AD Cross-forest authentication - groups missing from PAC

Turns out that the shortcut trust was causing the problem.

When AD Kerberos authentication travels across domains, the target realm (i.e. dmzRoot.tld) identifies a trust relationship through which the user's originating realm (e.g. childA.ForestRoot.tld) is a trusted domain.

Since both the transitive forest trust towards ForestRoot.tld and the external trust (shortcut trust) towards childA match that condition, the target realm has to choose one, and the shortcut trust takes precedence (because it is explicit) over the implicit trust relationship in the forest trust.

Since SID filter quarantining is enabled on outgoing trusts by default, only SIDs from the trusted realm (in this case, the childA domain) will be honoured upon authentication; foreign SIDs will be filtered out.

In conclusion there are two solutions to this:

  • Remove the external trust and rely on the forest trust. Since the forest trust is transitive, all SIDs from within the entire forest will remain in your token.
  • Disable SID filter quarantining on the outgoing trust from the dmzRoot.tld domain.

Hope that made sense
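Commands to inspect the trusts on dmzRoot.tld and to apply either of the two fixes, as an added example rather than the poster's own commands. It assumes the post's hypothetical domain names (dmzRoot.tld, ForestRoot.tld, childA.ForestRoot.tld), the ActiveDirectory PowerShell module (RSAT or a domain controller of dmzRoot.tld), and placeholder credentials; the netdom syntax is the standard one.

```powershell
# Added example, not from the original post. Domain names follow the post's
# hypothetical setup; 'childA\admin' is a placeholder account.
# Run as a Domain Admin of dmzRoot.tld.

$trustingDomain = 'dmzRoot.tld'                 # realm that owns the resource
$externalTrust  = 'childA.ForestRoot.tld'       # the direct (external) trust
$forestTrust    = 'ForestRoot.tld'              # the transitive forest trust

# 1. Show every trust dmzRoot.tld has, with its SID filtering settings.
#    The pattern from the post is two outgoing trusts that both reach childA:
#    one forest-transitive trust to ForestRoot.tld and one non-transitive
#    external trust straight to childA, with SIDFilteringQuarantined = True.
Get-ADTrust -Filter * -Server $trustingDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringForestAware, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 2. Confirm the quarantine state of the external trust with netdom.
#    /Quarantine with no value only displays the current setting.
netdom trust $trustingDomain /Domain:$externalTrust /Quarantine

# 3a. Fix 1 from the post: remove the external trust so that the forest
#     trust is the only path. Run on dmzRoot.tld; the /UserD credentials
#     remove the reciprocal side in childA as well.
# netdom trust $trustingDomain /Domain:$externalTrust /Remove /UserD:childA\admin /PasswordD:*

# 3b. Fix 2 from the post: keep the external trust but turn quarantining off.
#     Caveat: this also stops dmzRoot.tld from filtering SIDs that childA
#     injects via SIDHistory, so only do it if childA is fully trusted.
# netdom trust $trustingDomain /Domain:$externalTrust /Quarantine:No

# 4. Verify from a session on a dmzRoot.tld resource: after the fix, groups
#    from elsewhere in the ForestRoot.tld forest should appear in the token.
whoami /groups
```

With the external trust gone, the forest trust to ForestRoot.tld is the only match for childA users, and because it is transitive their group SIDs from the whole forest survive; with the second fix the external trust still wins, but SIDs outside childA are no longer dropped, at the cost of the SIDHistory filtering that quarantine provides.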