<p>After a call to Microsoft, this was resolved: we hadn't put the "Allowed to Authenticate" permission on a number of the users running services on the host machines. The documentation all referred to having to give your clients that permission on the <em>machines</em> you are accessing (including the DC in some cases), but said nothing about also having to add your remote clients to the "security" tab of the host user running the services.</p>
<p>So I'll summarize with some contrived user, domain, and machine names, as well as one actual service account which exists by default.</p>
<ul>
<li>"A" domain: The domain where the client is trying to connect from.</li>
<li>"B" domain: This is the domain where a machine is hosting the service being connected to by a user in domain A.</li>
<li>Client@A: user from the A domain connecting to a service in the B domain.</li>
<li>ServiceAccount@B: user from the B domain that is hosting the WCF service that Client@A is connecting to.</li>
<li>krbtgt@B: this is a built-in user whose description is "Key Distribution Center Service Account". It will be under Active Directory Users and Computers under "Users" as long as you have "Advanced Features" enabled under the "view" menu. It won't show up at all unless you have done that.</li>
<li>B-DC: The domain controller of domain B.</li>
<li>B-host: The host machine for the WCF service we're connecting to.</li>
</ul>
<p>So, to let Client@A connect to the WCF service being run on B-host by user ServiceAccount@B by using SSPI/Windows authentication, on an external trust with Selective Authentication, you need to do the following:</p>
<ol>
<li>Open up AD Users &amp; Computers and under the "view" menu enable "Advanced Features".</li>
<li>Find the B-DC object (under Domain Controllers by default, but could be elsewhere if you've moved it) and open up the "security" tab. The tab won't exist unless you've enabled Advanced Features in step 1. Add the Client@A user to the group or user names, and make sure that "read" and "allowed to authenticate" are checked for that user.</li>
<li>Find the B-host object (under Computers by default, but could be elsewhere if you've moved it) and open up the "security" tab. The tab won't exist unless you've enabled Advanced Features in step 1. Add the Client@A user to the group or user names, and make sure that "read" and "allowed to authenticate" are checked for that user.</li>
<li>Find the krbtgt@B user under "Users". The account itself will not be visible without "advanced features" enabled. Go to the security tab and add the Client@A user with the "allowed to authenticate" and "read" permissions checked.</li>
<li>Find the serviceaccount@B user and do the same as you did for krbtgt.</li>
</ol>
<p>NOW it should work. It's weird you need all that just to run a windows-authenticated (so not certificates) WCF connection across the boundary like that, but there you go. You need to add your remote user to FOUR different objects in AD to get it to work. Presumably adding the remote user to some domain-local groups in domain B that had the right permissions would also work, but that's not tested yet.</p>
<p>Edit: and then get krbtgt overwritten by the PDC Emulator with the rights on AdminSDHolder in under an hour. Every hour.</p>
<p>Basically, krbtgt is super-protected. You have to alter AdminSDHolder, and it propagates out a lot. The command to add JUST "allowed to authenticate" is:</p>
<pre><code>dsacls "[DN of object]" /g "[groupname]:ca;allowed to authenticate"</code></pre>
<p>Look up the "dsacls" tool if you want more info on what it does. It's pretty handy for both altering the access control lists, and printing them out. Better than the GUI in fact.</p>
<p>Anyways, this actually works now. There's the FULL answer.</p>
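<p>As an added example (not part of the answer above), the following PowerShell script audits the four objects the answer names for the "Allowed to Authenticate" extended right granted to the remote principal, and optionally grants it with the same <code>dsacls</code> call the answer uses. It assumes the ActiveDirectory module is available on a domain-B member, that the trusted-domain principal resolves as <code>A\Client</code>, and that the object names (<code>B-DC</code>, <code>B-host</code>, <code>ServiceAccount</code>) are the answer's placeholders. The GUID for the "Allowed to Authenticate" right is the standard schema value; treat it as an assumption to verify against your forest's <code>controlAccessRight</code> objects. Re-running the audit on a schedule is a cheap way to notice when SDProp has reset the krbtgt ACL from AdminSDHolder, as the edit in the answer describes.</p>

```powershell
# Added example: audit (and optionally grant) "Allowed to Authenticate" for a
# trusted-domain principal on the four AD objects listed in the answer.
# Not code from the original answer; names below are placeholders.
param(
    [string]$Principal = 'A\Client',   # Client@A in DOMAIN\user form (assumption: resolvable via the trust)
    [switch]$Grant                     # when set, grant the right where it is missing
)

Import-Module ActiveDirectory

# Extended right GUID for "Allowed to Authenticate" (assumption: standard schema value;
# confirm with: Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
#   -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid)
$AllowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# The four objects from the answer: B-DC, B-host, krbtgt@B, ServiceAccount@B (placeholder names).
$Targets = @(
    (Get-ADComputer 'B-DC').DistinguishedName,
    (Get-ADComputer 'B-host').DistinguishedName,
    (Get-ADUser 'krbtgt').DistinguishedName,
    (Get-ADUser 'ServiceAccount').DistinguishedName
)

function Test-AllowedToAuthenticate {
    # Returns $true when an Allow ACE for $Identity carries the Allowed-to-Authenticate extended right.
    param([string]$Dn, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$Dn"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $AllowedToAuthGuid
    }
    return [bool]$match
}

foreach ($dn in $Targets) {
    $present = Test-AllowedToAuthenticate -Dn $dn -Identity $Principal
    '{0,-8} {1}' -f ($(if ($present) { 'OK' } else { 'MISSING' })), $dn
    if (-not $present -and $Grant) {
        # Same operation as the dsacls line in the answer, scoped to this one object.
        & dsacls.exe $dn /G "${Principal}:CA;Allowed to Authenticate"
    }
}
```

<p>Run it without <code>-Grant</code> first to see which of the four objects currently lack the ACE; a "MISSING" line for the krbtgt object shortly after a successful grant is the AdminSDHolder propagation the answer warns about, and the durable fix is to change AdminSDHolder rather than to keep re-granting on krbtgt.</p>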