Two or more trees in a forest is one way to have multiple name suffixes. An administrator can also create other name suffixes, called alternate UPN name suffixes, that can be assigned as a user's UPN suffix for logon purposes. The UPN suffix enables the user to log on with the format username@domain. By default, the user's domain is set as the UPN suffix. An administrator can create an alternate UPN suffix to enhance logon security by disassociating the domain name from the user logon name. Assigning alternate UPN suffixes can also simplify logons. If a domain name is lengthy, such as ny.america.niftytools.com, an administrator could allow users to log on with just the name user@nifty. UPN suffixes don't have to comply with domain-naming standards, so including a top-level domain in the suffix isn't necessary.

To create a UPN suffix, right-click the root node in Active Directory Domains and Trusts and click Properties. The UPN Suffixes dialog box opens, where you can enter a new UPN suffix and click Add.
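The same task done with the ActiveDirectory PowerShell module, as an added example that is not part of the textbook: it registers the alternate suffix forest-wide, assigns it to one user, and then reports any user whose UPN suffix is neither a forest domain nor a registered alternate suffix (such users cannot log on by UPN). The forest name niftytools.com, the suffix "nifty" and the sample user "user" are taken from the paragraph above; running it as a user who can modify the forest's Partitions container is assumed.

```powershell
# Added example (not from the textbook): manage alternate UPN suffixes with the
# ActiveDirectory module. Assumes the book's names: forest niftytools.com,
# alternate suffix "nifty", sample user "user".
Import-Module ActiveDirectory

$forest    = Get-ADForest
$newSuffix = "nifty"   # an alternate suffix need not be a routable DNS name

# Register the suffix forest-wide (stored on the Partitions container), once.
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $newSuffix}
}

# Assign it to one user: the logon name becomes user@nifty instead of
# user@ny.america.niftytools.com.
$user = Get-ADUser -Identity "user"
Set-ADUser -Identity $user -UserPrincipalName "$($user.SamAccountName)@$newSuffix"

# Verify that the suffix is registered and the user's UPN uses it.
(Get-ADForest).UPNSuffixes
Get-ADUser -Identity "user" -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# Hygiene check: every UPN suffix in use must be either a domain in the forest
# or a registered alternate suffix; anything else is a stale or mistyped UPN.
$forest  = Get-ADForest
$allowed = @($forest.Domains) + @($forest.UPNSuffixes)
Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName |
    Where-Object { $allowed -notcontains ($_.UserPrincipalName -split '@')[1] } |
    Select-Object SamAccountName, UserPrincipalName
```

Set-ADForest with the @{Add=...} hashtable appends to the existing suffix list; using @{Replace=...} would silently drop every other alternate suffix and break logons for users already assigned one, so the Add form is the right one for this change.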
The Authentication Tab
The Authentication tab has the same options as the Outgoing Trust Authentication Level window shown previously in Figure 10-13: forest-wide or selective authentication. As discussed, forest-wide authentication is recommended for forest trusts when both forests belong to the same organization. Selective authentication, recommended for forests in different organizations, enables you to specify users who can authenticate to selected resources in the trusting forest. After choosing selective authentication, you add users and groups from the trusted forest to the DACL of computer accounts in the trusting forest and assign the “Allowed to authenticate” permission to these computer accounts. When selective authentication is enabled, by default, users from the trusted forest can't authenticate to the trusting forest. If users try to authenticate to a computer in the trusting domain and haven't been granted authentication permission, they get an error message similar to Figure 10-16.

Figure 10-16 Selective authentication error message
Activity 10-10: Configuring Selective Authentication

Time Required: 10 minutes

Objective: Configure selective authentication.

Description: Configure selective authentication and try to access resources in the w2k8adXX.com domain from the w2k8ad1XX.com domain. Then add the Administrator account from w2k8ad1XX.com to the DACL of serverXX.w2k8adXX.com with the Allowed to authenticate permission.

1. Log on to ServerXX as Administrator, and open Active Directory Domains and Trusts.
2. Right-click w2k8adXX.com and click Properties. Click the Trusts tab.
3. Click w2k8ad1XX.com in the top list box and click the Properties button. Review the options in the General tab, and then click the Name Suffix Routing tab to review the available options.
4. Click the Authentication tab, click the Selective authentication option button, and then click OK twice.
5. Log on to Server1XX as Administrator with Password02.
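The DACL change that the Authentication tab discussion and this activity describe (granting "Allowed to authenticate" on a computer account to a principal from the trusted forest), done from PowerShell on a machine in the trusting forest, as an added example that is not part of the textbook. It first confirms the trust really is in selective mode, looks up the rights GUID of the "Allowed to Authenticate" control access right from the schema instead of hard-coding it, adds the ACE to serverXX's computer object, and finally audits which computers grant that right to whom, which is the list a defender wants to review after any trust change. The forest names, computer name and the trusted-forest Administrator account come from the activity; running as a user with permission to modify the computer object's DACL is assumed.

```powershell
# Added example (not from the textbook): grant and audit the "Allowed to
# Authenticate" extended right used by selective authentication.
# Assumed lab names from Activity 10-10 (replace XX with your lab number):
#   trusting forest w2k8adXX.com, trusted forest w2k8ad1XX.com, computer serverXX.
# Run on a member of the trusting forest so the AD: drive points at it.
Import-Module ActiveDirectory

$trustingDomain = "w2k8adXX.com"    # forest whose resources are protected
$trustedDomain  = "w2k8ad1XX.com"   # forest whose users are granted access
$computerName   = "serverXX"        # computer account that receives the right
$principal      = New-Object System.Security.Principal.NTAccount("W2K8AD1XX", "Administrator")

# 1. Confirm the trust uses selective authentication. On a forest-wide trust
#    the ACE below has no effect, so the check avoids a false sense of restriction.
$trust = Get-ADTrust -Identity $trustedDomain -Server $trustingDomain
if (-not $trust.SelectiveAuthentication) {
    throw "Trust to $trustedDomain is not set to selective authentication."
}

# 2. Resolve the rightsGuid of the "Allowed to Authenticate" control access
#    right from the Extended-Rights container in the configuration partition.
$configNC = (Get-ADRootDSE -Server $trustingDomain).configurationNamingContext
$right = Get-ADObject -Server $trustingDomain `
    -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(displayName=Allowed to Authenticate)" `
    -Properties rightsGuid
$rightGuid = [Guid]$right.rightsGuid

# 3. Add an Allow ACE for that extended right to the computer account's DACL.
$computer = Get-ADComputer -Identity $computerName -Server $trustingDomain
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# 4. Audit: every computer in the trusting domain that grants "Allowed to
#    Authenticate", and to whom. Review this list after any trust change so the
#    selective-authentication allow-list stays as small as intended.
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
Get-ADComputer -Filter * -Server $trustingDomain | ForEach-Object {
    $comp = $_
    (Get-Acl -Path "AD:\$($comp.DistinguishedName)").Access |
        Where-Object {
            $_.ObjectType -eq $rightGuid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extendedRight)
        } |
        ForEach-Object {
            [PSCustomObject]@{ Computer = $comp.Name; GrantedTo = $_.IdentityReference.Value }
        }
}
```

The audit filters on ObjectType equal to the Allowed-to-Authenticate GUID; an ACE that grants ExtendedRight with an empty ObjectType (all extended rights) or GenericAll would also permit authentication, so a complete review should flag those broader grants on computer objects as well.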