Hi together, just a small update on my further tests, as soon as you
have set up a BI-directional trust between the bastion and the resource
forest and additionally granted the users the "allow2authenticate" right
on the computer objects in the target forest (also necessary if
forest-wide authentica...
Hi @henrymoehsel, Kerberos Authentication Policies do not work for
cross-forest logon. This means you can't get a TGT if you log on to a
computer joined to a foreign forest. But you can access a computer in the
foreign forest with any connection that doesn't request an interactive
logon, e.g. WinRM or P...
Hi @Simone_Oor, for these permissions and applications, where the usage
of Shadow Principals is possible, I use SPs. That's the most Hello
@Simone_Oor, I use SPs for these authorizations and applications where
the usage of shadow principals is possible. In the target scenario, the
corresponding SPs ar...
@henrymoehsel Do you use ESAE users into resource domain Domain Local
Group nesting, or do you work with Shadow Principals? (I have a bastion
forest set up that may allow me some testing next week)
Hi - Thank you for all the information in this article. I have a strange
behavior that I can't explain. I have adjusted the attribute on computer
objects from 31 to 28 to remove DES support. On one computer object, the
attribute is automatically changed back from 28 to 31. There is no GPO
set and no...
Latest Comments