I have an Active Directory Lightweight Directory Services set up. I have objects that represent users in the Active Directory (Domain_A). I have set their objectSID attribute, and users can authenticate to LDS with their Active Directory password. I love it.
Here is a formatted Wireshark network trace of a successful LDS proxy authentication:

LDAP  bindRequest(1) "cn=ixe013,cn=Users,cn=Fizz,dc=Buzz,dc=tst" simple
KRB5  AS-REQ
KRB5  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
KRB5  AS-REQ
KRB5  AS-REP
KRB5  TGS-REQ
KRB5  TGS-REP
LDAP  bindResponse(1) success
LDAP  unbindRequest(2)
I want to bring in new users from a different Active Directory (Domain_B) that has no trust relationship whatsoever with the Active Directory of Domain_A.
Is there a way to tell LDS in which domain to look for users, or does it always look in the domain it is in, maybe by using another protocol than Kerberos?
I figured out user provisioning, no need to mention it. Thanks!
The objectSID on the user proxy is looked up using MS-LSAT. http://msdn.microsoft.com/en-us/library/cc234496(v=prot.10).aspx has details. Take a Netmon (https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865) trace on the LDS server while doing the BIND to see what happens.
Once the domain of the user is identified, it will then try to use the username, domain and password of the principal you did the BIND with to get it verified against a DC of the relevant domain. If it can find a KDC, then Kerberos gets used as per your trace.
As Domain A and Domain B have no trust, the SID lookup will fail. Hence the implementation you are attempting will not work.
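The answer's point is that a proxy bind can only succeed if the LDS server's host can resolve the objectSid on the userProxy object to an account in a domain it trusts. The following PowerShell script is an added diagnostic written for this thread, not code from the original poster or from Microsoft: it enumerates the userProxy objects in an LDS container and runs the same kind of LSA SID-to-name lookup (the .NET SecurityIdentifier.Translate call, which goes through LsaLookupSids) from the LDS host, so proxies whose SID lives in an untrusted domain show up before anyone tries to bind with them. The server name, port and container are placeholders and must be replaced; the script assumes it is run on (or as an account with LSA lookup rights equivalent to) the LDS server.

```powershell
# Added diagnostic for userProxy SID resolution; not part of the original thread.
# Placeholders: replace $LdsServer, $LdsPort and $ProxyContainer with your own values.
param(
    [string]$LdsServer      = 'lds-host.example.tst',              # placeholder LDS host
    [int]   $LdsPort        = 389,                                  # placeholder LDS port
    [string]$ProxyContainer = 'cn=Users,cn=Fizz,dc=Buzz,dc=tst'     # container from the question
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Connect to the LDS instance with the caller's Windows credentials (Negotiate).
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdsServer, $LdsPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

try {
    # Pull every userProxy object under the container together with its objectSid.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $ProxyContainer,
        '(objectClass=userProxy)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('objectSid'))
    $response = $conn.SendRequest($request)

    foreach ($entry in $response.Entries) {
        $attr = $entry.Attributes['objectSid']
        if (-not $attr) {
            "{0}: no objectSid set; proxy bind cannot work" -f $entry.DistinguishedName
            continue
        }

        # GetValues([byte[]]) avoids the indexer's string-vs-byte[] guessing for binary attributes.
        $rawSid = $attr.GetValues([byte[]])[0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)

        try {
            # LSA lookup of the SID; this is what decides which domain LDS will verify the password against.
            $account = $sid.Translate([System.Security.Principal.NTAccount])
            "{0}: {1} resolves to {2}; proxy bind is possible" -f $entry.DistinguishedName, $sid.Value, $account.Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Expected outcome for a SID from a domain with no trust path (the Domain_B case in the question).
            "{0}: {1} cannot be resolved from this host; proxy bind will fail" -f $entry.DistinguishedName, $sid.Value
        }
    }
}
finally {
    $conn.Dispose()
}
```

Run it from the LDS server itself, since the lookup result depends on that machine's domain membership and trust paths, not on the workstation of whoever is troubleshooting. A proxy whose SID resolves here has a usable path for the Kerberos (or NTLM fallback) verification described above; one that reports IdentityNotMappedException is the case the answer says cannot work without a trust.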