

Requirements for Trusted Domain Authentication on Windows

This section describes the requirements for allowing trusted domain authentication in Windows domains. These requirements apply to any passwordless authentication method when Tectia Server is located in a different Windows domain than the client users who access Tectia Server and the services it offers. The client users may be located in a network domain that is external to the corporate network providing a service that is secured with Tectia Server. These requirements apply to Windows domain controllers only.

Domain controllers

Windows Server 2008 or a newer version is required.

Trust path between domains

A bidirectional trust path between Windows domains is required when the client and the service are in different domains. Otherwise the Microsoft Kerberos extensions called Service-for-User (S4U) do not work. If bidirectional trust cannot be used, you can set up a one-way trust relationship using the Domain Policy page of the Tectia Server Configuration tool (see Domain Policy) or with the windows-domain element in the XML configuration file.

Functional level of domains

The functional level of domain controllers should be Native Win2003 in order for the Kerberos extensions to work properly.

You can raise the domain functional level by logging on to the primary domain controller with administrator credentials. Open Active Directory Users and Computers and, in the console tree, right-click the domain node whose functional level you want to raise.

DNS suffixes

DNS suffixes must be configured properly so that the trusted domains can see each other and can retrieve information about users.

On the DNS server, open the connection's Internet Protocol (IP) Properties dialog box and click the Advanced button to open the connection's Advanced TCP/IP Settings dialog box. On the DNS tab of this dialog box, you can create DNS suffixes to be used by the connection.
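
The requirements above can be checked from a domain-joined host before enabling trusted domain authentication. The following script is an added example, not part of the Tectia documentation; it assumes the RSAT ActiveDirectory module and the DnsClient module are available, and client.example.com is a placeholder for the client users' domain. Treating functional levels above native Windows Server 2003 as acceptable, and expecting the peer domain in the DNS suffix search list, are assumptions of this example.

```powershell
# Added example, not from the Tectia documentation.
# Assumes the RSAT ActiveDirectory module and the DnsClient module are installed.
# 'client.example.com' is a placeholder for the client users' domain.
param([string]$PeerDomain = 'client.example.com')

Import-Module ActiveDirectory -ErrorAction Stop

# Helper (hypothetical name) that emits one result row per requirement.
function New-Check($Name, $Status, $Detail) {
    [pscustomobject]@{ Check = $Name; Status = $Status; Detail = $Detail }
}

# Functional level: modes older than native Windows Server 2003 are flagged.
$mode = [string](Get-ADDomain).DomainMode
$old  = 'Windows2000Domain', 'Windows2003InterimDomain'
New-Check 'Functional level' $(if ($mode -in $old) { 'FAIL' } else { 'OK' }) $mode

# Trust path: S4U needs a bidirectional trust; a one-way trust needs the
# Domain Policy / windows-domain configuration described above.
$trust = Get-ADTrust -Filter "Name -eq '$PeerDomain'"
if (-not $trust) {
    New-Check 'Trust path' 'FAIL' "No trust object found for $PeerDomain"
} elseif ([string]$trust.Direction -eq 'BiDirectional') {
    New-Check 'Trust path' 'OK' 'BiDirectional'
} else {
    New-Check 'Trust path' 'WARN' "One-way ($($trust.Direction)); configure Domain Policy"
}

# DNS suffixes: this example expects the peer domain in the suffix search list.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
$dnsState = if ($suffixes -contains $PeerDomain) { 'OK' } else { 'WARN' }
New-Check 'DNS suffix' $dnsState ($suffixes -join ', ')

# Visibility: the peer domain's controllers must be resolvable from this host.
$record = "_ldap._tcp.dc._msdcs.$PeerDomain"
$srv = Resolve-DnsName -Name $record -Type SRV -ErrorAction SilentlyContinue
New-Check 'Peer DC lookup' $(if ($srv) { 'OK' } else { 'FAIL' }) $record
```

Run the script in each domain, passing the other domain's name as -PeerDomain, so that both sides of the trust are verified.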

