Requirements for Trusted Domain Authentication on Windows

This section describes the requirements for allowing trusted domain authentication in Windows domains. These requirements apply to any passwordless authentication method when Tectia Server is located in another Windows domain than the client users accessing Tectia Server and services it offers. The client users may be located in a network domain that is external to a corporate network providing a service that is secured with Tectia Server. These requirements apply to Windows domain controllers only.

Domain controllers

Windows Server 2008 or a newer version is required.

Trust path between domains

A bidirectional trust path between Windows domains is required when the client and the service are in different domains. Otherwise Kerberos extensions from Microsoft called Service-for-User (S4U) do not work. If bidirectional trust cannot be used, you can set up a one-way trust relationship using the Tectia Server Configuration, tool Domain Policy page (see Domain Policy) or with the windows-domain element in the XML configuration file.

Functional level of domains

The functional level of domain controllers should be Native Win2003 in order for the Kerberos extensions to work properly.

You can raise the domain functional level by logging into the primary domain controller with administrator credentials. Locate the Active Directory Users and Computers and in the console tree, right-click the domain node whose functional level you want to raise.

DNS suffixes

DNS suffixes must be configured properly so that the trusted domains can see each other and can retrieve information about users.

On the DNS server, by clicking the Advanced button in a connection's Internet Protocol (IP) Properties dialog box, you can open the connection's Advanced TCP/IP Settings dialog box. On the DNS tab of this dialog box, you can create DNS suffixes to be used by the connection.