Q: When administrators set up trust relationships between forests in a Windows Server 2003 environment, they can enable a feature that Microsoft refers to as selective authentication. What is this feature and how can administrators use it to fine-tune interforest security traffic?
A: When you enable the selective authentication feature of a forest trust relationship, users accessing cross-forest resources from one forest cannot authenticate to a domain controller or resource server (e.g., file server, print server) in the other forest unless they are explicitly allowed to do so. Selective authentication is available for both forest and external trust relationships if both forests are at the highest Windows Server 2003 functional level. This highest functional level, which is also Windows Server 2003's native functional level, requires that all domain controllers run Windows Server 2003.
Microsoft added selective authentication in Windows Server 2003 to allow a more granular cross-forest trust definition. In beta versions of Windows Server 2003, Microsoft referred to selective authentication as the authentication firewall. When selective authentication isn't enabled, in terms of access control, all users from the foreign forest become almost perfect peers of the local forest users. This situation exists because foreign forest users are added to the Authenticated Users group of the local forest when they cross the trust. Even though foreign forest users also become members of the Authenticated Users group when you enable the selective authentication option, those users can authenticate to the local forest only after they pass an additional access-control check. Selective authentication is always configured on the outgoing side of a cross-forest trust relationship.
You can enable a forest trust relationship's selective authentication function from the Trust Wizard or from the properties of the trust relationship. To enable the function from the trust property sheet, select the Authentication tab and select Allow authentication only for selected resources in the local forest (as Figure 1 illustrates). When you try to access a resource in a foreign forest for which selective authentication has been enabled from a machine in the local forest, you'll see the error Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
To enable users to authenticate to domain controllers in forests for which the selective authentication option is enabled, the forest administrator must change the access control settings of the Active Directory (AD) domain controller objects. To change the settings, use the Microsoft Management Console (MMC) Active Directory Users and Computer snap-in, access the appropriate domain controllers' properties, and give the user the Allowed to Authenticate permission (as Figure 2 illustrates). For example, if users need to access resources on a file server in a forest for which the selective authentication option is enabled, change the access control settings of the file server's machine account.
The additional access control check for the Allowed to Authenticate permission is triggered by a special security identity that is added to a user's access token when the user attempts to access a resource under a forest trust for which the selective authentication option is enabled. This SID is called Other Organization and has the value S-1-5-1000. You can easily check for the SID's presence in a user's access token by using the Whoami command-line tool and the /groups switch.