
I'm currently working with two Windows 2008 servers, each running on completely separate domains with no possibility of setting up a trust relationship between them.

What I need to find a way of doing is having a service on "Domain Controller A" able to write onto a fileshare on "Domain B".

I am able to map a drive from Domain Controller A to "Domain B" (\\Folder) using an account from Domain B (Domain_B\Account). However, I'm unable to run the service on Domain Controller A under this account, as Domain_B\Account cannot be authenticated by it.

Is there a way of doing this apart from setting permissions of "\\Folder" to allow read/write for the EVERYONE account, which I'm reluctant to do for the obvious security reasons?

Jawa

1 Answer


One solution:

(Note this will not work on a domain controller as they do not differentiate between AD and Local logins on a domain controller)

  1. Create a local user on Computer A, i.e. ComputerA\SharedServiceUser
  2. Create a local user on Computer B with exactly the same username and password, i.e. ComputerB\SharedServiceUser
  3. Set permissions on the share on Computer B for the local user created on Computer B
  4. Set the service on Computer A to run as the local user on Computer A

This works because Windows password hashes don't salt. So when the service on ComputerA passes its identity across the network as .\SharedServiceUser with the hash as the password, it matches the local user identity on ComputerB, .\SharedServiceUser.

Sam
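The four steps in the answer above, as an added worked example (not part of the original answer): a PowerShell script that uses the classic command-line tools available on Server 2008 (`net user`, `wmic`, `icacls`, `net share`, `sc.exe`) to create the mirrored local account on both machines, grant it only the share and NTFS rights it needs, and point the service at it. Machine names (ComputerA, ComputerB), the share name `SvcDrop`, its path and the service name `MySvc` are placeholders; each section is run on the machine indicated, from an elevated PowerShell prompt.

```powershell
# Added example, not the original answer's code. Placeholders: ComputerA hosts the
# service, ComputerB hosts the share "SvcDrop" (C:\SvcDrop), service name "MySvc".
$User = 'SharedServiceUser'

# The pattern only works if the password is byte-for-byte identical on both
# machines, so generate one long random password once and use it in both
# sections. Treat it as a shared secret: it must not be reused anywhere else.
function New-RandomPassword {
    param([int]$Length = 28)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $out   = New-Object System.Text.StringBuilder
    $byte  = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: skip bytes outside a multiple of the alphabet size
        # so every character is equally likely (no modulo bias).
        $limit = 256 - (256 % $chars.Length)
        if ($byte[0] -lt $limit) { [void]$out.Append($chars[$byte[0] % $chars.Length]) }
    }
    $out.ToString()
}
$Password = New-RandomPassword

# ---------------- On ComputerB (file server) ----------------------------------
# Local account that may never change or expire its password; a silent password
# change or expiry on one side breaks the mirror and the service starts failing
# with logon errors (visible as event 4625 in ComputerB's Security log).
net user $User $Password /add /passwordchg:no /expires:never
wmic useraccount where "name='$User'" set PasswordExpires=false

# Folder with inheritance removed and an explicit ACL: SYSTEM and Administrators
# keep full control, the service account gets Modify only (no permission changes,
# no ownership). This is the minimum the service needs to write files.
New-Item -ItemType Directory -Path 'C:\SvcDrop' -Force | Out-Null
icacls 'C:\SvcDrop' /inheritance:r /grant:r `
    'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${User}:(OI)(CI)M"

# Share-level permission for that one account only; nothing for Everyone.
net share "SvcDrop=C:\SvcDrop" "/grant:${User},CHANGE"

# ---------------- On ComputerA (service host) ---------------------------------
# Same name, same password, same "never changes" settings.
net user $User $Password /add /passwordchg:no /expires:never
wmic useraccount where "name='$User'" set PasswordExpires=false

# Run the service as the local account. ".\" means "this computer's account",
# which is what ComputerB will see as .\SharedServiceUser over the network.
# Note the mandatory space after each "=" in sc.exe syntax.
sc.exe config MySvc obj= ".\$User" password= "$Password"

# Caveat: unlike the Services MMC snap-in, sc.exe does not grant the account the
# "Log on as a service" right; grant it under Local Security Policy
# (secpol.msc > Local Policies > User Rights Assignment) or the service won't start.

# Verify the logon identity took effect before restarting the service.
sc.exe qc MySvc | Select-String 'SERVICE_START_NAME'
```

Two practical points on this pattern: the password lives in the service configuration on ComputerA (LSA secrets, readable by local administrators), so it should be unique to this purpose and rotated on both machines at once; and as the answer itself notes, the trick depends on ComputerA not being a domain controller, since a DC resolves `.\SharedServiceUser` as a domain account rather than a local one.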