Failure of Win API LsaQueryTrustedDomainInfo(..) on a WinN..

Archived from groups: microsoft.public.win2000.security (More info?)

We have a trust relationship set up between domain servers Win 2003
and WinNT PDC(SP4) machine. We have verified that an NT user could log
on to a Win2k3 domain and vice-versa indicating mixed domain trust was
successfully created.

Question 1: Is this a supported configuration?

Now, we are trying to obtain trust relationship properties for the Win
NT PDC machine containing information as/similar stored in
TRUSTED_DOMAIN_INFORMATION_EX structure.

The problem is -
Win API LsaQueryTrustedDomainInfo(..) fails with "Access is denied"
error on a Windows NT machine when the IN parameter to Information
class is TrustedDomainInformationEx (even though the Trust
Relationship has been successfully created).

The Win API Call Sequence is
- LsaOpenPolicy (..) // null to systemname, POLICY_ALL_ACCESS was
granted to in parameter ACCESS_MASK
- LsaEnumerateTrustedDomains(..) // valid SIDs of one or more trusted
domains returned in out parameter Buffer
- LsaQueryTrustedDomainInfo(..) // in parameter to Information class
as TrustedDomainInformationEx

Reference -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaquerytrusteddomaininfo.asp
This link mentions support for WinNT server 3.51 and later.

Our executable was made to run as an administrative account and/or as
a local system user on WinNT PDC.

Question 2 - Is there any alternative API to obtain trust relationship
properties on a Win NT PDC machine containing information as/similar
stored in TRUSTED_DOMAIN_INFORMATION_EX structure? OR Are we doing
anything that is incorrect?

Regards,
Soumen
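As an added illustration of the call sequence in the post (this is not the poster's code and the thread does not say what their program looked like), the block below runs LsaOpenPolicy, LsaEnumerateTrustedDomains and LsaQueryTrustedDomainInfo with NTSTATUS checking, maps a failure to a Win32 error code with LsaNtStatusToWinError, falls back to the name and SID already returned by enumeration when the TrustedDomainInformationEx class is refused, and releases every LSA buffer. It opens the policy with POLICY_VIEW_LOCAL_INFORMATION rather than the POLICY_ALL_ACCESS the post mentions, since a read-only query needs no more. The TRUST_DIRECTION_*, TRUST_TYPE_* and TRUST_ATTRIBUTE_* values are the ones documented in ntsecapi.h, repeated so the decoder also compiles off Windows; the build command and the "needs review" heuristic (an enabled trust without the SID-filtering attribute) are my own assumptions, not something the thread states.

```c
/* Added example, not from the thread. Windows build (assumed):
 *   cl trustq.c advapi32.lib
 * The LSA calls are under _WIN32; the flag decoder is portable C. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#endif

#ifndef TRUST_DIRECTION_BIDIRECTIONAL
/* Documented ntsecapi.h values, repeated only for non-Windows builds. */
#define TRUST_DIRECTION_DISABLED           0
#define TRUST_DIRECTION_INBOUND            1
#define TRUST_DIRECTION_OUTBOUND           2
#define TRUST_DIRECTION_BIDIRECTIONAL      3
#define TRUST_TYPE_DOWNLEVEL               1    /* NT4-style trust */
#define TRUST_TYPE_UPLEVEL                 2    /* Active Directory trust */
#define TRUST_ATTRIBUTE_NON_TRANSITIVE     0x1
#define TRUST_ATTRIBUTE_FILTER_SIDS        0x4  /* SID filtering (quarantine) */
#endif

/* Render the three flag words of TRUSTED_DOMAIN_INFORMATION_EX as text.
 * Returns the number of characters written, excluding the terminator. */
int describe_trust(unsigned long dir, unsigned long type, unsigned long attrs,
                   char *out, size_t cap)
{
    static const char *dirs[] = { "disabled", "inbound", "outbound", "bidirectional" };
    const char *d = dir <= 3 ? dirs[dir] : "unknown";
    const char *t = type == TRUST_TYPE_DOWNLEVEL ? "downlevel" :
                    type == TRUST_TYPE_UPLEVEL   ? "uplevel"   : "other";
    return snprintf(out, cap, "direction=%s type=%s transitive=%s sidfilter=%s",
                    d, t,
                    (attrs & TRUST_ATTRIBUTE_NON_TRANSITIVE) ? "no" : "yes",
                    (attrs & TRUST_ATTRIBUTE_FILTER_SIDS)    ? "on" : "off");
}

/* Assumed review heuristic: an enabled trust that does not carry the
 * SID-filtering attribute is worth a second look. Returns 1 if so. */
int trust_needs_review(unsigned long dir, unsigned long attrs)
{
    return dir != TRUST_DIRECTION_DISABLED &&
           !(attrs & TRUST_ATTRIBUTE_FILTER_SIDS);
}

#ifdef _WIN32
/* LSA strings carry Length in bytes and are not NUL-terminated. */
static void print_lsa_string(const LSA_UNICODE_STRING *s)
{
    printf("%.*ls", (int)(s->Length / sizeof(WCHAR)), s->Buffer);
}

int main(void)
{
    LSA_OBJECT_ATTRIBUTES oa;
    LSA_HANDLE policy;
    LSA_ENUMERATION_HANDLE ctx = 0;
    NTSTATUS st;

    ZeroMemory(&oa, sizeof(oa));          /* all fields zero except Length */
    oa.Length = sizeof(oa);

    /* Read-only query: POLICY_VIEW_LOCAL_INFORMATION is enough here. */
    st = LsaOpenPolicy(NULL, &oa, POLICY_VIEW_LOCAL_INFORMATION, &policy);
    if (st != 0) {
        printf("LsaOpenPolicy failed, Win32 error %lu\n", LsaNtStatusToWinError(st));
        return 1;
    }

    for (;;) {
        PLSA_TRUST_INFORMATION list = NULL;
        ULONG count = 0, i;
        st = LsaEnumerateTrustedDomains(policy, &ctx, (PVOID *)&list, 4096, &count);
        if (st != 0)                      /* STATUS_NO_MORE_ENTRIES ends the loop */
            break;
        for (i = 0; i < count; i++) {
            PTRUSTED_DOMAIN_INFORMATION_EX ex = NULL;
            char desc[128];
            print_lsa_string(&list[i].Name);
            st = LsaQueryTrustedDomainInfo(policy, list[i].Sid,
                                           TrustedDomainInformationEx, (PVOID *)&ex);
            if (st != 0) {
                /* The failure from the thread lands here; the name and SID
                 * from enumeration are still usable. */
                printf(": query(Ex) failed, Win32 error %lu\n", LsaNtStatusToWinError(st));
                continue;
            }
            describe_trust(ex->TrustDirection, ex->TrustType, ex->TrustAttributes,
                           desc, sizeof desc);
            printf(": %s%s\n", desc,
                   trust_needs_review(ex->TrustDirection, ex->TrustAttributes)
                       ? "  <-- review" : "");
            LsaFreeMemory(ex);
        }
        LsaFreeMemory(list);
    }
    LsaClose(policy);
    return 0;
}
#endif
```

Each LsaQueryTrustedDomainInfo failure is printed with the mapped Win32 code next to the domain name, which separates a per-domain refusal (the "Access is denied" in the post) from a policy-handle problem that would already fail at LsaOpenPolicy.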
 

I am only addressing the question "Is this a supported config?"
to which I believe the answer is no. SP4 for NT was released
with some back-port of what was envisioned would be needed
for AD inter-op but this was back when it was still called Windows
NT5 instead of Windows 2000.
Have you tried with the NT domain at SP 6a?

Your issues of course may be due to other reasons, but I do
believe it is true to say that trust of W2k3 with NT4 at SP 4
is not a supported config.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Soumen Das" <soumen@gmail.com> wrote in message
news:cf62634e.0412290200.531670ab@posting.google.com...
> We have a trust relationship set up between domain servers Win 2003
> and WinNT PDC(SP4) machine. We have verified that an NT user could log
> on to a Win2k3 domain and vice-versa indicating mixed domain trust was
> successfully created.
>
> Question 1: Is this a supported configuration?
>
> Now, we are trying to obtain trust relationship properties for the Win
> NT PDC machine containing information as/similar stored in
> TRUSTED_DOMAIN_INFORMATION_EX structure.
>
> The problem is -
> Win API LsaQueryTrustedDomainInfo(..) fails with "Access is denied"
> error on a Windows NT machine when the IN parameter to Information
> class is TrustedDomainInformationEx (even though the Trust
> Relationship has been successfully created).
>
> The Win API Call Sequence is
> - LsaOpenPolicy (..) // null to systemname, POLICY_ALL_ACCESS was
> granted to in parameter ACCESS_MASK
> - LsaEnumerateTrustedDomains(..) // valid SIDs of one or more trusted
> domains returned in out parameter Buffer
> - LsaQueryTrustedDomainInfo(..) // in parameter to Information class
> as TrustedDomainInformationEx
>
> Reference -
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaquerytrusteddomaininfo.asp
> This link mentions support for WinNT server 3.51 and later.
>
> Our executable was made to run as an administrative account and/or as
> a local system user on WinNT PDC.
>
> Question 2 - Is there any alternative API to obtain trust relationship
> properties on a Win NT PDC machine containing information as/similar
> stored in TRUSTED_DOMAIN_INFORMATION_EX structure? OR Are we doing
> anything that is incorrect?
>
> Regards,
> Soumen
 

> Have you tried with the NT domain at SP 6a?

Yes, we did try with NT domain at SP 6a and are facing the exact same
issues as described earlier.

Regards,
Soumen

Roger Abell wrote:
> I am only addressing the question "Is this a supported config?"
> to which I believe the answer is no. SP4 for NT was released
> with some back-port of what was envisioned would be needed
> for AD inter-op but this was back when it was still called Windows
> NT5 instead of Windows 2000.
> Have you tried with the NT domain at SP 6a?
>
> Your issues of course may be due to other reasons, but I do
> believe it is true to say that trust of W2k3 with NT4 at SP 4
> is not a supported config.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Soumen Das" <soumen@gmail.com> wrote in message
> news:cf62634e.0412290200.531670ab@posting.google.com...
> > We have a trust relationship set up between domain servers Win 2003
> > and WinNT PDC(SP4) machine. We have verified that an NT user could log
> > on to a Win2k3 domain and vice-versa indicating mixed domain trust was
> > successfully created.
> >
> > Question 1: Is this a supported configuration?
> >
> > Now, we are trying to obtain trust relationship properties for the Win
> > NT PDC machine containing information as/similar stored in
> > TRUSTED_DOMAIN_INFORMATION_EX structure.
> >
> > The problem is -
> > Win API LsaQueryTrustedDomainInfo(..) fails with "Access is denied"
> > error on a Windows NT machine when the IN parameter to Information
> > class is TrustedDomainInformationEx (even though the Trust
> > Relationship has been successfully created).
> >
> > The Win API Call Sequence is
> > - LsaOpenPolicy (..) // null to systemname, POLICY_ALL_ACCESS was
> > granted to in parameter ACCESS_MASK
> > - LsaEnumerateTrustedDomains(..) // valid SIDs of one or more trusted
> > domains returned in out parameter Buffer
> > - LsaQueryTrustedDomainInfo(..) // in parameter to Information class
> > as TrustedDomainInformationEx
> >
> > Reference -
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaquerytrusteddomaininfo.asp
> > This link mentions support for WinNT server 3.51 and later.
> >
> > Our executable was made to run as an administrative account and/or as
> > a local system user on WinNT PDC.
> >
> > Question 2 - Is there any alternative API to obtain trust relationship
> > properties on a Win NT PDC machine containing information as/similar
> > stored in TRUSTED_DOMAIN_INFORMATION_EX structure? OR Are we doing
> > anything that is incorrect?
> >
> > Regards,
> > Soumen
 

Then I would try taking this up in the MSDN forums as
it seems either something in your calling parms, or the
implementation of the APIs

--
Roger Abell


<soumen@gmail.com> wrote in message
news:1104478725.543661.300660@c13g2000cwb.googlegroups.com...
> > Have you tried with the NT domain at SP 6a?
>
> Yes, we did try with NT domain at SP 6a and are facing the exact same
> issues as described earlier.
>
> Regards,
> Soumen
>
> Roger Abell wrote:
> > I am only addressing the question "Is this a supported config?"
> > to which I believe the answer is no. SP4 for NT was released
> > with some back-port of what was envisioned would be needed
> > for AD inter-op but this was back when it was still called Windows
> > NT5 instead of Windows 2000.
> > Have you tried with the NT domain at SP 6a?
> >
> > Your issues of course may be due to other reasons, but I do
> > believe it is true to say that trust of W2k3 with NT4 at SP 4
> > is not a supported config.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Soumen Das" <soumen@gmail.com> wrote in message
> > news:cf62634e.0412290200.531670ab@posting.google.com...
> > > We have a trust relationship set up between domain servers Win 2003
> > > and WinNT PDC(SP4) machine. We have verified that an NT user could log
> > > on to a Win2k3 domain and vice-versa indicating mixed domain trust was
> > > successfully created.
> > >
> > > Question 1: Is this a supported configuration?
> > >
> > > Now, we are trying to obtain trust relationship properties for the Win
> > > NT PDC machine containing information as/similar stored in
> > > TRUSTED_DOMAIN_INFORMATION_EX structure.
> > >
> > > The problem is -
> > > Win API LsaQueryTrustedDomainInfo(..) fails with "Access is denied"
> > > error on a Windows NT machine when the IN parameter to Information
> > > class is TrustedDomainInformationEx (even though the Trust
> > > Relationship has been successfully created).
> > >
> > > The Win API Call Sequence is
> > > - LsaOpenPolicy (..) // null to systemname, POLICY_ALL_ACCESS was
> > > granted to in parameter ACCESS_MASK
> > > - LsaEnumerateTrustedDomains(..) // valid SIDs of one or more trusted
> > > domains returned in out parameter Buffer
> > > - LsaQueryTrustedDomainInfo(..) // in parameter to Information class
> > > as TrustedDomainInformationEx
> > >
> > > Reference -
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaquerytrusteddomaininfo.asp
> > > This link mentions support for WinNT server 3.51 and later.
> > >
> > > Our executable was made to run as an administrative account and/or as
> > > a local system user on WinNT PDC.
> > >
> > > Question 2 - Is there any alternative API to obtain trust relationship
> > > properties on a Win NT PDC machine containing information as/similar
> > > stored in TRUSTED_DOMAIN_INFORMATION_EX structure? OR Are we doing
> > > anything that is incorrect?
> > >
> > > Regards,
> > > Soumen
>