AD Cross-forest authentication - groups missing from PAC
Turns out that the Shortcut trusts was causing the problem.
When AD Kerberos authentication travels across domains, the target realm (ie. dmzRoot.tld
) identifies a trust relationship through which the users originating realm (eg. childA.ForestRoot.tld
) is a trusted domain.
Since both the transitive forest trust towards ForestRoot.tld
and the external trust (shortcut trust) towards childA
matches that condition, the target realm has to choose one, and the the shortcut trust takes precedence (because it is explicit) over the implicit trust relationship in the forest trust.
Since SID filter quarantining is enabled on outgoing trusts by default, only SID's from the trusted realm (in this case, the childA
domain) will be honoured upon authentication, foreign SID's will be filtered out.
In conclusion there are two solutions to this:
- Remove the External Trusts, and rely on the Forest trust. Since the forest trust is transitive, all SID's from within the entire forest will remain in your token.
-
Disable SID Filter Quarantining on the outgoing trust from the
dmzRoot.tld
domain
Hope that made sense