Configuring Selective Authentication Settings
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trusts that are created between Windows Server 2003 forests can use legacy authentication settings (settings that were used in Windows 2000 Server) or selective authentication. Selective authentication is a security setting that can be enabled on external trusts and forest trusts between Windows Server 2003 forests. Selective authentication provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in the trusting forest. Because creating an external trust or forest trust provides a pathway for all authentication requests between the forests, this increased control is especially important when administrators need to grant access to shared resources in their organization’s forest to a limited set of users in another organization’s forest.
For more information about how selective authentication settings work, see "Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
For more information about how to use the Netdom command-line tool to configure selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
To complete this task, perform the following procedures:
Enable selective authentication over an external trust
Enable selective authentication over a forest trust
Enable domain-wide authentication over an external trust
Enable forest-wide authentication over a forest trust
Grant the Allowed to Authenticate permission on computers in the trusting domain or forest