Access token-related query

Hello Support Representatives,

I have a general query regarding access tokens. I hope you guys will answer and explain it.

So during migration, servers (containing resources) have been migrated from the source domain to the target domain. Source domain local groups are appended to the resource DACL. These source domain local groups have been migrated to the target domain without SIDHistory, and during migration the group scope was changed to "Global". These migrated global groups are nested inside the source domain local groups.

If target domain users are members of the migrated global group and the target users log in to a target domain-joined workstation, then what SIDs will be included in the access token? Will the access token include both the SID of the migrated target group and the SIDs of the source domain local groups?

Please clarify: does a user's access token contain the SIDs of recursively nested groups that are in another domain and whose scope does not match the user's direct group, as in the above example?

Another scenario: this time the servers (containing resources) are in the source domain only. Source domain local groups are appended to the resource DACL. These source domain local groups have been migrated to the target domain without SIDHistory, and during migration the group scope was changed to "Global". These migrated global groups are nested inside the source domain local groups. If both source and target domain users are members of the migrated global group, and target users log in to a target domain-joined workstation while source users log in to a source domain-joined workstation, then what SIDs will be included in the access token? I guess target users will not be able to access the resource, as his token will not include the source domain local group because he logged in via a target domain-joined workstation. But what about a source user logging in to a source domain-joined workstation: will his access token include both the SID of the migrated target group and the SIDs of the source domain local groups?

Please clarify: does a user's access token contain the SIDs of recursively nested groups that are in another domain and whose scope does not match the user's direct group, as in the above example?

Please answer and explain both scenarios.

Top Replies

  • Thank you so much for the explanation. I don't have any queries, but I just need you to validate my understanding on the points mentioned below.

    Looking forward to your prompt reply.

    As I understand it,

    When a user logs on to a Windows domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:

    • User SID.
    • SIDs of all global and universal security groups that the user is a member of.
    • SIDs of all nested global and universal security groups.

    As you said, the access token contains universal (forest) groups. These universal groups can belong to any domain in the forest, irrespective of the logged-on user's domain. Please confirm.

    Every process executed on behalf of this user has a copy of this access token.

    When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:

    • SIDs for all domain local groups in the remote server's domain that the user is a member of.
    • SIDs for all machine local groups on the remote server that the user is a member of.

    The service uses this new access token to evaluate access to the resource. If a SID in the access token appears in any ACEs in the DACL, the service gives the user the permissions specified in those ACEs.

    Scenario:

    There are 2 forests, Forest A and Forest B. There is a two-way forest trust relationship between these forests. The resource is in Forest B. There is a universal group named UG-A created in Forest A. User-A is a member of UG-A. This universal group UG-A is applied in the Forest B resource ACL. So if User-A in Forest A tries to access the resource in Forest B, then his access token contains the SID of the universal group (UG-A), which will cross the trust boundary and be used to evaluate access to the resource. So in this case, access is granted.

    So it means all SIDs (SIDs included in the access token generated after logon to the workstation + SIDs included in the new access token generated by the server) will be compared against any ACEs in the resource ACL while accessing a resource on a remote server (whether or not the remote server belongs to the same domain, a different domain, the same forest or a different forest). Please confirm.

  • I understand this is making it harder to understand. Sorry for the inconvenience. But I request you to please confirm and validate my understanding on the points mentioned above one last time. I assure you that I'll not continue further on this then. I don't want to bother you again on this.

    Thanks for your understanding.

  • When a user logs on to a Windows domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:

    • User SID.
    • SIDs of all global and universal security groups that the user is a member of.
    • SIDs of all nested global and universal security groups. (This is redundant to the point above; users are members of groups either explicitly (directly) or implicitly (indirectly, through nesting).)

    As you said, the access token contains universal (forest) groups. These universal groups can belong to any domain in the forest, irrespective of the logged-on user's domain. Please confirm.

    NOTE: The forest-wide security groups only apply in an intra-forest logon. In an inter-forest logon with an external trust, only the universal groups from within the trusted domain are included.

    In this question you omitted to say where the user logon was happening. If that is the workstation logon, the workstation local groups are also included, as I explained above. If it is a member server, the member server local groups are included. Additionally, you omitted the domain local groups that the server/workstation is a member of.

    Every process executed on behalf of this user has a copy of this access token.

    Not really. The remote host uses the SIDs of the token to create its own "impersonation" token. This was explained in my prior reply.

    When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:

    • SIDs for all domain local groups in the remote server's domain that the user is a member of.
    • SIDs for all machine local groups on the remote server that the user is a member of.

    No, the new impersonation token will be created and will only include the following:

    • Domain User
    • Server's Local Groups
    • Server's Domain Local Groups
    • Authenticating Domain Global Groups and Forest Universal Groups (See NOTE ABOVE)

    Scenario:

    • There are 2 forests. Forest A and Forest B.
    • There is 2 way forest trust relationship between these forests.
    • Resource is in Forest B.
    • There is Universal Group named UG-A created in Forest A.
    • User-A is member of UG-A.
    • This universal group UG-A is applied in the Forest B resource ACL. (This is contrary to the MS resource access control best practice AGUDLP; see https://en.wikipedia.org/wiki/AGDLP)

    So if User-A in Forest A tries to access the resource in Forest B, then his access token contains the SID of the universal group (UG-A), which will cross the trust boundary and be used to evaluate access to the resource. So in this case, access is granted.

    You took a long way to get there, but yes, the UG-A granted the access.

    So it means all SIDs (SIDs included in the access token generated after logon to the workstation + SIDs included in the new access token generated by the server) will be compared against any ACEs in the resource ACL while accessing a resource on a remote server (whether or not the remote server belongs to the same domain, a different domain, the same forest or a different forest).

    No, not all. Domain local groups do NOT cross the trust boundary. You left them out of this scenario, but your statement:

    SIDs included in the access token generated after logon to the workstation + SIDs included in the new access token generated by the server

    But again, the SIDs included are not all that are in the workstation's token. It is a new token created by the resource-holding server you are accessing. So it is not Workstation + Server + Domain, it is User + Server + Domain.

  • Thank you so much for your reply. Sorry again, but there seems to be a contradiction. That's why I'm writing. I've found the Microsoft article below, which says the same thing I mentioned in my previous reply.

    As per the link below, it does not say what you told me, that the token will include "Authenticating Domain Global Groups and Forest Global Groups". Please have a look.

    https://docs.microsoft.com/en-us/windows/win32/ad/how-security-groups-are-used-in-access-control

    The confusion arises because of the statement "Authenticating Domain Global Groups and Forest Global Groups" mentioned in previous replies.

    I hope you will cross check and clear this out.

    Suppose there are 2 domains, Domain A and Domain B. The resource is on a Domain B-joined server. The user belongs to Domain A. So the user logs in on Domain A and tries to access the resource on the Domain B-joined server. In this case, I just want to confirm that the authenticating domain is only Domain A, not Domain B. Correct?

    So it means it can contain only Domain A global groups, Domain A universal groups and Domain B universal groups. So forest global groups means all universal groups of all domains in a forest (intra-forest logon). Correct?

    Another confirmation:

    In an inter-forest logon, there are 2 situations: external trust and forest trust.

    So in case of an external trust: global groups within the trusted domain are not included in the token, only universal groups within the trusted domain are included in the token. Correct?

    But in case of a forest trust: both global groups from the authenticating domain and all universal groups within the trusted forest are included in the token. Correct?

    So in case of an external trust: only universal group (within the trusted domain) SIDs will cross the trust boundary. Correct?

    But in case of a forest trust: SIDs of global groups from the authenticating domain as well as SIDs of universal groups within the trusted forest will cross the trust boundary. Correct?

    So in short, only global group SIDs and universal group SIDs always cross the trust boundary. Domain local group SIDs never cross the trust boundary. Correct?

    Please reply and validate/confirm whether my understanding is correct on all the points mentioned above and close the discussion.

    Thank you again for your extreme support. I really appreciate your patience and cooperation.

  • It's my humble request, just to reply one final time on the points mentioned above, because I have found it very difficult to find these details with clarity anywhere on the net. I hope you can understand the concern on this matter and will support me one final time.

    Thank you.

  • Your support has been commendable so far. I am really happy :-) with your extremely helpful nature. I don't want to lose any hope. Literally, I'm not getting answers and explanations anywhere on the other technical forums and support forums. Kindly understand from my standpoint and just explain one final time. OR alternatively, you can share some URLs of reference or support articles where I can find answers and explanations of the points mentioned above, which cover this stuff.

    Thanks in advance!

  • FYI, I am not "Support"; I am a "Principal Strategic Systems Architect" handling migration solutions, with 20+ years of field migration experience. I know this stuff off the top of my head. So to supply you with links, I would have to take time and find the links. That is not something I have time to do.

  • As per the link below, it does not say what you told me, that the token will include "Authenticating Domain Global Groups and Forest Global Groups". Please have a look.

    https://docs.microsoft.com/en-us/windows/win32/ad/how-security-groups-are-used-in-access-control

    The confusion arises because of the statement "Authenticating Domain Global Groups and Forest Global Groups" mentioned in previous replies.

    I hope you will cross check and clear this out.

    MS states in that link the following:
    When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:

    • User SID.
    • SIDs of all global and universal security groups that the user is a member of.
    • SIDs of all nested global and universal security groups.

    I used the word "Forest Global", that was a typo, it should have read "Forest Universal". 

    Suppose there are 2 domains, Domain A and Domain B. The resource is on a Domain B-joined server. The user belongs to Domain A. So the user logs in on Domain A and tries to access the resource on the Domain B-joined server. In this case, I just want to confirm that the authenticating domain is only Domain A, not Domain B. Correct?

    When user A accesses a resource on a server joined to Domain B, the server uses its secure channel to the DC in Domain B. Since Domain B is not the source of authority, the DC in Domain B uses the secure channel to a DC in Domain A. So while it is true that the authenticating domain is Domain A, it passed through the trust and a DC in Domain B.

    So it means it can contain only Domain A global groups, Domain A universal groups and Domain B universal groups. So forest global groups means all universal groups of all domains in a forest (intra-forest logon). Correct?

    No, it means all Domain A global groups and all forest universal groups for the forest that Domain A is a member of.

    In an inter-forest logon, there are 2 situations: external trust and forest trust.

    The only difference between the two types of trusts is the scope of authentication possible. With an external trust, only the domain with that trust can authenticate its users. For a forest trust, any domain within the forest can authenticate its users.

    So in case of an external trust: global groups within the trusted domain are not included in the token, only universal groups within the trusted domain are included in the token. Correct?

    Only global groups and universal groups in the domain where the user account exists.

    But in case of a forest trust: both global groups from the authenticating domain and all universal groups within the trusted forest are included in the token. Correct?

    Same as above, for the reasons above that.

    So in short, only global group SIDs and universal group SIDs always cross the trust boundary. Domain local group SIDs never cross the trust boundary. Correct?

    Correct.
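The group-scope rules the replies above lay out (the authenticating domain's global groups, the forest's universal groups except over an external trust, the resource server's own domain local and machine-local groups, and domain local SIDs never crossing a trust) as an added Python model that is not from this thread or from Microsoft; all domain, forest, SID and group names are constructed, and it reproduces both the migration scenario from the question and the UG-A forest-trust scenario.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    sid: str
    domain: str         # owning domain, or the host name for a machine-local group
    scope: str          # "global" | "universal" | "domain_local" | "machine_local"
    members: frozenset  # SIDs placed directly in the group (users or other groups)

@dataclass
class Directory:
    forest_of: dict         # domain -> forest name
    forest_trusts: set      # {frozenset({forestX, forestY}), ...}
    external_trusts: set    # {frozenset({domX, domY}), ...}
    groups: list

    def impersonation_token(self, user_sid, user_dom, server_dom, server_host):
        """SIDs in the token a resource server builds when a remote user connects."""
        uf, sf = self.forest_of[user_dom], self.forest_of[server_dom]
        forest_path = uf == sf or frozenset({uf, sf}) in self.forest_trusts
        if not forest_path and frozenset({user_dom, server_dom}) not in self.external_trusts:
            raise PermissionError("no trust path from %s to %s" % (server_dom, user_dom))
        def admissible(g):
            if g.scope == "global":        # only the authenticating (user's) domain
                return g.domain == user_dom
            if g.scope == "universal":     # whole forest; only the user's domain over an external trust
                return self.forest_of[g.domain] == uf if forest_path else g.domain == user_dom
            if g.scope == "domain_local":  # never crosses a trust: the server's own domain only
                return g.domain == server_dom
            return g.domain == server_host # machine-local groups on the resource server itself
        token, grew = {user_sid}, True
        while grew:                        # expand nested membership until nothing new appears
            grew = False
            for g in self.groups:
                if g.sid not in token and admissible(g) and g.members & token:
                    token.add(g.sid); grew = True
        return frozenset(token)

def access_granted(token, dacl_allow_sids):   # any token SID matching an allow ACE wins
    return bool(token & set(dacl_allow_sids))

# Constructed sample (made-up names): src and tgt sit in different forests, tgt2 in the target forest.
GROUPS = [
    Group("S-G-mig", "tgt", "global", frozenset({"S-user-tgt"})),      # migrated global group
    Group("S-DL-src", "src", "domain_local", frozenset({"S-G-mig"})),  # source DL nesting it
    Group("S-UG-2", "tgt2", "universal", frozenset({"S-user-tgt"})),   # universal, other domain
]
FOREST = {"src": "F-src", "tgt": "F-tgt", "tgt2": "F-tgt"}
FOREST_TRUST = Directory(FOREST, {frozenset({"F-src", "F-tgt"})}, set(), GROUPS)
EXTERNAL_TRUST = Directory(FOREST, set(), {frozenset({"src", "tgt"})}, GROUPS)
```

With a DACL that only lists the source domain local group, the target user is refused on a migrated server in tgt (the DL SID is not in a tgt-built token) but admitted on a server still in src; on a real Windows host the SIDs that actually landed in a token can be listed with `whoami /groups`.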