in the client's own domain through KDC 2 and KDC 3 along the trust path, with contoso.msft as the forest root domain, until KDC 4 in marketing.contoso.msft issues the session ticket, which the client presents to the server in step 5)
How Trusts Work in a Forest (diagram: a forest root domain with two trees. Tree One contains Domain 1 and Domain 2; Tree Two has its own tree root domain containing Domain A, Domain B and Domain C. A shortcut trust is drawn directly between two domains in different trees so that authentication between them need not walk up through the forest root)
How Trusts Work Across Forests (diagram: Forest 1, contoso.msft with the child domain seattle.contoso.msft, and Forest 2, nwtraders.msft with the child domain vancouver.nwtraders.msft, joined by a forest trust; each forest has a global catalog. The numbered steps 1 to 9 trace an authentication request between a computer in Seattle and one in Vancouver, walking up to the forest root domain on each side of the forest trust)