This section describes the requirements for allowing trusted domain authentication in Windows domains. These requirements apply to any passwordless authentication method when Tectia Server is located in another Windows domain than the client users accessing Tectia Server and services it offers. The client users may be located in a network domain that is external to a corporate network providing a service that is secured with Tectia Server. These requirements apply to Windows domain controllers only.
Windows Server 2008 or a newer version is required.
A bidirectional trust path between Windows domains is required when the client and
the service are in different domains. Otherwise Kerberos extensions from Microsoft
called Service-for-User (S4U) do not work. If bidirectional trust cannot be used, you
can set up a one-way trust relationship using the Tectia Server
Configuration, tool Domain Policy page (see Domain Policy) or with the
element in the XML configuration
The functional level of domain controllers should be
in order for the Kerberos extensions to work properly.
You can raise the domain functional level by logging into the primary domain controller with administrator credentials. Locate the Active Directory Users and Computers and in the console tree, right-click the domain node whose functional level you want to raise.
DNS suffixes must be configured properly so that the trusted domains can see each other and can retrieve information about users.
On the DNS server, by clicking the Advanced button in a connection's Internet Protocol (IP) Properties dialog box, you can open the connection's Advanced TCP/IP Settings dialog box. On the DNS tab of this dialog box, you can create DNS suffixes to be used by the connection.