Trust Attribute CROSS_ORGANIZATION and Selective Auth
Posted by BPuhl on July 30, 2008
Ever used Selective Authentication on a Windows trust?
Ever looked at the trustedDomain object via LDP (or your favorite tool), “just to check”?
Ever blown right past the trustAttributes values, because all it says is: FOREST_TRANSITIVE | CROSS_ORGANIZATION and you’re looking for something which is a little bit more intuitive than that?
Ever spent 30 minutes Live Searching, Googling, MSDN’ing, and everything else trying to figure out where the fark the bit is that gets flipped to make it selective authentication – or alternatively, just verify your sneaky suspicion that the CROSS_ORGANIZATION bit is the one?
Yeah – I hadn’t either until recently. It turns out to be ridiculously difficult to find anywhere that matches up the fact that when you see this:
Dn: CN=mslpa.corp.microsoft.com,CN=System,DC=corp,DC=microsoft,DC=com
cn: mslpa.corp.microsoft.com;
distinguishedName: CN=mslpa.corp.microsoft.com,CN=System,DC=corp,DC=microsoft,DC=com;
dSCorePropagationData: 0x0 = ( );
flatName: MSLPA;
instanceType: 0x4 = ( WRITE );
isCriticalSystemObject: TRUE;
msDS-TrustForestTrustInfo: <ldp: Binary blob 161 bytes>;
name: mslpa.corp.microsoft.com;
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=corp,DC=microsoft,DC=com;
objectClass (3): top; leaf; trustedDomain;
objectGUID: 211c8b93-b231-4a93-8bc5-e9bd865b1ecf;
securityIdentifier: <ldp: Binary blob 24 bytes>;
showInAdvancedViewOnly: TRUE;
trustAttributes: 0x18 = ( FOREST_TRANSITIVE | CROSS_ORGANIZATION );
trustDirection: 3 = ( BIDIRECTIONAL );
trustPartner: mslpa.corp.microsoft.com;
trustPosixOffset: 805306368;
trustType: 2 = ( UPLEVEL );
the CROSS_ORGANIZATION flag (0x10) is the one which corresponds to Selective Authentication being in place for the trust. The 0x18 above is just FOREST_TRANSITIVE (0x8) plus CROSS_ORGANIZATION (0x10); a forest trust with forest-wide authentication would show 0x8 alone. Keep in mind that each forest stores its own trustedDomain object for the partner, so the bit only tells you whether this forest applies selective authentication to principals coming in from the partner – to see the full picture you have to look at the object on both sides.
Part of this whole exercise was born out of some confusion from people about the way the UI mistakenly displays inbound and outbound trust information when there is a full trust in one direction and selective authentication in the other, as detailed in http://support.microsoft.com/default.aspx?scid=kb;en-us;830572
And yes, I’m saying CROSS_ORGANIZATION and SELECTIVE AUTHENTICATION over and over again in my own petty attempt at convincing the search engines to return this post for the next person who comes along, looking to figure out what this CROSS_ORGANIZATION flag means.
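As an added example that is not part of the original post, the following PowerShell decodes a trustAttributes value into its flag names and reports whether the CROSS_ORGANIZATION (selective authentication) bit is set, first on the 0x18 value from the LDP dump above, then against every trustedDomain object under CN=System of the current domain. The flag table is the TRUST_ATTRIBUTE_* list from MS-ADTS; the function names and the DirectorySearcher query are my own, and the query part assumes a domain-joined host with read access to CN=System (the decode part runs anywhere).

```powershell
# Added example, not from the original post: decode trustAttributes on
# trustedDomain objects and flag trusts with Selective Authentication enabled.
# Bit values are the TRUST_ATTRIBUTE_* constants documented in MS-ADTS.
$TrustAttributeFlags = @{
    0x00000001 = 'NON_TRANSITIVE'
    0x00000002 = 'UPLEVEL_ONLY'
    0x00000004 = 'QUARANTINED_DOMAIN'      # SID filtering ("quarantine")
    0x00000008 = 'FOREST_TRANSITIVE'
    0x00000010 = 'CROSS_ORGANIZATION'      # Selective Authentication ("authentication firewall")
    0x00000020 = 'WITHIN_FOREST'
    0x00000040 = 'TREAT_AS_EXTERNAL'
    0x00000080 = 'USES_RC4_ENCRYPTION'
    0x00000200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x00000400 = 'PIM_TRUST'
    0x00000800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}
$TrustDirection = @{ 0 = 'DISABLED'; 1 = 'INBOUND'; 2 = 'OUTBOUND'; 3 = 'BIDIRECTIONAL' }

# Turn the raw integer into the same "A | B" string LDP shows, plus the two
# bits an admin usually cares about (selective auth and SID filtering).
function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory = $true)][int]$Value)
    $names = @()
    foreach ($bit in ($TrustAttributeFlags.Keys | Sort-Object)) {
        if (($Value -band $bit) -ne 0) { $names += $TrustAttributeFlags[$bit] }
    }
    # Report any bit the table does not know about rather than dropping it silently
    $known = 0
    foreach ($bit in $TrustAttributeFlags.Keys) { $known = $known -bor $bit }
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('UNKNOWN_0x{0:X}' -f $unknown) }
    New-Object PSObject -Property @{
        Value                   = ('0x{0:X}' -f $Value)
        Flags                   = ($names -join ' | ')
        SelectiveAuthentication = (($Value -band 0x10) -ne 0)
        SidFiltering            = (($Value -band 0x04) -ne 0)
    }
}

# Enumerate the trustedDomain objects of the current domain and decode each one.
# Assumes a domain-joined host; uses System.DirectoryServices so no AD module is needed.
function Get-TrustedDomainAttributes {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $systemDn = 'CN=System,' + [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]('LDAP://' + $systemDn)
    $searcher.Filter      = '(objectClass=trustedDomain)'
    $searcher.SearchScope = 'OneLevel'
    foreach ($attr in 'trustPartner', 'flatName', 'trustAttributes', 'trustDirection', 'trustType') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # property names come back lower-cased
        $decoded = ConvertFrom-TrustAttributes -Value ([int]$p['trustattributes'][0])
        New-Object PSObject -Property @{
            TrustPartner            = [string]$p['trustpartner'][0]
            FlatName                = [string]$p['flatname'][0]
            Direction               = $TrustDirection[[int]$p['trustdirection'][0]]
            TrustAttributes         = $decoded.Value
            Flags                   = $decoded.Flags
            SelectiveAuthentication = $decoded.SelectiveAuthentication
            SidFiltering            = $decoded.SidFiltering
        }
    }
}

# Offline check using the value from the LDP dump in the post (constructed input)
ConvertFrom-TrustAttributes -Value 0x18 | Format-List

# On a domain-joined host: list every trust and which ones are selective
# Get-TrustedDomainAttributes | Format-Table TrustPartner, Direction, Flags, SelectiveAuthentication -AutoSize
```

Run the second function from a domain controller or member in each forest that participates in the trust; because trustAttributes lives on each side's own trustedDomain object, a trust can show CROSS_ORGANIZATION in one forest and not in the other, which is exactly the case the KB article above describes the UI getting wrong.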
Tomek said
Since the MS Protocols documentation was released, this is one of the first places I look for such information, sometimes even before just checking how it works :).
trustAttributes is described in MS-ADTS, and it clearly states that the CROSS_ORGANIZATION bit (0x10) is responsible .. and here is the catch … for the authentication firewall (MS-ADTS, page 372). For some people it might be confusing, but this is a term which is rather familiar to somebody who has worked with selective authentication.
But search engines are silent when asked about it … strange
BPuhl said
Yeah, actually the protocol documentation is ultimately where I found validation. But I was flabbergasted that I had to go that far to find the simple answer… so I figured I’d just throw this up here, so at least it will give the search engines something to chew on.
After all, blogs seem to be the new form of documentation
~B
Dave Loder said
Throw up another revision to the Community Content on MSDN. joe already hit that topic once.