BPuhl’s Blog

A little bit of everything without actually being much of anything

Trust Attribute CROSS_ORGANIZATION and Selective Auth

Posted by BPuhl on July 30, 2008

Ever used Selective Authentication on a Windows trust?

Ever looked at the trustedDomain object via LDP (or your favorite tool), “just to check”?

Ever blown right past the trustAttributes values, because all it says is: FOREST_TRANSITIVE | CROSS_ORGANIZATION and you’re looking for something which is a little bit more intuitive than that?

Ever spent 30 minutes Live Searching, Googling, MSDN’ing, and everything else trying to figure out where the fark the bit is that gets flipped to make it selective authentication – or alternatively, just verify your sneaky suspicion that the CROSS_ORGANIZATION bit is the one?

Yeah – I hadn’t either until recently. It turns out to be ridiculously difficult to find anywhere that spells out the fact that when you see this:

Dn: CN=mslpa.corp.microsoft.com,CN=System,DC=corp,DC=microsoft,DC=com
cn: mslpa.corp.microsoft.com;
distinguishedName: CN=mslpa.corp.microsoft.com,CN=System,DC=corp,DC=microsoft,DC=com;
dSCorePropagationData: 0x0 = (  );
flatName: MSLPA;
instanceType: 0x4 = ( WRITE );
isCriticalSystemObject: TRUE;
msDS-TrustForestTrustInfo: <ldp: Binary blob 161 bytes>;
name: mslpa.corp.microsoft.com;
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=corp,DC=microsoft,DC=com;
objectClass (3): top; leaf; trustedDomain;
objectGUID: 211c8b93-b231-4a93-8bc5-e9bd865b1ecf;
securityIdentifier: <ldp: Binary blob 24 bytes>;
showInAdvancedViewOnly: TRUE;
trustDirection: 3 = ( BIDIRECTIONAL );
trustPartner: mslpa.corp.microsoft.com;
trustPosixOffset: 805306368;
trustType: 2 = ( UPLEVEL );

That the CROSS_ORGANIZATION flag (0x10) in the trustAttributes value is the one which corresponds to Selective Authentication being enabled on the trust.
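As an added example (not part of the original post), here is a small Python decoder that reads an LDP-style trustedDomain dump like the one above and reports whether the CROSS_ORGANIZATION bit is set; the bit values are the ones MS-ADTS defines for trustAttributes, and the dump it parses is constructed for the example rather than taken from a real forest.

```python
import re

# Bit values from the MS-ADTS definition of trustAttributes.
TRUST_ATTRIBUTE_FLAGS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",   # SID filtering on the trust
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",   # Selective Authentication
    0x00000020: "WITHIN_FOREST",
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",
}
CROSS_ORGANIZATION = 0x10
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}

# Constructed LDP-style dump of a trustedDomain object (not a real trust).
SAMPLE_LDP_DUMP = """\
Dn: CN=partner.example.test,CN=System,DC=corp,DC=example,DC=test
flatName: PARTNER;
objectClass (3): top; leaf; trustedDomain;
trustAttributes: 0x18 = ( FOREST_TRANSITIVE | CROSS_ORGANIZATION );
trustDirection: 3 = ( BIDIRECTIONAL );
trustPartner: partner.example.test;
trustType: 2 = ( UPLEVEL );
"""

def parse_ldp_dump(text):
    """Turn 'attr: value;' lines from an LDP dump into a dict of raw strings."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+)(?: \(\d+\))?: (.*?);?$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def ldp_int(raw):
    """LDP shows numeric attributes as '0x18 = ( ... )' or '3 = ( ... )'; keep the number."""
    return int(raw.split("=")[0].strip(), 0)

def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes value, plus any bits we do not know."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTE_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names

def summarize_trust(ldp_text):
    """Summarize one trustedDomain dump: partner, direction, flags, selective auth, SID filtering."""
    attrs = parse_ldp_dump(ldp_text)
    ta = ldp_int(attrs["trustAttributes"])
    td = ldp_int(attrs["trustDirection"])
    return {"partner": attrs["trustPartner"],
            "direction": TRUST_DIRECTION.get(td, str(td)),
            "flags": decode_trust_attributes(ta),
            "selective_auth": bool(ta & CROSS_ORGANIZATION),
            "sid_filtering": bool(ta & 0x4)}
```

Run summarize_trust on the dump of each trustedDomain object in turn; because each side of a trust keeps its own object, the inbound and outbound sides can differ.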

Part of this whole exercise was born out of some confusion over the way the UI incorrectly displays inbound and outbound trust information when there is a full trust in one direction and selective authentication in the other, as detailed in http://support.microsoft.com/default.aspx?scid=kb;en-us;830572

And yes, I’m saying CROSS_ORGANIZATION and SELECTIVE AUTHENTICATION over and over again in my own petty attempt at convincing the search engines to return this post for the next person who comes along, looking to figure out what this CROSS_ORGANIZATION flag means.


3 Responses to “Trust Attribute CROSS_ORGANIZATION and Selective Auth”

  1. Tomek said

    Since the MS Protocols documentation was released, this is one of the first places where I look for such information, sometimes even before just checking how it works :).

    trustAttributes is described in MS-ADTS, and it clearly states that the CROSS_ORGANIZATION bit (0x10) is responsible .. and here is the catch … for the authentication firewall (MS-ADTS, page 372). For some people it might be confusing, but this is a term which is rather familiar to somebody who has worked with selective authentication.

    But search engines are silent when asked about it … strange

  2. BPuhl said

    Yeah, actually the protocol documentation is ultimately where I found validation. But I was flabbergasted that I had to go that far to find the simple answer… so I figured I’d just throw this up here, so at least it will give the search engines something to chew on.

    After all, blogs seem to be the new form of documentation


  3. Dave Loder said

    Throw up another revision to the Community Content on MSDN. joe already hit that topic once.
