AD Authentication across forests

We are working with an environment with 2 AD domains, each in their own forest.  The BOE server is installed in DOMAIN1 (BOE 3.1 FP3.1, Tomcat 5.5, Windows 2003 SP2) and can authenticate DOMAIN1 AD users without issue.  We can also SSO users in DOMAIN1 into InfoView and successfully login to Designer using a DOMAIN1 user.
However, users in DOMAIN2 cannot log in to Designer or InfoView.  We have successfully run KINIT for both domains, but BOE is being stubborn.
The error when attempting to login to Designer is as follows:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Kerberos target name <service acct's SPN> is unknown. Please contact your system administrator to make sure it's set up properly. (FWM 00003)(hr=#0x80042a01)
We have attempted using the userID in the following formats:
userID
userID@DOMAIN2
I realize that we cannot SSO the users from another forest, but we could authenticate the users from DOMAIN2 at one point; however, we had to rebuild the server due to other issues we were working on.
Here is our krb5.ini:
[libdefaults]
     default_realm = DOMAIN1
     dns_lookup_kdc = true
     dns_lookup_realm = true
     udp_preference_limit = 1
[domain_realm]
     .domain1 = DOMAIN1
     domain1 = DOMAIN1
     .domain2 = DOMAIN2
     domain2 = DOMAIN2
[realms]
     DOMAIN1 = {
          kdc = DC1.DOMAIN1
          kdc = DC2.DOMAIN1
          kdc = DC3.DOMAIN1
          kdc = DC4.DOMAIN1
          admin_server = DC1.DOMAIN1
          default_domain = DOMAIN1
     }
     DOMAIN2 = {
          kdc = DC1.DOMAIN2
          kdc = DC2.DOMAIN2
          admin_server = DC1.DOMAIN2
          default_domain = DOMAIN2
     }
[capaths]
     DOMAIN2 = {
          DOMAIN1 =
     }
Any thoughts?
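As an added example (not part of the thread, and not SAP's or MIT's code), here is a small Python check that parses a krb5.ini shaped like the one above and reports the cross-realm inconsistencies that typically stop the second realm from working. The sample file, realm and host names are constructed placeholders modelled on the post; it assumes a direct two-way trust, for which the [capaths] entry should be "." rather than empty.

```python
"""Sanity-check a krb5.ini for cross-realm (cross-forest) use.

Added example, not from the original thread: parses [libdefaults],
[domain_realm], [realms] and [capaths] and reports a realm that is mapped or
named but has no [realms] stanza, a stanza with no kdc, and an empty or
dangling [capaths] entry ("." means a direct trust, otherwise the hop realm).
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's file (placeholder names). DOMAIN3 is
# mapped but never defined, DOMAIN2 has no kdc, and the capaths entry is empty.
SAMPLE_KRB5_INI = """\
[libdefaults]
     default_realm = DOMAIN1
[domain_realm]
     .domain1 = DOMAIN1
     .domain2 = DOMAIN2
     .domain3 = DOMAIN3
[realms]
     DOMAIN1 = {
          kdc = DC1.DOMAIN1
          kdc = DC2.DOMAIN1
     }
     DOMAIN2 = {
          default_domain = DOMAIN2
     }
[capaths]
     DOMAIN2 = {
          DOMAIN1 =
     }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")


def parse_krb5(text):
    """Return {section: {key: value}}; a 'key = { ... }' block becomes a nested
    dict and a key repeated inside a block (several kdc lines) becomes a list."""
    conf = defaultdict(dict)
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        m = _SECTION.match(line)
        if m:
            section, block = m.group(1), None
        elif not line or section is None:
            continue
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            target = conf[section] if block is None else conf[section][block]
            if value == "{":
                conf[section][key] = {}
                block = key
            elif block is not None and key in target:
                old = target[key]
                target[key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                target[key] = value
    return conf


def check_cross_realm(conf):
    """Return a list of findings (an empty list means nothing suspicious)."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] stanza")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {host} to undefined realm {realm}")
    for realm, stanza in realms.items():
        if not isinstance(stanza, dict) or "kdc" not in stanza:
            findings.append(f"[realms] {realm} lists no kdc")
    for client, hops in conf.get("capaths", {}).items():
        if client not in realms:
            findings.append(f"[capaths] client realm {client} has no [realms] stanza")
        for server, via in (hops.items() if isinstance(hops, dict) else []):
            if server not in realms:
                findings.append(f"[capaths] {client} -> {server}: server realm undefined")
            if via == "":
                findings.append(f"[capaths] {client} -> {server}: empty path; use '.' for a direct trust")
            elif isinstance(via, str) and via != "." and via not in realms:
                findings.append(f"[capaths] {client} -> {server}: intermediate realm {via} undefined")
    return findings
```

Run `check_cross_realm(parse_krb5(open("krb5.ini").read()))` against a real file; on the constructed sample it reports the undefined DOMAIN3, the missing kdc for DOMAIN2 and the empty capaths entry.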

Is that a 2-way forest trust or an external trust (verify in Sites and Services)? Forest trusts require AD 2003 forest functional level or above. Work on the client tools 1st. If you do have forest trusts then use the FQDN registry key specified above.
If that fails then launch a Microsoft tool such as mmc (Users and Computers - dsa.msc), save it to the desktop and then run it as the account you are testing. Attempt to connect to the other forest in the tool. Trusts can be made secure so that users are required to be added to a local group for permissions. If that's the case the mmc will fail to run or connect with the user account you are testing, and you need to get that working prior to BOE.
BOE client tools ride on top of AD infrastructure and shouldn't require any configuration to work provided the AD infrastructure works 1st.
Regards,
Tim

Similar Messages

  • Authentication across multiple applications

    Hi,
    I'm having trouble with authentication across multiple applications.
    Ideally I would like to log in to one application and have my credentials survive across the session for the other applications when they run.
    What is the best approach to do this?
    Thanks,
    Mark

    Thanks for your reply Frank.
    We've decided to switch to JAVA SSO but I'm having trouble getting to the configuration page in the 11g OC4J.
    I've posted a new thread with these questions:
    Configuring JAVA SSO with 11g OC4J
    Thanks,
    Mark

  • Event ID 538 and 540 Authentication Across Subnets

    Server: 2003 (Domain Controller)
    I am seeing multiple logon/logoff security events on my domain controllers.
    Successful Network Logon:
    User Name: BASDSC-DP1$
    Domain: BAHS
    Logon ID: (0x0,0x9C615D8)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {2e9cd56f-dac6-00ea-b487-3211b9be5fac}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.20.0.17
    Source Port: 59526
    User Logoff:
    User Name: BASDSC-DP1$
    Domain: BAHS
    Logon ID: (0x0,0x9C615D8)
    Logon Type: 3
    I know these indicate successful logon/logoff attempts. The problem is these logons are from users and computers at different sites/subnets under their own Domain Controller.
    Sometimes there will be four logon/logoff attempts from the same computer all within one second. There are no direct shares between the users or computers. I cannot believe that their own domain controllers are so busy that computers would have to go across the domain for authentication. Is there a way I can specifically determine why this is happening? My concern is that this is unnecessary traffic on the network.
    Thanks
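As an added example (not from the post), the following Python script parses events in the flattened field/value layout shown above, extended with a constructed Time line, and flags the two things described: type-3 logons arriving from another site's subnet, and four or more logons from one source within a second. The site subnets, account names and timestamps are constructed placeholders.

```python
"""Spot bursts of cross-site network logons (Windows 2003 event ID 540).

Added example, not from the original thread. It parses the flattened
'Field: value' layout of the posted events, groups type-3 logons by account
and source address, and reports accounts authenticating from another AD
site's subnet and bursts of four or more logons inside one second (the
pattern the poster describes). Subnets, timestamps and events are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed: the DC being audited is in site HQ; 10.20.0.0/16 is a branch.
SITE_SUBNETS = {"HQ": ipaddress.ip_network("10.10.0.0/16"),
                "BRANCH": ipaddress.ip_network("10.20.0.0/16")}
LOCAL_SITE = "HQ"


def _event(ts, user, addr, event_id=540):
    """Build one constructed event in the post's field layout (plus a Time)."""
    return (f"Event ID: {event_id}\nTime: {ts}\nUser Name: {user}\nDomain: BAHS\n"
            f"Logon Type: 3\nAuthentication Package: Kerberos\n"
            f"Source Network Address: {addr}\n")


SAMPLE_EVENTS = "\n".join([
    _event("2013-03-04 07:14:02", "BASDSC-DP1$", "10.20.0.17"),
    _event("2013-03-04 07:14:02", "BASDSC-DP1$", "10.20.0.17"),
    _event("2013-03-04 07:14:03", "BASDSC-DP1$", "10.20.0.17"),
    _event("2013-03-04 07:14:03", "BASDSC-DP1$", "10.20.0.17"),
    _event("2013-03-04 07:14:03", "BASDSC-DP1$", "10.20.0.17", event_id=538),
    _event("2013-03-04 07:14:05", "HQWS01$", "10.10.0.5"),
])


def parse_events(text):
    """Split blank-line-separated 'Field: value' blocks into one dict each."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
            current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def site_of(addr):
    """Map a source address to its AD site, or None if no subnet matches."""
    ip = ipaddress.ip_address(addr)
    return next((s for s, net in SITE_SUBNETS.items() if ip in net), None)


def find_anomalies(events, burst=4, window_seconds=1):
    """Return findings for cross-site logons and logon bursts per source."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") != "540" or ev.get("Logon Type") != "3":
            continue  # only successful network logons; 538 logoffs are skipped
        key = (ev["Domain"] + "\\" + ev["User Name"], ev["Source Network Address"])
        by_source[key].append(datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S"))
    findings = []
    for (account, addr), times in by_source.items():
        site = site_of(addr)
        if site != LOCAL_SITE:
            findings.append(f"{account} from {addr} (site {site}) hit a {LOCAL_SITE} DC")
        times.sort()
        for i in range(len(times) - burst + 1):  # sliding window over sorted times
            if (times[i + burst - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append(f"{account} from {addr}: {burst} logons within "
                                f"{window_seconds}s starting {times[i]:%H:%M:%S}")
                break
    return findings
```

Point `parse_events` at text exported from the Security log in the same layout, and replace SITE_SUBNETS with the subnet-to-site mapping from Sites and Services.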

    Hi,
    I agree with Philippe. The DC Locator could locate the closest DC.
    Each Windows Server 2003 or later based DC registers DNS records that indicate the site where the DC is located. The site name is registered in several records so that the various roles the DC might perform (i.e. Global Catalog server or Kerberos server) can be associated with the DC's site. When DNS is used, the DC Locator searches first for a site-specific DNS record before it begins to search for a DNS record that is not site-specific.
    If the DCs in the other sites run Windows Server 2008 or Windows Server 2008 R2, it is possible for the clients' DC Locator to fail over to the next closest site when they can't find a DC in the closest site. This can be done by enabling the Try Next Closest Site Group Policy setting.
    Also, when the setting is not enabled, DC Locator uses the following algorithm to locate a DC:
    Try to find a DC in the same site.
    If no DC is available in the same site, try to find any DC in the domain.
    And I notice that you mentioned that this same computer logged on and off its own DC seventeen times within seconds at 7:14:xx, then it logged on to your DC at 7:16:xx. So please involve administrators in other sites to check whether any Group Policies were configured on the DCs of their sites.
    For more details, please refer to the following article,
    Enabling Clients to Locate the Next Closest Domain Controller
    http://technet.microsoft.com/en-us/library/cc733142.aspx
    How DNS Support for Active Directory Works
    http://technet.microsoft.com/en-us/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a1#w2k3tr_addns_how_rotg
    Best Regards,
    Tina

  • User Account Authentication across multiple Solaris servers - Best Practice

    Hi,
    I am new to Solaris admin and would like to know the best practice/setup for authenticating user accounts across multiple solaris servers.
    Currently we have 20 - 30 Solaris 8 & 10 servers which each have their own user accounts setup. I am planning to replace these with a similar number of Solaris 10 servers and would like to centralise the user accounts and their authentication.
    I would be grateful for any suggestions on the best setup and any links to tutorials.
    Thanks
    Jools

    I would suggest LDAP + Kerberos: LDAP for name lookups and krb5 for auth. It provides secure auth + an extensible directory for users and other apps if needed. Plus, it provides a decent springboard to add other Unix platforms into the mix since this will support any Unix/Linux/BSD platform. You could integrate this design with a Windows AD env if you want as well.
    [http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp] sol + ldap+ AD
    [http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server] sol + ldap (openldap)
    [http://aput.net/~jheiss/krbldap/howto.html] sol + ldap + krb5
    Now these links are all using some different means; however, they should give you some ideas as to what's out there. Sol 10 comes with Sun's LDAP server and you can use the krb5 server which comes with it as well. Many, many different ways to do this. Many, many more links out there as well. These are just a few.

  • Authentication Across Multiple Web Applications (Revisited)

    It's been an ongoing battle, but I've made some insight into this situation. The problem stands as it seems impossible to authenticate against one web application deployed as a WAR archive and have that authentication carry across to another web application with the same security constraints. I've been told by BEA that, quote:
    "It seems to me that we are violating section 11.6 of the servlet 2.2 spec which talks about webapps"
    I've also been told that this is fixed in WLS 6.0, reference issue #38732.
    For those of us building production environments using 5.1 instead of 6.0 XML based configuration, this does NOT solve our problem.
    I've dug further into the bowels of 5.1 and found that if you manually set the realm name in the login-config of the security constraint in the web.xml file in each WAR deployment as such:
         <login-config>
              <auth-method> [whichever method] </auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
    Authentication will carry across web applications. However, I've noted that the session management then becomes unpredictable. For example:
    I log into the application TESTAPP1 which contains a protected servlet that outputs the session ID and attempts to get the authenticated principal name from the "_wl_authuser_" session variable. Upon first load of the page (after the login dialog box), the session is null [can be fixed with .getSession(true) call instead] and the "_wl_authuser_" object does not exist. Reload the page and the session appears as well as the "_wl_authuser_" object. Strange.
    I then move to TESTAPP2, which does not prompt me for authentication but also is missing the session in the same manner. Upon browser reload, the session is created with a different ID and the "_wl_authuser_" object is now available with the appropriate principal name.
    Upon moving back to TESTAPP1, I am not prompted for authentication; however, I am assigned yet another session ID after browser reload, different from the first.
    So it seems that although authentication is carried across web applications, the session IDs as you move from TESTAPP1 to TESTAPP2 change, and then change again but not back to the original when going back to TESTAPP1.
    This is a particular problem since we are using Vignette's V5 as our main client and tracking sessions through V5 - this would quickly become unmanageable if a single page view accesses three or four different application components with three or four different session IDs.
    I'm wondering if we can expect the same behavior from WLS 6.0?
    Ideally, I'd like to see WebLogic use a single session ID to track users across multiple web applications but still have session independence between applications. So if I store something in session in TESTAPP1, it's not available in TESTAPP2. Does this outline the behaviour in WLS 6.0? Can anyone verify this?
    Some food for thought. Thanks!
    ./Chris
    Senior Systems Analyst
    MassMutual Financial Group

    Hello! I am searching for an answer to this question too!!!
    Did you get some news regarding this item?
    Regards,
    C.M.

  • 'Send as' permission across forest not working

    I want to grant 'send-as' permission to a user on a distribution group (security group) of a different forest.
    I tried granting this via Active Directory but whenever we try to send mail as this distribution group, Outlook complains: "You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk."

    Hi,
    Please make sure the two forests trust each other, and that both the user and the distribution group are not hidden from the address list and are mailbox-enabled. Please run the following command to check whether the user has been assigned the Send-As permission:
    Get-ADPermission DistributionGroup | where {($_.ExtendedRights -like "*Send-As*")}
    If all configurations are correct, please restart the Microsoft Exchange Information Store service on the Exchange server and create a new profile in Outlook to have a try.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • AD RMS across forests with external AD trust

    The RMS server is deployed in the resource AD forest abc.com. My client also wants to let users in other AD forests use the RMS services. However, they only have an "external trust" type with the resource AD. I can find a Microsoft document that supports the "forest trust" scenario:
    http://technet.microsoft.com/en-us/library/ee918789%28v=ws.10%29.aspx
    But I cannot find any document saying that Microsoft will support the "external trust" scenario. Can anyone confirm whether this scenario works and any potential issues?
    Do note that we already deployed FIM for directory synchronization. There are contact objects in the resource forest to represent users/groups in the account forests.
    William Yang

    Hi William,
    "Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest."
    Ref. http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx
    So if you want to use two forests with ADRMS, deploy it to each forest and create TUD or TPD. Also you can think of having federation services with ADFS together with ADRMS.
    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

  • Endpoint Install across Forests

    I have added a second AD forest to my main SCCM site.
    That second forest reports discovery status failed to connect but publish status succeeded.
    I have tried to deploy Endpoint to a test collection in the second forest; all systems in the collection say the client is installed and active, but Endpoint has not been installed.
    Endpoint is running fine on the main AD forest and collections.
    I have tried to google this on my own but have been unsuccessful. I thought I'd ask here to see if I can get a little more focus on where to begin to troubleshoot this.
    Thanks! 

    I am not quite sure what you are asking. I deployed Endpoint the exact same way as I did in my main forest and that is working.
    Client Settings - Endpoint Protection,
    Client Settings - Software Deployment and Updates
    Software Update Group - Endpoint Protection
    Custom Workstation AV policy
    Those are the 4 things I deployed to the Test collection in the second forest.

  • Moving File/Terminal Server Across Forest Trust

    Hello all, I think this question is relatively straightforward but I wasn't able to find any direct answers with a forum search. I have two forests with a full trust, forest A and forest Z. Forest Z has been on the decommission track for two years, and after this operation I intend to completely shut it down. I did not migrate users between forests; rather I created completely new user accounts in forest A for users who were in forest Z, and abandoned the forest Z user accounts. Forest Z still has several file servers and a terminal server which I would like to move to a domain in forest A. On the file servers, there are shares which have permissions and sharing settings for forest A users, and the terminal server also has user profiles for forest A users.
    The question is: when I move the file servers and terminal server from the domain in forest Z to a domain in forest A, will the file permissions from the previously non-local forest A remain in place, and will the user profiles from forest A still load when users sign in to the terminal server? Any help would be greatly appreciated, thanks!

    Hi,
    Do you mean that forest A users have logged on to the TS server and created their profiles on it? Now you want to move the TS server from forest Z to forest A?
    Regards,
    Denny
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • FIM add-ins & password reset across Forests?

    Hi,
    Forest A (resource forest) has FIM Sync, Service & Portal.
    Forest B is where the user account and domain computer exist.
    Forest A & B are joined by a 2-way trust.
    If we deploy the FIM add-ins and extensions on a workstation in Forest B, will the user be able to reset their password?
    thanks,
    dw

    Yes, in your case users are able to use SSPR functionality. Users must be synced by FIM. You have a trust, so they are able to log on to the Portal. Last but not least, DNS must allow name resolution and correct SPN settings for the service account must be done.
    Henry

  • Are admins in different forests automatically admins in the other forest after a trust is created?

    Hello Community
    In Windows Server, when you have a ForestA containing an admin and a ForestB containing an admin, if a trust relationship between ForestA and ForestB is created, will the admins have administrative privileges in each other's forest by default after the trust relationship is created, or does the admin in one forest have to explicitly give the admin in the other forest admin privileges?
    Thank you
    Shabeaut

    Hi,
    Administrators won't become administrators of another forest after a forest trust is created. Actually, a forest trust only provides a secure channel to allow authentication to flow across forests; it doesn't assign any privileges/permissions to administrators/users from the other forest.
    In addition, Domain Admins group is a Global group, which means that it only contains members from the local domain, therefore, we can’t add users from another forest into Domain Admins group of the local forest.
    More information for you:
    How Domain and Forest Trusts Work
    http://technet.microsoft.com/en-us/library/cc773178(v=WS.10).aspx
    Understanding Groups
    http://technet.microsoft.com/en-us/library/dd861330.aspx
    What's the different between builtin local/administrators and Domain Admins in AD 2003?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/7866aacc-d6b8-412e-ab1e-69d152d1c7c4/whats-the-different-between-builtin-localadministrators-and-domain-admins-in-ad-2003?forum=winserverDS
    Best Regards,
    Amy

  • Need help on Cross Forest Exchange 2007 - 2013 with Linked Mailboxes

    Hey all,
    So I'm in a bit of a pickle with my Exchange design and am trying to figure out if there's a way to migrate mailboxes across forests where Linked mailboxes are being used. I've done a bit of reading and have noted stuff like preparing the move request in AD, etc. But I'm wondering if someone can break it down for me.
    http://1drv.ms/1lWjLqG
    The above is a OneNote diagram of how we have moved over time. Please forgive my sloppy handwriting but I hope it gets the point across. I will text it out here as well:
    Original Design
    The original design of the domains when I joined the company were fabrikam and contoso. Contoso is a domain that sits entirely in the "DMZ". Fabrikam was the internal AD forest where most services and users authenticated to. In Contoso, there are 2 domain controllers, the "Front End" Exchange Server (Edge Transport), and the "Back End" server, which is CAS/Mailbox.
    There is a forest trust between contoso and fabrikam where "Linked Mailboxes" are created in Contoso, and then the LinkedMasterAccount is set to Fabrikam.
    Migration/Hybrid Design
    Due to the fact that these two domains were configured massively inappropriately, riddled with security holes as well as strange permissions configurations, the decision was made to create a new internal AD domain. In my OneNote, I've labeled this 'specialbank.com'.
    A long while ago we migrated users from Fabrikam to SpecialBank via trusts. To facilitate access to Exchange, a new trust was created between Contoso and SpecialBank to allow us to update the LinkedMasterAccount parameter to the new Specialbank domain.
    We have most of our users authenticating to their mailboxes via SpecialBank, while the mailboxes still reside in Contoso.
    Migration from Exchange 2007 to Exchange 2013
    I am attempting to now figure out the best way to migrate the mailboxes from Contoso to a new set of Mailbox servers in SpecialBank. This will also be an upgrade from Exchange 2007 (Current) to an Exchange 2013 installation.
    The latest Service Packs and CUs are installed in both.
    What would be the best procedure to move these mailboxes? To my knowledge, the current best practice/recommended way is to perform a user/SID migration from Contoso to SpecialBank. But I already have accounts in SpecialBank that users are actively using.
    I'm not opposed to doing a simple PST export from Contoso to SpecialBank, but we're looking at around 120 mailboxes. So I'm trying to make my life a little easier instead of spending a weekend here.
    If I try to do it in batches, I need to figure out how to handle autodiscover and CAS. Since I'm creating an entirely new Exchange environment, I'm trying to limit what I place in the existing configuration. But I'm not opposed to setting up something temporarily if I need to in order to make the migration transparent to users.
    Can anyone help?

    Hi ,
    From your description I came to know contoso is the resource forest and special bank is the account forest.
    You just want to migrate the linked mailboxes from the resource forest to the account forest, and also you would want the migrated mailboxes to get merged with the respective user accounts in the account forest to become normal user mailboxes. Am I right?
    Please correct me if I am wrong. I have found some blogs on the internet; please have a look at them, especially the first one.
    http://www.outlookforums.com/threads/60210-cross-forest-mailbox-move-and-linked-mailbox/
    http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27974905.html
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • Security considerations across AD trusts

    Hi
    What are the security considerations (for Forest/DomainA) when creating a one-way trust between DomainA (the trusting domain) and Forest/DomainB (the trusted domain), so resources in DomainA are exposed to users in DomainB?
    I am trying to articulate the security considerations (i.e. that the concept of the forest security boundary has been broken) to the owners of DomainA.
    This is because DomainA is also used to provide authentication services to DomainC, which has very strict security compliance policies.
    Can DomainB enumerate users in DomainA? Can an admin in DomainB elevate his/her rights in DomainA?
    Presumably a misconfiguration of permissioning in DomainA could see rights given to resources used by DomainC.
    Thanks everyone

    Hi,
    Let me explain using a sample scenario that addresses your requirement.
    For example, consider two AD forests - contoso.com and nwtraders.com
    Requirement:
    - I want the users from nwtraders.com to access all resources in contoso.com
    - But the users from contoso.com should be able to access only selected resources in nwtraders.com.
    Solution:
    - In contoso.com, we should configure forest wide authentication on incoming trust, to enable users from nwtraders.com to access all resources in contoso.com.
    - In nwtraders.com, we should configure selective authentication on incoming trust, to enable users from contoso.com to access only selected resources in nwtraders.com.
    Checkout the below thread on similar discussion,
    http://social.technet.microsoft.com/Forums/en-US/b47ee506-c014-4131-b16e-c9c86f7fd39f/add-to-domain-across-forest-trust?forum=winserverDS
    Regards,
    Gopi
    JiJi Technologies

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts with Cisco ISE?
    I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
    They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
    I can search and get lists of AD groups ok for the remote domain. 
    Using the attribute tab, I can't get attributes for users in the remote domain.  I'm thinking since I can't see the memberOf attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
    Cheers
    Peter. 

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on page 170.

  • Synchronizing multiple Mac Mini Server Open Directories across branch offices

    Greetings from Central Asia -
    The non-profit that I work with has been undergoing a long-overdue IT upgrade and we recently purchased some Mac Mini Servers (still running Snow Leopard Server) to act as the core of our network across our 3 offices in 3 different cities.
    We have employees moving between offices regularly, so I'm hoping to find a way to synchronize our user database between our head office and our branch offices instead of creating separate databases in each location.  We use RADIUS and pfSense with a CaptivePortal for controlling who has internet access as well as have file shares, so keeping user database management to a minimum is an ideal.
    I come from a mostly Microsoft Domain background with regards to these things so I'm not entirely sure where to start.  Hopefully some hopeful folks here will steer me in the right direction!
    I have a (mostly) unrelated question though - OS X Server seems to have two separate user databases - the "local" DB and the LDAP/OpenDirectory DB.  Is there a way to make these function together? When creating users and assigning them to groups, which is best practice to use? How do I give an LDAP/OD user login rights to the server?
    Thanks in advance,
    Tim

    I would prefer to keep the two databases separate, with the local database providing a few specific users with access when OD is inaccessible.
    The local database is basically a self-hosted LDAP server. 
    The local and OD databases do function with the appearance of one single user account presentation at login and for typical operations, too.
    Do keep all of the usernames unique; the local users, as well as the OD users.
    For your configuration, the usual pattern here is one or more open directory replicas in each lobe of the network.
    These replicas then coordinate with the master copy among themselves.  You'll have one distributed copy, but the lobes won't be tied to authentication across what may or may not be an entirely stable network; users authenticate off the local replica.
    There are also folks that use Microsoft Active Directory as the back-end for Mac OS X, as well; there are various means to this end, including what is known as the magic triangle configuration.
    As for learning more about OD, I'd read the Snow Leopard Server Open Directory administration documentation as a starting point.  The Lion Server documentation is thin.
    The Mac Enterprise Mailing List archives can also be enlightening; that's probably the most concentrated source of information on more complex management environments.
