000019772 - How to set up NT authentication on ClearTrust in multi-domain environment

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000019772
Applies To: RSA ClearTrust Agent 4.7 for Microsoft IIS
RSA ClearTrust 4.6.1.1
Microsoft Windows 2000 Server SP2
Issue: How to set up NT authentication on ClearTrust in a multi-domain environment
Assume there are two domains set up in a particular network environment, say DomainA and DomainB. DomainB trusts DomainA, but DomainA does not trust DomainB; in other words, a one-way trust is established. If the NT domain controller parameter in the ClearTrust servers' Default.conf is set as follows (and the ClearTrust Web Agent is configured for NT authentication):

    securecontrol.aserver.auth.nt_domain_controllers=<PDC/BDC-of-DomainA>

then UserA from DomainA can log in successfully, but UserB from DomainB cannot.
Cause: ClearTrust relies on the network configuration to accomplish NT authentication in a multi-domain environment. Although ClearTrust does not allow you to specify PDCs for different domains, that is not required to accomplish multi-domain authentication. You can configure the Default.conf file to specify multiple NT domain hosts, but those are treated as the PDC/BDCs of a single domain, so that if one PDC/BDC is not available another one can be reached for NT authentication. The "securecontrol.aserver.auth.nt_domain_controllers" parameter is set to a PDC and optionally one or more additional BDCs for the same domain. PDCs/BDCs for additional domains cannot be specified with this parameter.
NOTE: There is a difference in the way NT authentication is accomplished in Windows-based ClearTrust 4.6.1.1 Plugin versus 4.7 Web Agent. The 4.6.1.1 Plugin on Windows relies on the NT operating system where the Plugin is installed for NT authentication (on UNIX the 4.6.1.1 Plugin relies on the ClearTrust Authorization Server to perform NT authentication). The 4.7 Web Agent on Windows (and UNIX) implements NT authentication only through the ClearTrust Authorization Server. Therefore, you need to provide the PDC (and optionally the BDC) name for the parameter 'securecontrol.aserver.auth.nt_domain_controllers' in the Default.conf file for the ClearTrust 4.6.1.1 servers when using 4.7 Web Agent.
Resolution: Setting up a full trust, i.e. a two-way trust, between the two (or more) domains will allow ClearTrust to authenticate users from both (all) domains using NT authentication.
If a two-way trust cannot be established between the two domains, and it is required that users from both domains be able to do NT authentication, ClearTrust can be configured as follows:

Assuming the example given above where DomainB trusts DomainA but DomainA does not trust DomainB, set the NT domain controller parameter in the ClearTrust servers' Default.conf as follows (the ClearTrust Web Agent should be configured for NT authentication):

    securecontrol.aserver.auth.nt_domain_controllers=<PDC/BDC-of-DomainB>

then UserA from DomainA as well as UserB from DomainB can log in successfully.
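The reasoning behind this resolution generalises: the controllers named in the parameter all belong to one domain, and users from any other domain can only be authenticated if that domain trusts theirs. The following is an added Python example, not RSA's code, that applies that rule to a Default.conf fragment and a trust map so you can predict which domains a given setting serves and which domain's PDC/BDC (if any) would serve every domain. The host names (pdc-a, bdc-a, pdc-b) and the trust map are constructed; the parameter name is the one from the article. Two assumptions are built in and marked in the code: multiple hosts are taken to be separated by commas or whitespace (the article says several hosts are allowed but does not show the syntax), and trusts are treated as direct and non-transitive, as classic NT trusts are.

```python
import re

# Default.conf key from the article; everything else in this file is constructed.
NT_DC_PARAM = "securecontrol.aserver.auth.nt_domain_controllers"

# Constructed: the domain each (hypothetical) domain-controller host belongs to.
DC_DOMAIN = {"pdc-a": "DomainA", "bdc-a": "DomainA", "pdc-b": "DomainB"}

# Constructed trust map, trusting domain -> set of domains it trusts.
# The article's case: DomainB trusts DomainA, DomainA does not trust DomainB.
ONE_WAY_TRUST = {"DomainA": set(), "DomainB": {"DomainA"}}


def configured_controllers(conf_text):
    """Hosts named by NT_DC_PARAM in a Default.conf fragment.

    Assumption: several hosts may be listed, separated by commas or
    whitespace; the article allows multiple hosts but does not show the syntax.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == NT_DC_PARAM:
            return [h for h in re.split(r"[,\s]+", value.strip()) if h]
    return []


def can_authenticate(user_domain, dc_domain, trusts):
    """A DC authenticates its own domain's users plus users of domains it trusts.

    Assumption: trusts are direct and non-transitive, as classic NT trusts are.
    """
    return user_domain == dc_domain or user_domain in trusts.get(dc_domain, set())


def domains_served(conf_text, dc_domain_map=DC_DOMAIN, trusts=ONE_WAY_TRUST):
    """Domains whose users can log in with the configured controllers."""
    hosts = configured_controllers(conf_text)
    if not hosts:
        raise ValueError(f"{NT_DC_PARAM} is not set")
    unknown = [h for h in hosts if h not in dc_domain_map]
    if unknown:
        raise ValueError(f"unknown domain controller host(s): {unknown}")
    dc_domains = {dc_domain_map[h] for h in hosts}
    # The parameter lists the PDC/BDCs of ONE domain; mixing domains is a misconfiguration.
    if len(dc_domains) != 1:
        raise ValueError(f"controllers span several domains: {sorted(dc_domains)}")
    (dc_domain,) = dc_domains
    return sorted(d for d in trusts if can_authenticate(d, dc_domain, trusts))


def candidate_controller_domains(trusts):
    """Domains whose DC would serve every domain in the trust map.

    An empty result means no single domain trusts all the others, which is the
    situation where only a two-way trust can make NT authentication work for all.
    """
    return sorted(d for d in trusts if all(can_authenticate(u, d, trusts) for u in trusts))


if __name__ == "__main__":
    for conf in (f"{NT_DC_PARAM}=pdc-a", f"{NT_DC_PARAM}=pdc-b"):
        print(conf, "->", domains_served(conf))
    print("DC domain covering all users:", candidate_controller_domains(ONE_WAY_TRUST))
```

With the article's one-way trust, pointing the parameter at pdc-a serves only DomainA, pointing it at pdc-b serves both domains, and candidate_controller_domains reports DomainB as the only domain whose controllers cover every user; with no trust in either direction it reports none, matching the article's advice that a two-way trust is then required.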
Legacy Article ID: a12252
