[MS-PAC] contains group membership from trusted domains

  • Question

  • Hi

    We have an application which validates each of the SIDs in the group membership from the PAC. There is a customer situation where this is failing, since the group SID is from a trusted domain which is offline. I am unable to reproduce this in our lab and the customer is not cooperating.

    Our user from the primary domain can be part of a trusted domain's 'domain local group', but that group membership won't show up in the PAC information.

    Is this expected? My guess is yes, since domain local groups have domain-only scope.

    In which cases can the PAC contain group SIDs from other trusted domains as well?


    Wednesday, December 27, 2017 9:16 AM

Answers

  • As it turns out, after some email exchanges between the MS team and myself: say there are 2 domains A and B, and domain A trusts domain B, that is, dom A --> dom B is the trust direction. The trust is either an external or a forest trust.

    And your resource is joined to domain A. There are 2 scenarios to consider:

    1) User from dom B accesses:

    This user will bring in its global SID from domain B in the PAC.

    2) User from dom A accesses:

    This user will have only its own domain SIDs in the PAC. Its domain local group membership in domain B, if any, won't be reflected in the PAC.

    However, if there are groups migrated from dom B to dom A and the user is now part of this domain, those sidHistory SIDs will appear in the PAC, which might look like dom B memberships are in the PAC, which is not the case.

    • Marked as answer by vmittal Sunday, January 21, 2018 8:30 AM
    Sunday, January 21, 2018 8:30 AM
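The two scenarios above map onto two different fields of the PAC's KERB_VALIDATION_INFO: own-domain memberships travel as RIDs relative to LogonDomainId (GroupIds), while SIDs from other domains, including sidHistory entries, travel as full SIDs in ExtraSids. The following added example (not code from the thread or from Microsoft) sorts a PAC's group SIDs into buckets so that a validator can tell an own-domain group from a trusted-domain SID whose home domain is currently unreachable, instead of failing the whole PAC as in the original question; the domain SIDs, RIDs and the reachability sets are constructed inputs.

```python
from dataclasses import dataclass, field

@dataclass
class PacLogonInfo:
    """Subset of KERB_VALIDATION_INFO as modelled by this example."""
    logon_domain_sid: str                            # LogonDomainId, e.g. S-1-5-21-x-y-z
    group_rids: list = field(default_factory=list)   # GroupIds: RIDs relative to LogonDomainId
    extra_sids: list = field(default_factory=list)   # ExtraSids: full SIDs (other domains, sidHistory)

def domain_of(sid: str) -> str:
    """Strip the RID: 'S-1-5-21-1-2-3-1105' -> 'S-1-5-21-1-2-3'."""
    return sid.rsplit("-", 1)[0]

def classify_pac_groups(info, trusted_domains, reachable_domains):
    """Bucket every group SID so the caller can apply policy per bucket.

    trusted_domains:   domain SIDs the resource domain trusts (constructed input)
    reachable_domains: the subset of those that currently answer lookups (constructed)
    """
    buckets = {"own": [], "trusted": [], "trusted_unreachable": [], "unknown": []}
    # Scenario 2: own-domain memberships are RIDs; no cross-domain lookup is needed.
    for rid in info.group_rids:
        buckets["own"].append(f"{info.logon_domain_sid}-{rid}")
    # Scenario 1 and the sidHistory pitfall: full SIDs whose prefix is another domain.
    for sid in info.extra_sids:
        dom = domain_of(sid)
        if dom == info.logon_domain_sid:
            buckets["own"].append(sid)
        elif dom not in trusted_domains:
            buckets["unknown"].append(sid)                # no trust relationship: treat as untrusted
        elif dom in reachable_domains:
            buckets["trusted"].append(sid)                # can be resolved against its home domain now
        else:
            buckets["trusted_unreachable"].append(sid)    # defer resolution; don't reject the PAC outright
    return buckets

DOM_A = "S-1-5-21-1111-2222-3333"   # constructed: resource/logon domain
DOM_B = "S-1-5-21-4444-5555-6666"   # constructed: trusted domain that is offline right now

def demo():
    # Constructed PAC for a dom A user whose groups were migrated from dom B (sidHistory),
    # plus one SID from a domain that is not a trust partner at all.
    pac = PacLogonInfo(DOM_A, [513, 1105], [f"{DOM_B}-1201", "S-1-5-21-7777-8888-9999-500"])
    return classify_pac_groups(pac, {DOM_B}, set())

if __name__ == "__main__":
    for bucket, sids in demo().items():
        print(f"{bucket}: {sids}")
```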

All replies

  • Hi luvshines, 

    Thank you for your question. I've alerted the team and one of the Open Specifications engineers will respond shortly to assist you. 

    Best regards,
    Tom Jebo
    Sr Escalation Engineer
    Microsoft Open Specifications

    Wednesday, December 27, 2017 3:52 PM
    Moderator
  • Hello luvshines, I will be helping you with your issue. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Thursday, December 28, 2017 1:07 AM
    Moderator
  • Thanks for looking into this.

    Much appreciated

    Thursday, December 28, 2017 6:49 AM
  • Hello luvshines, we need to gather some information about the application and environment. Such discussions are best suited for offline conversation. Would you be able to contact me by sending an email to dochelp at microsoft dot com?

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Thursday, January 4, 2018 2:05 AM
    Moderator
  • Sure, what information would you need?
    Friday, January 5, 2018 8:21 AM
  • Hello luvshines, please contact me via email: dochelp at microsoft dot com

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Friday, January 5, 2018 3:44 PM
    Moderator