Specifically, an application that calls the LsaLogonUser API with a Kerberos S4U client request to authenticate a user in a trusted forest may fail when both of the following conditions are true:
- The ClientUPN value that's provided to LsaLogonUser represents a user in a trusted forest where selective authentication is enabled on the trust.
- The ClientRealm value that's provided to LsaLogonUser is in the form of a NetBIOS name (flat name), not a fully qualified domain name (FQDN).
If the ClientRealm value is passed as a flat name, the Kerberos client does not use the referral ticket that it received during the referral process. Instead, the client requests a service ticket for the Krbtgt account in the user's domain.
When selective authentication is enabled, the domain controller in the user's domain checks the "Allowed to Authenticate" permission on the Krbtgt account to determine whether the identity of the caller that makes the ticket request has access.
Note: The caller that makes the service ticket request has the identity that the thread calling LsaLogonUser was impersonating at the time of the call.
If the caller's identity does not hold the "Allowed to Authenticate" permission, the domain controller in the user's domain returns a KDC_ERR_POLICY error with the extended error STATUS_AUTHENTICATION_FIREWALL_FAILED (0xC0000413).
Method 1: Remove selective authentication from the trust
When the trust is switched from selective authentication to forest-wide authentication, the domain controller in the target resource domain ignores the "Allowed to Authenticate" permission on the account. Because this lets every user in the trusted forest authenticate to every computer in the trusting forest, this behavior may not be desirable in a secure environment.
Method 2: Add the caller's identity to the "Allowed to Authenticate" permission on the Krbtgt account in the target user's domain
Because the Krbtgt account is a protected account, the SDProp process periodically (by default every 60 minutes) overwrites its security descriptor with the one on the AdminSDHolder object. A permission that is added only to the Krbtgt account is therefore lost at the next SDProp run. You must add the "Allowed to Authenticate" permission for the caller's identity to the AdminSDHolder object, and can then add it directly to the Krbtgt account so that it takes effect immediately. Note that permissions on AdminSDHolder are applied to every protected account and group in the domain, not only to Krbtgt. To do this, follow these steps:
- Open a command prompt on a domain controller in the target user's domain.
- Run the following command to add the "Allowed to Authenticate" permission to the AdminSDHolder object:
  dsacls "CN=AdminSDHolder,CN=System,DC=ForestB,DC=com" /G DomainA\callers-identity:CA;"Allowed to Authenticate"
  Notes
  - DC=ForestB,DC=com is the distinguished name of the target user's forest.
  - DomainA is the name of the domain where the identity of the account that calls LsaLogonUser is located.
  - callers-identity is the account name of the identity under which the LsaLogonUser call is made.
- Run the following command to verify that the "Allowed to Authenticate" permission is present on the AdminSDHolder object:
  dsacls "CN=AdminSDHolder,CN=System,DC=ForestB,DC=com"
- Run dsa.msc against the target user's domain, and then locate the Krbtgt account (enable View > Advanced Features if the Security tab is not shown).
- Open the properties of the Krbtgt account, and then click the Security tab.
- Add the "Allowed to Authenticate" permission for the account under which the LsaLogonUser call is made.
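The following PowerShell script is an added example that is not part of this article; it performs the whole Method 2 procedure in one place (grant on AdminSDHolder so that SDProp keeps the right, grant on Krbtgt so that it takes effect immediately, then verify) using the RSAT ActiveDirectory module instead of dsacls and dsa.msc. It assumes that the script runs with domain-admin rights in the target user's forest, and the caller identity DomainA\svc-logon is a hypothetical placeholder; ForestB.com is the user's forest from the dsacls example above. The "Allowed to Authenticate" rightsGuid is read from the schema's Extended-Rights container rather than hard-coded.

```powershell
# Added example, not from the KB article. Grants "Allowed to Authenticate" to the
# identity under which LsaLogonUser is called, in the trusted (user) forest.
Import-Module ActiveDirectory

$CallerIdentity = 'DomainA\svc-logon'   # hypothetical: the impersonated caller of LsaLogonUser
$UserDomain     = 'ForestB.com'         # the target user's domain (selective authentication trust)

$domain  = Get-ADDomain  -Server $UserDomain
$rootDse = Get-ADRootDSE -Server $UserDomain

# Look up the control access right by display name instead of hard-coding its GUID.
$right = Get-ADObject -Server $UserDomain `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
if (-not $right) { throw 'Extended right "Allowed to Authenticate" not found in schema' }
$rightGuid = [guid]$right.rightsGuid

# Resolve the caller (may live in the other forest; translation works across the trust).
$callerSid = (New-Object System.Security.Principal.NTAccount($CallerIdentity)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# One ACE: Allow <caller> ExtendedRight <Allowed to Authenticate> on the object itself.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $callerSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)

# AdminSDHolder is the template SDProp copies to protected accounts; Krbtgt is patched
# directly as well so the fix does not wait for the next SDProp run.
$targets = @(
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",
    "CN=krbtgt,CN=Users,$($domain.DistinguishedName)"
)

function Test-AllowedToAuthenticate {
    param([string]$Dn)
    $sd = (Get-ADObject -Server $UserDomain -Identity $Dn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $match = $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $rightGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $callerSid
    }
    return [bool]$match
}

foreach ($dn in $targets) {
    if (Test-AllowedToAuthenticate -Dn $dn) {
        Write-Host "Already present on $dn"
        continue
    }
    $sd = (Get-ADObject -Server $UserDomain -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $sd.AddAccessRule($ace)
    Set-ADObject -Server $UserDomain -Identity $dn -Replace @{ nTSecurityDescriptor = $sd }

    # Re-read and verify, equivalent to running dsacls on the object.
    if (Test-AllowedToAuthenticate -Dn $dn) {
        Write-Host "Granted 'Allowed to Authenticate' for $CallerIdentity on $dn"
    } else {
        Write-Error "Permission not found after write on $dn"
    }
}
```

After the script has run, an LsaLogonUser S4U request made under DomainA\svc-logon with a flat-name ClientRealm should no longer fail with KDC_ERR_POLICY / STATUS_AUTHENTICATION_FIREWALL_FAILED. Because the ACE on AdminSDHolder is copied to every protected account, grant it to a dedicated service identity rather than a broad group.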
Article ID: 2959395 - Last Review: 15 Apr 2014 - Revision: 1