-
Título
SIDHistory and SID filtering - target migrated users are unable to access resources -
Descrição
SIDHistory has been added to accounts during migration and SID filter quarantining is turned off (/quarantine:NO), but users still don't have access to resources; even though the SIDHistory of the User Object and Group Membership SIDHistory has been validated using ADSI Edit.
-
Causa
For a domain-to-domain trust, security identifier (SID) filtering does not allow for the use of SIDs from outside the trusted domain to enable access to any resource within the trusting domain. For a forest-to-forest trust, SID filtering does not allow for the use of SIDs from any domain outside the trusted forest to enable access to any resource within any domain in the trusting forest.
Forest trust was used in the current scenario instead of external domain to domain trust. This type of trust was introduced in Windows Server 2003 and / EnableSidHistory switch needs to be used in place of /quarantine switch. Basically:
DOMAIN to DOMAIN trust: use /quarantine:YES/NO
FOREST to FOREST trust: use / EnableSidHistory:YES/NO
When troubleshooting, it is a good idea to use Whoami.exe Microsoft command line utility (part of Windows 2000 Resource Kit). If executed with /all switch, it will list all the SID values contained in the security token of currently logged in user. Running it under the context of source and target environments would show if particular domain's SIDs are filtered.
-
Resolução
Starting with 2000 SP4 SID filter quarantining is set by default on all external domain trusts. Also any forest trusts have SID filtering enabled by default. Netdom command line utility needs to be used to manage trusts, for Windows 2003 the syntax is:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Quarantine:no /EnableSIDHistory:yes
/UserD:user /PasswordD:password /UserO:user /PasswordO:password
where:
trusting_domain_name: is the name of the trusting domain.
/Domain: Specifies the name of the trusted domain or Non-Windows Realm.
/UserD: User account used to make the connection with the domain specified by the /Domain argument
/PasswordD: Password of the user account specified by /UserD.
/UserO: User account for making the connection with the trusting domain
/PasswordO: Password of the user account specified By /UserO.For Windows 2000 use the following command:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /FilterSIDs:no
/UserD:user /PasswordD:password /UserO:user /PasswordO:passwordAn overview of Netdom can be found in the following Microsoft TechNet article:
http://technet2.microsoft.com/windowsserver/en/library/460e3705-9e5d-4f9b-a139-44341090cfd41033.mspx?mfr=true/quarantine[:{YES | NO}]Sets or clears the domain quarantine attribute. If no value is specified then the current quarantine state is displayed.ValueDescriptionYESSpecifies that only SIDs from the directly trusted domain will be accepted for authorization data returned during authentication. SIDS from any other domains will be removed.NOSpecifies that any SID will be accepted for authorization data returned during authentication. This is the default value./EnableSIDistorySpecifying yes allows users who migrate to the trusted forest from any other forest to use SID history to access resources in this forest. Valid only for an outbound forest trust. This should be done only if the trusted forest administrators can be trusted enough to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying no would disable the ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying /EnableSIDHistory without yes or no will display the current state.Please in particular note here:"You should not enable SID filter quarantining on forest trusts, that is, by using the netdom command with the /quarantine:yes option. However, if you have migrated users from one Windows Server 2003 forest to another and the migrated users need access to resources in the former domain, you can relax the default SID filtering that is applied to a forest trust by using the netdom command with the /enablesidhistory:yes option. Using that command on a forest trust reduces the level of SID filtering on the forest trust. So, ensure that you trust the administrators of the trusted domain, as well as their security practices."
IMPORTANT: There are two types of SID filtering - SID filter quarantining with/quarantine(more broad and concentrating on SID values) and SID filtering with/enablesidhistory(more or less just SIDHistory attribute related, only applies to forest trusts ), they are often mixed together even in Microsoft documentation. SID Filter quarantining is enabled by default on all external DOMAIN trusts involving DCs with 2000 SP4 and more and SID filtering is enabled by default on all FOREST trusts (regardless of DCs as forest trust was first implemented in 2003 domains). In case of forest trust please use only/enablesidhistoryswitch, while in case of external domain trusts use/quarantineswitch. -
Informações adicionais
You can also override the forest trust by creating an external trust so that the domain that holds the resources trusts the target domain and then removing SID filtering on the external trust. Additional related Microsoft articles: Security Considerations for Trusts (See the "Disabling SID Filtering" section): http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff1.mspx Active Directory Operations Guide - Managing Trusts (See the "Procedure for Preventing Unauthorized Privilege Escalation" section): http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd05.mspx Active Directory Operations Guide - Appendix B - Procedures Reference (See the "Configure SID Filtering" section): http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#E04D0AA