Enable Selective Authentication over an External Trust

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2

Selective authentication over an external trust restricts access to only those users in a trusted domain who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory Domain Services (AD DS). For more information, see Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest. For more information about how selective authentication works, see Security Considerations for Trusts (https://go.microsoft.com/fwlink/?LinkID=111846).

To provide access to computers in the trusting domain to only those users in the trusted domain who have the Allowed to Authenticate permission applied to the computer objects, you can use this procedure to enable selective authentication over an external trust with the New Trust Wizard in the Active Directory Domains and Trusts snap-in or with the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (https://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Enabling selective authentication over an external trust

  • Using the Windows interface

  • Using a command line

To enable selective authentication over an external trust using the Windows interface

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain that you want to administer, and then click Properties.

  3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties.

  4. On the Authentication tab, click Selective authentication, and then click OK.

Note

Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

To enable selective authentication over an external trust using a command line

  1. Open a Command Prompt.

  2. At the command prompt, type the following command, and then press ENTER:

    Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
    Parameter Description

    <TrustingDomainName>

    The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being managed.

    <TrustedDomainName>

    The DNS name (or NetBIOS name) of the domain that is trusted in the trust that is being managed.

    <DomainAdministratorAcct>

    The user account name with the appropriate administrator credentials to modify the trust.

    <DomainAdminPwd>

    The password of the user account in <DomainAdministratorAcct>.