|Applies To||RSA ClearTrust Agent 4.7 for Microsoft IIS|
RSA ClearTrust 18.104.22.168
Microsoft Windows 2000 Server SP2
|Issue||How to set up NT authentication on ClearTrust in multi-domain environment|
Assume two domains are set up in a particular network environment, DomainA and DomainB. DomainB trusts DomainA, but DomainA does not trust DomainB; in other words, a one-way trust is established. If the NT domain controller parameter in the ClearTrust servers' Default.conf is set as follows (and the ClearTrust Web Agent is configured for NT authentication):
, then a UserA from DomainA can log in successfully, but a UserB from DomainB cannot log in.
|Cause||ClearTrust relies on the network configuration to accomplish NT authentication in a multi-domain environment. Although ClearTrust does not allow you to specify multiple PDCs for different domains, this is not actually required to accomplish multi-domain authentication. You can configure the Default.conf file to specify multiple NT domain hosts, but those are treated as the PDC/BDCs of a single domain, so that if one PDC/BDC is not available another one can be reached for NT authentication. The "securecontrol.aserver.auth.nt_domain_controllers" parameter is set to a PDC and, optionally, one or more BDCs for the same domain. A PDC/BDC for additional domains cannot be specified in this parameter.|
NOTE: There is a difference in the way NT authentication is accomplished in the Windows-based ClearTrust 22.214.171.124 Plugin versus the 4.7 Web Agent. The 126.96.36.199 Plugin on Windows relies on the NT operating system where the Plugin is installed for NT authentication (on UNIX the 188.8.131.52 Plugin relies on the ClearTrust Authorization Server to perform NT authentication). The 4.7 Web Agent on Windows (and UNIX) implements NT authentication only through the ClearTrust Authorization Server. Therefore, you need to provide the PDC (and optionally the BDC) name for the parameter 'securecontrol.aserver.auth.nt_domain_controllers' in the Default.conf file for the ClearTrust 184.108.40.206 servers when using the 4.7 Web Agent.
|Resolution||Setting up a full trust, i.e. a two-way trust, between the two (or more) domains will allow ClearTrust to authenticate users from both (all) domains using NT authentication.|
If a two-way trust cannot be established between the two domains, and it is required that users from both domains be able to do NT authentication, ClearTrust can be configured as follows:
Assuming the example given above where DomainB trusts DomainA but DomainA does not trust DomainB, set the NT domain controller parameter in the ClearTrust servers' Default.conf as follows (the ClearTrust Web Agent should be configured for NT authentication):
, then a UserA from DomainA as well as a UserB from DomainB can successfully log in.
|Legacy Article ID||a12252|