Re: Access denied on network share in an other domain



r14,
I don't think that's really what you would want to do.

Leaving aside the idea of the Trust for a moment, the idea is that hosts in the DMZ (which could be compromised) should have no or limited access to the LAN. Limited access would mean specified ports to specified hosts. For example LDAP or Radius or SecurID.

For the DMZ to be able to get to a Share on the internal network is probably not desirable.

It sounds as though what you would do is to copy out your data from the internal network to the DMZ. This requires no inbound traffic to be allowed. You could use FTP or Robocopy to do this. The copy needs to use credentials that the DMZ recognises, e.g. a local account on the DMZ server, or else you can use a one way trust where DMZ servers trust the internal server.
Hope that helps,
Anthony
http://www.airdesk.com
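The push approach Anthony describes, as an added example that is not part of the thread: a PowerShell script run from the internal network that mirrors a staging folder onto a share on the DMZ web server with Robocopy, authenticating with a local account on the DMZ host so no DMZ-to-LAN access and no trust is required. The host name, share name, paths and account name are assumed values.

```powershell
# Added example, not from the thread: push web content from the internal
# network to a DMZ web server. Direction is internal -> DMZ only.
$DmzShare = '\\dmz-web01\wwwroot$'   # share on the DMZ host (assumed)
$Source   = 'D:\Staging\www'         # internal staging folder (assumed)
$LogDir   = 'D:\Logs\dmz-push'       # where robocopy logs are kept (assumed)
$DmzUser  = 'dmz-web01\svc_webpush'  # LOCAL account on the DMZ server (assumed)

# Prompt for (or fetch from a vault) the DMZ-local password; never hard-code it.
$Cred = Get-Credential -UserName $DmzUser -Message 'Local DMZ account for the push'

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir ('push-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Map a real drive letter (-Persist) with the DMZ-local credential so the
# external robocopy.exe process uses this SMB session, not an internal domain account.
New-PSDrive -Name Z -PSProvider FileSystem -Root $DmzShare -Credential $Cred -Persist -ErrorAction Stop | Out-Null
try {
    # /MIR mirrors the tree (removes files deleted from staging), /Z restartable copy,
    # /R:2 /W:5 bound the retries, /NP keeps progress noise out of the log.
    robocopy $Source 'Z:\' /MIR /Z /R:2 /W:5 /NP /LOG:$Log
    $rc = $LASTEXITCODE
}
finally {
    # Drop the mapping so the DMZ credential is not left cached on the internal host.
    Remove-PSDrive -Name Z -Force
}

# Robocopy exit codes 0-7 are success variants (bit flags: 1 copied, 2 extras, 4 mismatches);
# 8 or higher means at least one file failed to copy.
if ($rc -ge 8) {
    Write-Error "Push failed (robocopy exit code $rc); see $Log"
    exit $rc
}
Write-Host "Push completed (robocopy exit code $rc); log: $Log"
```

Because the DMZ host only needs to accept an inbound SMB session from the internal pushing host, the firewall rule can stay a single port from one internal address to one DMZ address.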




"r14edge" <r14edge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E7D9C5ED-97A9-4323-A9F5-0073BDF124F7@xxxxxxxxxxxxxxxx
thanks for the reply Anthony. As for now, I'm able to log in to my internal
domain using DMZ domain credentials. This proves to me that my trust works, but for
some reason, my web servers in my DMZ are unable to get on a share in my
internal network. I'm starting to believe I got this concept of trust all
wrong. Furthermore, how can the concept of pass-through authentication
work without a trust between two domains?

What I'm trying to achieve with my DMZ is to be able to have web in a DMZ
using a single storage area located in an internal network. Is there another way
to do this?

thanks


"Anthony [MVP]" wrote:

Fred,
If the DMZ domain trusts the internal domain you can Push files out to it.
If the internal domain trusts the DMZ domain (not what you want), the DMZ
can Pull files out from it.
Ideally you would want the DMZ to have no inbound access to the LAN, so you
would want to push files out to the DMZ.
Anthony
http://www.airdesk.com




"r14edge" <r14edge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A7DD8E40-843A-4BFB-8057-58658DC9742F@xxxxxxxxxxxxxxxx
> Hello,
>
> I'm setting up a DMZ for my company and I'm facing a big problem. I
> planned my DMZ on using a remote file storage located in my internal
> network to host my web files. I've built my DMZ in a new domain and I
> have set up a trust relationship between my internal domain and my DMZ
> domain. The trust is one-way where the incoming trust is my internal
> domain and my outgoing trust is my DMZ domain. On my remote file server,
> I'm able to see the accounts of my DMZ domain. I've set up the ACL on my
> share to be used by a specific account in the DMZ without any problem.
>
> Now, from any server in my DMZ, I'm able to get on the root (\\10.0.0.0)
> of my share but when I click on the share itself, I got an access denied
> message. I notice in the security log of the remote server that any DMZ
> server that tries to go on the remote file server is logged under NT
> AUTHORITY\ANONYMOUS LOGON.
>
> What am I missing here? I believe that computers in my DMZ should log
> under their name in the log files, right? When I switch the trust
> relationship, it's working like a charm, but I'm exposing my internal
> domain to my DMZ and I don't want that.
>
> What can I do to solve this problem?
>
> Thank you for your replies,
>
> Fred




