
July 7, 2014

Understanding Proxy Authentication with multiple domains in AD LDS




What is Proxy Authentication?

Proxy Authentication allows a user to authenticate against an AD LDS instance while using the password that is stored in Active Directory. In AD LDS you can use AdamSync.exe to create a UserProxy or UserProxyFull object in AD LDS. The proxy object in AD LDS looks like a traditional user object; however, it does not have a password stored on it. When an application that is pointed to the AD LDS instance tries to authenticate, the AD LDS server passes the SID and password to a domain controller to verify that the credentials are correct.


Proxy Authentication with Multiple Domains

If you are syncing multiple domains with your AD LDS instance, you will notice that the LDS server searches each domain for the user's SID in order to authenticate the user. For example, let's say your AD LDS server is syncing accounts with DomainA.com and DomainB.com, and the server is joined to DomainA.com. When an authentication request is received from a user in DomainB.com, the AD LDS server searches DomainA.com first and then DomainB.com before it finds the account. This is not necessarily a problem, because the relative identifier portion of a SID is unique relative to the domain. However, if you are using ADMT to migrate users from DomainA to DomainB and you are migrating SIDHistory in the process, you can run into issues with authentication. The problem is that when a user authenticates with DomainB credentials, the AD LDS server starts searching DomainA first and finds the SID associated with the migrated account in DomainA before it ever searches DomainB. This particular situation may not come up often, but it can cause many hours of headache if you are not aware of it.
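One way to find out whether any proxy object in your instance is exposed to this, as an added check that is not part of the original post: list the userProxy / userProxyFull objects in the AD LDS partition, then ask each synced domain (in the order the LDS server searches them, joined domain first) whether that SID matches an account's objectSid or sIDHistory, and flag every SID that resolves in more than one domain. The LDS host:port, partition DN and domain names are placeholders for your own environment, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module, read access to the LDS instance and to both domains, and that the
# host name, port and partition DN below are replaced with your own values.
Import-Module ActiveDirectory

$LdsServer    = 'ldsserver.domaina.com:389'   # AD LDS instance as host:port (placeholder)
$LdsPartition = 'OU=Users,DC=app,DC=local'    # partition holding the proxy objects (placeholder)
# Domains in the order the LDS server searches them: the joined domain first.
$Domains      = @('DomainA.com', 'DomainB.com')

# Every userProxy / userProxyFull object carries the objectSid copied from AD.
$proxies = Get-ADObject -Server $LdsServer -SearchBase $LdsPartition `
    -LDAPFilter '(|(objectClass=userProxy)(objectClass=userProxyFull))' `
    -Properties objectSid

foreach ($proxy in $proxies) {
    $sid = $proxy.objectSid.Value
    $hits = foreach ($domain in $Domains) {
        # A match on objectSid is the account itself; a match on sIDHistory is
        # a migrated copy of it (ADMT with SID history). Whichever domain comes
        # first in $Domains is the one the LDS server will find first.
        Get-ADObject -Server $domain `
            -LDAPFilter "(|(objectSid=$sid)(sIDHistory=$sid))" `
            -Properties objectSid, sIDHistory |
            ForEach-Object {
                [pscustomobject]@{
                    Domain  = $domain
                    Account = $_.DistinguishedName
                    Via     = if ($_.objectSid.Value -eq $sid) { 'objectSid' } else { 'sIDHistory' }
                }
            }
    }
    if (@($hits).Count -gt 1) {
        Write-Warning "$($proxy.Name) ($sid) resolves in more than one domain; the first hit wins:"
        $hits | ForEach-Object { Write-Warning "    $($_.Domain): $($_.Account) via $($_.Via)" }
    }
}
```

Any proxy reported here will be bound to the account in the earlier domain, regardless of which domain's credentials the user presents.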

Useful References
http://technet.microsoft.com/en-us/magazine/2008.12.proxy.aspx

