Trust Attribute CROSS_ORGANIZATION and Selective Auth
Posted by BPuhl on July 30, 2008
Ever used Selective Authentication on a Windows trust?
Ever looked at the trustedDomain object via LDP (or your favorite tool), “just to check”?
Ever blown right past the trustAttributes values, because all it says is: FOREST_TRANSITIVE | CROSS_ORGANIZATION and you’re looking for something which is a little bit more intuitive than that?
Ever spent 30 minutes Live Searching, Googling, MSDN’ing, and everything else trying to figure out where the fark the bit is that gets flipped to make it selective authentication – or alternatively, just verify your sneaky suspicion that the CROSS_ORGANIZATION bit is the one?
Yeah – I hadn’t either until recently. Turns out to be ridiculously difficult to find someplace that matches up the fact that when you see this:
dSCorePropagationData: 0x0 = ( );
instanceType: 0x4 = ( WRITE );
msDS-TrustForestTrustInfo: <ldp: Binary blob 161 bytes>;
objectClass (3): top; leaf; trustedDomain;
securityIdentifier: <ldp: Binary blob 24 bytes>;
trustAttributes: 0x18 = ( FOREST_TRANSITIVE | CROSS_ORGANIZATION );
trustDirection: 3 = ( BIDIRECTIONAL );
trustType: 2 = ( UPLEVEL );
That the CROSS_ORGANIZATION flag (0x10) is the one which corresponds to Selective Authentication being in place for the trust.
Part of this whole exercise was born out of some confusion from people on the way that the UI mistakenly displays inbound and outbound trust information when there is a full trust in one direction, and selective authentication in the other, as detailed in http://support.microsoft.com/default.aspx?scid=kb;en-us;830572
And yes, I’m saying CROSS_ORGANIZATION and SELECTIVE AUTHENTICATION over and over again in my own petty attempt at convincing the search engines to return this post for the next person who comes along, looking to figure out what this CROSS_ORGANIZATION flag means.