Overview
There are two domains: domainA and domainB. I am seeking to set up the configuration so that a web server in domainB can leverage an AD service account in the other domain, domainA.
In the environment where domainB is located, I have a web server that needs to reach back to domainA to be able to query all of the users. The owners of the domainA account created a service account user that allows domainB to query the user base. We have established that the account works when testing directly from the domainB controller to the domainA controller. When we try to run an ldapsearch from the web server using the service account user, we run into some issues:
[ec2-user@hostname ~]$ ldapsearch -x -LLL -h $domainB_ipAddress -D $service_account_username -w $ad_pwd -b "OU=xxxxx,DC=xxxxx,DC=xxxxx,DC=xxxxx"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
Note: This user is successfully authenticated from the domainB AD controller to the domainA AD controller using an ldp.exe bind, so I believe the credentials are OK.
Our Current Approach
Based on the feedback I have received from my team, we should be making the request for the service account from the domainB web server to the domainB controller, which will then forward this information on to the trusted domainA controller and return the desired information to the domainB web server.
I'm a little confused about how this forwarding is supposed to occur, but we have a requirement that we cannot reach directly into the domainA controller from any non-AD server from domainB.
Requested Feedback
- Is it correct to assume that any request should be forwarded from the domainB controller to the domainA controller? If so, what needs to be in place for that to happen?
- If requests cannot be forwarded, what would we need to do to get users from the trusted domainA into the domainB controller, so that the service account could reference them there?
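As an added example (not part of the original post), the following Python helper parses the `ldap_bind` failure quoted in the question, maps Active Directory's `data` sub-code to its documented meaning, lists the domain-qualified bind-name forms a DC needs in order to route an authentication across a trust, and checks whether a search base actually belongs to the domain being queried. The domain names, account name and DN in it are constructed placeholders, not values from the post.

```python
"""Diagnose an AD simple-bind failure before concluding the password is wrong.

Added example; not code from the original question. All domain names,
account names and DNs below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sub-codes AD reports as "AcceptSecurityContext error, data NNN" (documented
# Windows logon-failure reasons; 52e is the one in the question).
AD_BIND_DATA_CODES = {
    "525": "user not found (bind name did not resolve to an account)",
    "52e": "invalid credentials (wrong password, or a bind-name form the DC cannot resolve)",
    "530": "logon not permitted at this time (logon-hours restriction)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_BIND_LINE = re.compile(r"ldap_bind: (?P<text>[^(]+?)\s*\((?P<rc>\d+)\)")
_DATA_CODE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")


@dataclass
class BindDiagnosis:
    result_code: int          # LDAP result code, e.g. 49 = invalidCredentials
    data_code: Optional[str]  # AD sub-code from the "additional info" line
    meaning: str


def diagnose_bind_error(ldapsearch_output: str) -> BindDiagnosis:
    """Parse the two lines ldapsearch prints when an AD simple bind fails."""
    m = _BIND_LINE.search(ldapsearch_output)
    if not m:
        raise ValueError("no 'ldap_bind:' failure line found in output")
    rc = int(m.group("rc"))
    d = _DATA_CODE.search(ldapsearch_output)
    data = d.group("data").lower() if d else None
    if data is None:
        meaning = "no AD sub-code present (not an AD AcceptSecurityContext error)"
    else:
        meaning = AD_BIND_DATA_CODES.get(data, "unrecognised AD sub-code")
    return BindDiagnosis(rc, data, meaning)


def candidate_bind_names(sam_account: str, netbios_domain: str,
                         dns_domain: str, user_dn: Optional[str] = None) -> List[str]:
    """Bind identities that carry the account's domain.

    A bare sAMAccountName gives the DC no domain to route to, so for an account
    that lives in a trusted domain the UPN or NetBIOS\\sam form (or the full DN)
    is what should be passed to ldapsearch -D.
    """
    names = [f"{sam_account}@{dns_domain}", f"{netbios_domain}\\{sam_account}"]
    if user_dn:
        names.append(user_dn)
    return names


def dns_domain_from_dn(dn: str) -> str:
    """Derive the DNS domain from the DC= components of a DN."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def search_base_matches_host_domain(base_dn: str, host_dns_domain: str) -> bool:
    """A DC only answers searches for naming contexts it hosts; a base under
    the other domain's DC= components will not return that domain's users."""
    return dns_domain_from_dn(base_dn) == host_dns_domain.lower()


# Constructed sample of the failure shown in the question.
SAMPLE_OUTPUT = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C09042A, comment: "
    "AcceptSecurityContext error, data 52e, v3839\n"
)

if __name__ == "__main__":
    diag = diagnose_bind_error(SAMPLE_OUTPUT)
    print(f"result {diag.result_code}, data {diag.data_code}: {diag.meaning}")
    for name in candidate_bind_names("svc_ldap", "DOMAINA", "domaina.example"):
        print("try -D", name)
    base = "OU=Users,DC=domaina,DC=example"
    print("base belongs to queried DC's domain:",
          search_base_matches_host_domain(base, "domainb.example"))
```

Run the file to see the diagnosis for the quoted error and the bind-name forms to retry; the search-base check is the second thing to confirm, since a base under domainA's naming context sent to a domainB controller will not return domainA users even once the bind succeeds.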