Re: Enroll smart cards for different domain

From: Hans Walder (hans.walder_at_pointag.net)
Date: 09/19/03


Date: Fri, 19 Sep 2003 16:35:26 +0300


Thank you again for this information

Best regards,
Hans

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:uAswVHrfDHA.3024@tk2msftngp13.phx.gbl...
> No, I am sorry, a CA may only support one forest currently based on its
> architecture. We will look to remove this limitation in future versions of
> Windows Server.
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Hans Walder" <hans.walder@pointag.net> wrote in message
> news:OfXyRQbfDHA.2152@tk2msftngp13.phx.gbl...
> > Hello David,
> >
> > thank you again for your answer.
> >
> > Each of our domains belongs to one school and each domain is in its own
> > forest :(.
> >
> > Students from School A will also come to School B.
> >
> > But School A is only going to use smart card logon (at the moment) but
> > students from School B should also be able to log on to our computers
> > (with smart cards - because the smart card also contains several other
> > services, i.e. printing,...).
> >
> > We have raised all domains to Native Mode and they trust each other.
> >
> > Would it work if we also raise the Forest to Native Mode and make a trust
> > between the Forests?
> >
> > Thank you everyone for any idea.
> > Best regards,
> > Hans
> >
> > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > news:eB8YbLXfDHA.128@tk2msftngp13.phx.gbl...
> > > yes this is supported as long as both domains are in the same forest,
> > > what is failing?
> > >
> > > make sure both CAs can issue the same template.
> > >
> > > Best Practices:
> > >
> > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
> > >
> > >
> > > --
> > > David B. Cross [MS]
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > > http://support.microsoft.com
> > >
> > > "Hans Walder" <hans.walder@pointag.net> wrote in message
> > > news:%23YuQudTfDHA.556@TK2MSFTNGP11.phx.gbl...
> > > > By the way, we are using Windows Server 2003 Native Mode and Windows XP
> > > > Professional Workstation.
> > > >
> > > > Thanks to all,
> > > > Hans
> > > >
> > > > "Hans Walder" <hans.walder@pointag.net> wrote in message
> > > > news:50fd01c37d1d$590db520$a501280a@phx.gbl...
> > > > > Hi everyone,
> > > > >
> > > > > We have the following test environment:
> > > > >
> > > > > Domain A
> > > > > - Domain Controller
> > > > > - Enterprise Certificate Authority (member of domain A)
> > > > >
> > > > > Domain B
> > > > > - Domain Controller
> > > > >
> > > > > And both domains trust each other.
> > > > >
> > > > > I can enroll smart cards for users from domain A.
> > > > >
> > > > > But is it also possible to do it for users from domain B?
> > > > > Or do we have to have our own CA for each domain?
> > > > >
> > > > > Small Hint: When I create a folder and want to add a user
> > > > > to the security tab I can choose users from both domains
> > > > > but if I enroll a smart card I can only choose them from
> > > > > domain A.
> > > > >
> > > > > Is this because the CA is only trusted to Domain
> > > > > Controller A but not to Domain Controller B?
> > > > >
> > > > > Does someone have any experiences on that?
> > > > >
> > > > > Thank you all,
> > > > > Hans
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>


