Cross Domain Windows Endpoint Authentication?

Dietz

Hi There

I have service broker working 100% with an initiator - forwarder - target, all in the same domain using windows authentication on the endpoints, for all instances' the sql server service run under the same domain account, which in turn is granted connect on the various endpoints. This all works 100%

However i have a scenario where the initiator will be in a different trusted domain.

I need to know if i am correct in thinking that the initiator sql server servcie account can run under DomainA\sqlservice, the target instance sql server servcie can run under DomainB\sqlservice, then on the forwarder i simply grant connect on the forwarder endpoint to both DomainA\sqlservice and DomainB\sqlservice.

Is this correct, will this work

Thanx

Remus Rusanu

The initiator and acceptor both authenticate each other. There have to be a mutual trust relationship between domainA and domainB. Often this is not possible in practice, this is when certificate based authentication can be used instead as an alternative. Note that an endpoint can support both types of authentications simultaneously.

HTH,
~ Remus

Dietz

Hi Remus

Thank you for the response.

So the forwarder simply forwards the message and credentials between initiator and target, correct

The fact that the forwarder can connect to either does not resolve the matter

Thanx

Remus Rusanu

The forwarder forwards messages and messages have all the necessary means to authenticate services using certificates (the service owner and remote service binding stuff). No windows authnetication is required, nor possible, at the message level, so no real Windows credential forwarding occurs (in the terms of Kerberos delegation and such).

The endpoint authentication (the GRANT CONNECT ON ENDPOINT::... and SQL Service account stuff) refers to allowing two processes (SQL Server) to authenticate each other in order to exchange messages. This can be Windows or certificate based (to be precise, is TLS as provided by schannel SSPI)

So if a forwarder F (in DomainF) sits between two machines A (in DomainA) and B (in DomainB) then the forwarder has to be able to connect to both A and B, it can use Windows or Certificate based authentication for either of these connections. So, if Windows authentication is used, DomainA and DomainF must have a trust relationship and DomainF and DomainB must also have a trust relationship. However, absolutely no requirement exists between DomainA and DomainB directly, since A and B never directly connect. The only 'authentication' between A and B happens only at the higher level of the SSB services and is always based on certificates.

BTW, to be absolutely accurate (and just to complicate things in case were too easy to understand), when a SQL Server SSB in DomainA whishes to connect to a SQL Server instance in DomainB (and viceversa) mututal trust is not required, one way trust is enough. But if one way trust is used (say DomainB trusts DomainA but not viceversa) the SQL Server instance in the untrusted domain (DomainB in our case) must be installed to run as an user in the trusted domain (DomainA\user)

HTH,
~ Remus

Dietz

Hi Remus

Thank You for the reply.

I must admit though i am a bit more lost.

Either way i cannot even get the first thing to work. We have Domain A and Domain B, i 1 way trust relationship exists between DOmainA and DomainB, that is DomainB trusts DomainA.

BUT, if you go onto the sql server instance in DomainB, i can go to Users ANd groups and add a DomainA user, so the instance in DomainB can authenticate DomainB accounts, HOWEVER when i go into sql server management studio and create a new login, DomainA\user , it says that it cannot find sucha user or group, i can click the search by the login name navigate to domainA and find the user but when i click ok i get the same error message, so i really dont know whats going on, since at a windows level i can add DomainA users but not in sql server

So obviously there ar emore issues than simply this.

Just to clarify the scenario is as follows.

Initiator - DomainA

Forwarder DomainB

Target DomainB

- 1 way trust relationship between DomainA - DomainB, DomainB trusts DomainA.

Intiator sql service account runs under DomainB user, i want to make the forwarder service account run under a Domain B account but like i said i cannot add the login in sql server even though i can add the user ont he server innormal windows

ANyway thanx for the help , this is a serious issue, i think we may open a microsoft case to resolve it today, or move a bunch of servers to the other domain, either way lots of fun awaits.

Cheers

Remus Rusanu

What happens is that the SQL Server process running in DomainB cannot authenticate itself with DomainA to interogate the Active Directory (because its service account is in DomaniB and DomainA does not trust it). Open a query window to the SQL instance in DomainB and run this statement:

EXECUTE AS USER = 'DomainA\SomeUserName';

It will give an error with an OS error code, that code is the explanation why you cannot create users of DomainA on the instance on DomainB.

One way would be, as I mentioned above, to run the instance in DomainB (say the Forwarder) as an user in DomainA (that, specify the service account). But once you do this, you will ot be able to authenticate the Forwarder with the Target (for the same reasons). If you cannot establish mutual trust your only way out is certificate based authentication between Initiator and Forwarder.

HTH,
~ Remus