Posted by Roger Abell [MVP] on April 14, 2007, 1:47 am
> Wow ! fast Help from MVP !
>
> The accessing user is in the top domain; the NTFS resource is on a
> server in the other sub-domain.
>
> Using your words to describe the interesting part of my question: "At
> that point, the token from the TGT is copied into the service ticket and
> extended with added information about memberships unique to the
> environment of that resource". Could an NTFS read permission granted to
> Authenticated Users skip this step?
>
Theoretically yes, it could have been implemented that way, but it
was not and it would be inefficient. As I had indicated, the NTFS
grants have not been looked at yet when this happens.
>
> Could replacing Authenticated Users with topdomain\Domain Users require
> more Kerberos activity? Should I check speed performance counters for
> very high volume?
>
I do not see how there would be any difference in activity.
It is pretty much constant.
Your bigger concern might be to make sure Kerberos is actually
being used, rather than attempted and then this getting followed
by a failover to use of NTLM.
Roger
>
>> Perhaps a little info on how things work algorithmically would
>> help you assess what questions you are needing to ask. For example,
>> you have not indicated what domain is the account domain of the
>> accessing user.
>>
>> At login via Kerberos the account gets a TGT (ticket granting ticket)
>> that contains within it that account's user token. At this point the
>> token contains among other things a representation of all group
>> memberships of that account in that domain. Of course, "that domain" is
>> the domain of the account (the only one that can be authoritative in
>> authenticating the account login).
>> Now, when that account attempts to access a resource, if that resource
>> can be accessed via Kerberos, the TGT is presented in order to obtain
>> a service ticket for the resource. At that point, the token from the TGT
>> is copied into the service ticket and extended with added information
>> about memberships unique to the environment of that resource (another
>> domain? machine local? etc.).
>> Finally, the resource is accessed, at which point the type of access in
>> the demand is compared to the grants on the resource and the user
>> token information.
>> So, to get to your question, notice that if the account is authenticated
>> (not anonymous) then the TGT already indicates Authenticated Users,
>> but that is immaterial to your apparent question since the token gets
>> expanded as needed in forming the service ticket before the resource
>> access checks happen.
>> Now, perhaps you can rephrase your concerns/question?
>>
>> Roger
>>
>>> In a multi-domain W2k3 forest-mode model:
>>> Do you think that the KDC of a sub-domain is used less because
>>> Authenticated Users is an NT AUTHORITY group?
>>>
>>> In my situation, a top-domain user reads a file from a sub-domain file
>>> server with an Authenticated Users NTFS permission. My question is: will
>>> the sub-domain KDC service (or another service) be involved?
>>>
>>> If I use more specific NTFS permissions than Authenticated Users, what
>>> will be the impact on performance for a large number of file accesses by
>>> different users?
>>>
>>> Note: I tried to follow NTDS counters in Perfmon without success.
>>>
>>> Thanks
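The sequence Roger describes (TGT token, copied and extended into the service ticket, then compared against the NTFS grants) as an added example that is not part of the original thread: a simplified Python model of the Windows access check. All SIDs other than the well-known ones (S-1-5-11, S-1-5-7, S-1-5-32-545) are constructed for illustration, and the access mask and ACE ordering are reduced to the essentials.

```python
# Added example (not code from the thread): a miniature model of token
# building across TGT -> service ticket and the DACL check that follows.
AUTHENTICATED_USERS = "S-1-5-11"   # well-known; in every non-anonymous token
ANONYMOUS = "S-1-5-7"              # well-known; anonymous logon
READ, WRITE = 0x1, 0x2             # toy access-mask bits

def tgt_token(user_sid, account_domain_groups):
    """Token as carried in the TGT: identity plus account-domain memberships."""
    return {user_sid, AUTHENTICATED_USERS, *account_domain_groups}

def service_ticket_token(tgt_groups, resource_domain_groups, machine_local_groups):
    """At service-ticket time the TGT token is copied and extended with the
    memberships known only on the resource side. This happens before any
    NTFS grant is examined, whatever SIDs the DACL happens to reference."""
    return set(tgt_groups) | set(resource_domain_groups) | set(machine_local_groups)

def access_check(token, dacl, desired):
    """Walk ACEs in order: a deny matching a still-ungranted desired bit fails,
    allows accumulate until every desired bit is granted."""
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & desired & ~granted:
            return False
        if ace_type == "allow":
            granted |= mask
        if granted & desired == desired:
            return True
    return False

# Constructed SIDs: user in the forest root, file server in a child domain.
USER = "S-1-5-21-1000-1"                   # topdomain\user (constructed)
TOP_DOMAIN_USERS = "S-1-5-21-1000-513"     # topdomain\Domain Users (constructed)
CHILD_FILE_READERS = "S-1-5-21-2000-1101"  # child\FileReaders, domain local (constructed)
SERVER_USERS = "S-1-5-32-545"              # BUILTIN\Users on the file server

def scenario(ace_sid, anonymous=False):
    """Build the token the same way regardless of the ACE, then check READ."""
    tgt = {ANONYMOUS} if anonymous else tgt_token(USER, [TOP_DOMAIN_USERS])
    token = service_ticket_token(tgt, [CHILD_FILE_READERS], [SERVER_USERS])
    return access_check(token, [("allow", ace_sid, READ)], READ)

if __name__ == "__main__":
    # Same token-building work in both cases; only the ACE SID differs.
    print(scenario(AUTHENTICATED_USERS))                  # True
    print(scenario(TOP_DOMAIN_USERS))                     # True
    print(scenario(AUTHENTICATED_USERS, anonymous=True))  # False
```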