Force domains and forests to be one-way trusted

Use the Force domains and forests to be one-way trusted group policy to specify a list of two-way trusted domains that must be treated as one-way trusted domains. This is useful when two-way trusted domains are not accessible from UNIX machines, for example, because they are behind a firewall. Configuring this parameter allows cross-forest users to authenticate to the trusting machines.

To set this group policy, select Computer Configuration > Centrify Settings > DirectControl Settings > Adclient Settings > Force domains and forests to be one-way trusted.

The default is an empty list.

Provide the following information for the group policy:

  • A list of forests or domains to be treated as one-way trusted.

    Specify a list of two-way trusted forests, and of domains that have a two-way external trust relationship with the local domain, that the DirectControl Agent should treat as one-way trusted forests or domains.

This policy is likely to be used together with the Specify NTLM authentication domains and Specify AD to NTLM domain mappings group policies if these forests and domains are not accessible from UNIX machines.

  • Use the group policy, Specify NTLM authentication domains, to specify the list of domains that use NTLM authentication instead of Kerberos authentication.
  • Use the group policy, Specify AD to NTLM domain mappings, to map AD domains to NTLM domains.

As an alternative to using the Force domains and forests to be one-way trusted group policy, you can use the configuration parameter adclient.one-way.x-forest.trust.force.