How to access source domain from ARS

Hi,

I have recently added a source domain in the ARS by configuring the service account. Is there a way I can start managing that domain from the ARS console? Because currently I can only view the source domain...

  • Just a note: ARS is a per-domain app and can manage untrusted domains.

    #1. Ports. No trust between the ARS Admin Service Windows Server and the target managed domain is needed, given the required ports are open between the server and the untrusted domain (see documentation appendix).

    #2. Target Managed Domain\svc-ars-proxy (AD\Domain Admins) overwrite account to be set inside ARS. (I recommend having a svc-ars-proxy for each domain, from that domain.)

    #3. Delegation. ARS uses the login user's token (SID) to identify and grant delegated granular roles (via Access Template) to the "HelpDesk" user. Therefore ARS acts as a network resource (file server), asking the DC to verify and authenticate the bound user identity and grant a Kerberos ticket for this session to access the network resource (itself).

    #4. #3 dictates which groups to use to grant access to the target domain AD02 from AD01\ARServer. For example, AD01\HelpDesk_AD02_group (member AD01\HelpDesk_user_AD02) accesses AD01\ARServer to manage the target untrusted AD02 managed domain (with AD02\svc-ars-proxy set).
