This section describes the requirements for allowing trusted domain authentication in Windows domains. These requirements apply to any passwordless authentication method when Tectia Server is located in another Windows domain than the client users accessing Tectia Server and services it offers. The client users may be located in a network domain that is external to a corporate network providing a service that is secured with Tectia Server. These requirements apply to Windows domain controllers only.
- Domain controllers
Windows Server 2008 or a newer version is required.
- Trust path between domains
A bidirectional trust path between Windows domains is required when the client and the service are in different domains. Otherwise Kerberos extensions from Microsoft called Service-for-User (S4U) do not work. If bidirectional trust cannot be used, you can set up a one-way trust relationship using the Tectia Server Configuration, tool Domain Policy page (see Domain Policy) or with the
windows-domainelement in the XML configuration file.
- Functional level of domains
The functional level of domain controllers should be
Native Win2003in order for the Kerberos extensions to work properly.
You can raise the domain functional level by logging into the primary domain controller with administrator credentials. Locate the Active Directory Users and Computers and in the console tree, right-click the domain node whose functional level you want to raise.
- DNS suffixes
DNS suffixes must be configured properly so that the trusted domains can see each other and can retrieve information about users.
On the DNS server, by clicking the Advanced button in a connection's Internet Protocol (IP) Properties dialog box, you can open the connection's Advanced TCP/IP Settings dialog box. On the DNS tab of this dialog box, you can create DNS suffixes to be used by the connection.