Re: Pass-through authentication for clients on two different non-trusted domains.
From: Joe Mine (huytuanattpgdotcomdotau)
Date: Fri, 5 Mar 2004 13:54:21 +1100
Because I need to set up SQL replication between two non-trusted domains. And
the SQL experts say it can be done in this way. Setting up passthrough
authentication for two non-trusted domains.
"Roland Hall" <nobody@nowhere> wrote in message
> "Herb Martin" wrote in message
> : "Joe Mine" wrote in message
> : > How do I create a pass-through account that can access a share on a
> : > non-trusted domain? E.g. the share I tried to access is in the NARC
> : > domain. And at the moment I am on the HOT domain. If I create a
> : > pass-through account as: NARCHOT password: PASS in both domains, what it
> : > turns out to be is NARC\NARCHOT and HOT\NARCHOT but not just NARCHOT,
> : > which doesn't conform as a pass-through account. So how exactly do I
> : > create a pass-through account? Please show the steps. Thanks.
> : To my knowledge there is no such thing for domains.
> Herb is right, AFAIK (disclaimer). (O:=
> If you don't trust a domain, why would you allow them to pass through with
> credentials on your domain?
> If you want to have access, then you access by passing the credentials.
> net use * \\server\share password /u:domain\username
> That user has to have share and NTFS rights to where it wants to go. If
> do not use the EVERYONE account, as you shouldn't, then all is ok.
> it is ALWAYS recommended to ONLY set NTFS permissions for groups, even if
> the group only has one member. All future maintenance, unless
> adding/removing access is handled in ADU&C, and not at the file system
> level. Want to add a user? Add them to the group. Done! If this is a
> member server, and not a DC, then create the account in the Local Domain.
> Create a local group and give the local group rights. Pass credentials
> you want to connect make a permanent mapping.
> Now, let's talk about your password. ALL passwords for ALL accounts
> be unique. There is no reason to ever duplicate one, unless by chance.
> Trusts are another story and they change their passwords eventually
> You already know that domain0\username is not the same as
> So, make the passwords unique. If you get compromised on one computer,
> there is no reason why you must make it easier for them to peruse the