Re: Pass-through authentication for clients on two different non-trusted domains.
From: Joe Mine (huytuanattpgdotcomdotau)
Date: 03/05/04
- Next message: Herb Martin: "Re: Pass-through authentication for clients on two different non-trusted domains."
- Previous message: Drew Cooper [MSFT]: "Re: EFS Certificate Issue"
- In reply to: Roland Hall: "Re: Pass-through authentication for clients on two different non-trusted domains."
- Next in thread: Herb Martin: "Re: Pass-through authentication for clients on two different non-trusted domains."
- Reply: Herb Martin: "Re: Pass-through authentication for clients on two different non-trusted domains."
Date: Fri, 5 Mar 2004 13:54:21 +1100
Because I need to set up SQL replication between two non-trusted domains. And
the SQL experts say it can be done in this way: setting up pass-through
authentication for two non-trusted domains.
"Roland Hall" <nobody@nowhere> wrote in message news:ulfu6teAEHA.3184@TK2MSFTNGP09.phx.gbl...
> "Herb Martin" wrote in message news:OL9t0fbAEHA.3256@TK2MSFTNGP09.phx.gbl...
> : "Joe Mine" wrote in message news:#WMpmSaAEHA.2316@TK2MSFTNGP10.phx.gbl...
> : > How do I create a pass-through account that can access a share on another
> : > non-trusted domain. E.g. the share I tried to access is in the NARC domain.
> : > And at the moment I am on the HOT domain. If I create a pass-through login
> : > account as: NARCHOT password: PASS in both domains, what it turns out to be
> : > is NARC\NARCHOT and HOT\NARCHOT but not just NARCHOT which doesn't
> : > conform as a pass-through account. So how exactly do I create a
> : > pass-through account, please show the steps. Thanks.
> :
> : To my knowledge there is no such thing for domains.
>
> Herb is right, AFAIK (disclaimer). (O:=
>
> If you don't trust a domain, why would you allow them to pass through with
> credentials on your domain?
> If you want to have access, then you access by passing the credentials.
>
> net use * \\server\share password /u:domain\username
>
> That user has to have share and NTFS rights to where it wants to go. If you
> do not use the EVERYONE account, as you shouldn't, then all is ok. However,
> it is ALWAYS recommended to ONLY set NTFS permissions for groups, even if
> the group only has one member. All future maintenance, unless
> adding/removing access is handled in ADU&C, and not at the file system
> level. Want to add a user? Add them to the group. Done! If this is a
> member server, and not a DC, then create the account in the Local Domain.
> Create a local group and give the local group rights. Pass credentials when
> you want to connect make a permanent mapping.
>
> Now, let's talk about your password. ALL passwords for ALL accounts should
> be unique. There is no reason to ever duplicate one, unless by chance.
> Trusts are another story and they change their passwords eventually anyway.
> You already know that domain0\username is not the same as domain1\username.
> So, make the passwords unique. If you get compromised on one computer,
> there is no reason why you must make it easier for them to peruse the whole
> network.
>
> HTH...
>
>
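The setup described in the quoted reply (a local account and local group on the member server, share and NTFS rights granted to the group only, then a connection with explicit credentials), as an added example that is not part of the original posts. The server, account, group, folder and share names are hypothetical placeholders, and `net share /grant` and `icacls` assume a Windows version that ships them.

```batch
@echo off
rem Added example; every name below is a hypothetical placeholder.
rem Usage:  setup.cmd          (elevated prompt, on the member server hosting the share)
rem         setup.cmd client   (on the client in the other, non-trusted domain)
set SERVER=FILESRV01
set ACCOUNT=svc_repl
set GROUP=ReplShareReaders
set FOLDER=D:\ReplData
set SHARE=ReplData

if /i "%~1"=="client" goto client

rem 1. Local account on the member server. "*" prompts for the password,
rem    so it never appears on the command line or in shell history.
rem    Use a password that is unique to this account.
net user %ACCOUNT% * /add || goto failed

rem 2. Local group, with the account as its only member.
net localgroup %GROUP% /add || goto failed
net localgroup %GROUP% %ACCOUNT% /add || goto failed

rem 3. Share permission granted to the group only (no Everyone entry).
net share %SHARE%=%FOLDER% /grant:%GROUP%,READ || goto failed

rem 4. NTFS permission granted to the group, not the user:
rem    read/execute, inherited by subfolders (CI) and files (OI).
icacls "%FOLDER%" /grant "%GROUP%:(OI)(CI)RX" || goto failed

echo Server side done. Future access changes are group membership changes only.
goto :eof

:client
rem 5. Explicit credentials, qualified with the server name because the
rem    account is local to that server. The "*" after the share prompts
rem    for the password; /persistent:yes keeps the mapping across logons.
net use * \\%SERVER%\%SHARE% * /user:%SERVER%\%ACCOUNT% /persistent:yes || goto failed
goto :eof

:failed
echo A step failed; fix the reported error before continuing.
exit /b 1
```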