Multi Forest AD Authentication

Hi,
I think I messed up somewhere in the web.xml. The problem is like this:
1. I have users across geography.
2. In AD they are in different domains for example : Europe , Asia , NA etc.
3. Logon the general way is
<Domain>\<Username>
But when I am supplying the domain name it's throwing an error. But when I log in with just the username it logs in fine. But that is only for one domain. The users of other domains are not able to log in.
So please advise where to change in the XML so that they can supply the domain name.
Regards
Sid
Urgently required, so a quick response from all of you will be very helpful.

If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since those tools don't use Java, you can log on with domain\user (no case sensitivity).
Also note that urgent issues should be opened as cases with support; the forums are not the place, and it is against the rules of engagement (also in the sticky post).
Regards,
Tim
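The rule in the reply above (a non-default-domain user logs on as username@FQDN.COM, and that realm must appear in krb5.ini in upper case with at least one KDC) can be checked before anyone tries to log in. The script below is an added example, not code from the thread or from Business Objects/Tomcat; the krb5.ini text it parses is constructed for the example, and `parse_krb5` is a minimal parser that only understands `[libdefaults]` and `[realms]`.

```python
"""Check a krb5.ini against the multi-domain logon rule: a login written as
user@REALM needs REALM listed in upper case under [realms] with >= 1 kdc.
SAMPLE_KRB5_INI below is constructed for this example."""
import re

SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = EUROPE.EXAMPLE.COM

[realms]
EUROPE.EXAMPLE.COM = {
    kdc = dc1.europe.example.com
    kdc = dc2.europe.example.com
}
asia.example.com = {
    kdc = dc1.asia.example.com
}
NA.EXAMPLE.COM = {
}
"""


def parse_krb5(text):
    """Minimal parser: {'libdefaults': {key: value}, 'realms': {REALM: [kdc, ...]}}."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1).lower(), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            libdefaults[key.strip().lower()] = val.strip()
        elif section == "realms":
            if realm is None:                    # expecting "REALM = {"
                m = re.match(r"^(\S+)\s*=\s*\{$", line)
                if m:
                    realm = m.group(1)
                    realms[realm] = []
            elif line == "}":
                realm = None
            else:                                # inside a realm block
                key, _, val = line.partition("=")
                if key.strip().lower() == "kdc":
                    realms[realm].append(val.strip())
    return {"libdefaults": libdefaults, "realms": realms}


def check_logon(login, config):
    """Return the list of problems that would stop `login` working; [] if fine."""
    problems = []
    _user, _, realm = login.partition("@")
    if not realm:                                # bare username -> default realm
        realm = config["libdefaults"].get("default_realm", "")
        if not realm:
            return ["no default_realm configured and no realm in login name"]
    realms = config["realms"]
    if realm != realm.upper():                   # Java Kerberos is case-sensitive here
        problems.append(f"realm {realm!r} in the login must be written in upper case")
    defined = {r.upper(): r for r in realms}
    if realm.upper() not in defined:
        problems.append(f"realm {realm.upper()} is not defined under [realms]")
        return problems
    entry = defined[realm.upper()]
    if entry != entry.upper():
        problems.append(f"[realms] entry {entry!r} is not in upper case")
    if not realms[entry]:
        problems.append(f"realm {entry} has no kdc defined")
    return problems


if __name__ == "__main__":
    cfg = parse_krb5(SAMPLE_KRB5_INI)
    for login in ("sid", "sid@ASIA.EXAMPLE.COM", "sid@NA.EXAMPLE.COM", "sid@apac.example.com"):
        print(login, "->", check_logon(login, cfg) or "OK")
```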

Similar Messages

  • Multi-Forest LDAP Authentication

    Hi Guys
    We are trying to implement authentication and import across multiple domains
    We originally tried to build our own custom code but this has failed due to some unforeseen errors.
    I have reverted back to the inbuilt ciac option for import person and EUA.
    The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes,
    for example
    ASE\#sAMAccountName#
    or
    #userPrincipalName#
    When I try to add this I receive the error that no person was found in the result of the LDAP getperson search.
    I have tried the format for EUA as
    uid=#LoginId#,dc=ase,dc=internal
    DomainName\#LoginId#
    #LoginId#
    Any help will be greatly appreciated.
    Regards,
    Matt


  • Active Directory multi forest Kerberos authentication Tomcat

    Sorry. It is wrong forum. I forwarded my question to Business Objects forum.
    Hi,
    I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
    There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
    I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
    There is also an error logged in Tomcat stdout.log file:
    70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    If anyone has come across this situation, please share the solution.
    Thanks & Regards,
    Piotr
    Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

    Hi
    Is your Enterprise configured to a Java Active Directory?
    Then there can be multiple causes:
    - The Java and the Central Management Server (CMS) are using encryption types that do not match.
    - The Service Principal Name in the CMC is incorrect
    Then to resolve this perform the following steps:
    - In the Central Configuration Manager, double-click the CMS, and note the service account used.
    - In Windows Domain users and computers, go to account properties for the CMS service account.
    - Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
    - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
    - Restart the CMS server and log on.
    In a clustered CMS environment ensure that all CMSs are running under the same domain account.
    Hope this helps!!!
    Regards
    Sourashree

  • SPNego for multi-forest using IBM JDK

    Hi All,
    I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
    Can anyone supply me with a guide or any helpful information regarding this ?  Do you know if it works?  I've currently got SPNego working for a single domain.
    Thanks in Advance,
    Anthony

    Jan,
    ok, thanks. I will now explain how I think we can help.
    Firstly, to be sure you understand - I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not related to the SAP login module, which has less functionality.
    I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
    Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host-based Kerberos library can be used to implement the protocol. This means that any differences between IBM, SUN or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of JDK to take advantage.
    Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the Key Table File on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping - we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
    Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross-realm trust and cross-realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross-realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
    So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
    1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
    2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain mapping of Kerberos principal name to SAP user id using a table in ABAP engine called USRACL. This table is maintained using SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
    I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim

  • VDI in multi forest

    Hello everyone,
    We have a situation with Remote Desktop Services with virtual desktops where we are limited in our possibilities. We have a multi-forest domain structure with trusts between the forests: some trusts are 2-way trusts, some trusts are 1-way trusts and some forests have no trust at all.
    We are trying to implement a RDS solution with virtual desktops, the servers are in domain 1 and the client VDI VM’s are in domain 2. Our question is in which trust configuration is this supported and is there any documentation?
    Our consideration is that we are not flexible and we need a hardware cluster for every forest and it’s getting very expensive.
    Thanks in advance, I hope to get a trustful answer.
    Kind regards,
    Jasper Sybrandy

    Hi,
    Sorry for the late response. It seems there is no good document regarding your case, but you can refer to the article below.
    Test Lab Guide: Virtual Desktop Infrastructure Quick Start
    https://technet.microsoft.com/en-in/library/hh831585.aspx
    Thanks.
    Dharmesh Solanki

  • MBAM 2.5 in Multi-Forest with two way trust

    Hi All,
    If we have two forests with a two-way trust, say A and B, MBAM 2.5 is set up in domain A, and the URLs are used in the GPO of domain B to make the clients report to MBAM, what additional steps do we need to take to ensure all functionality works fine, namely:
    - Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
    - Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
    Thanks in Advance,
    Regards,
    Vijay

    You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define the MBAM GPOs in the domain where the client resides.
    Check out this link :
    MBAM 2.5 installation - Multi Domain
    Cheers,
    Gaurav Ranjan / Sr. Analyst-Professional Services
    MICROLAND Limited - India's leading Infrastructure Management Services Company

  • Question about MP affinity in a multi-forest scenario without AD publishing

    I am looking at deploying an SCCM system that will feature multiple forests and the caveat of NOT being able to use any sort of AD publishing or schema extension. Knowing this, and that clients will use the MP residing in their forest by default...
    When AD publishing is not leveraged, will a client in a remote forest use the MP located within its forest?
    If true, does this become a single point-of-failure when the client can't communicate with the MP in its forest?

    AD publishing does not affect affinity at all. AD Publishing simply provides a "boot strap" location method where a client can find an MP if it has no knowledge of any MPs in the site. However, the choice of which MP to use is never based upon this boot strap location from AD. Clients always query an MP to determine which MP to use (thus the need for the boot strap process, otherwise you're stuck with chicken-and-egg).
    Also remember that this is just "affinity" and thus not truly guaranteed, although in nearly all cases that I've seen/used this, it does follow the affinity pretty well.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SUP configuration multi forest

    Seeking some advice for the below scenario. Not able to push software updates to client machines in both the forests.
    Two forests A and B with trust.
    One SCCM 2012 primary server with SUP and WSUS, SQL on a separate box - in Forest A.
    Firewall Ports are opened. Software / Package deployment works fine for the client machines in both the forest.
    WSUS sync is successful.
    From client machines I am able to ping and telnet to the SCCM/SUP/WSUS (all-in-one) server, and also able to browse the WSUS site created in IIS.
    Not able to push software updates to client machines in both the forests.
    Do we need multiple SUP roles in this case? Is there any workaround?
    Appreciate your help on this.
    Thanks
    Gurudatt

    In general no, there is no reason that you will need a SUP to support an alternate forest.
    Have you reviewed wuahandler.log on a client in this alternate forest?
    Is software distribution successful to clients in this alternate forest?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Multi Forest Client Management

    Our system has 4 forests with multiple child domains in each forest. We will be collapsing 3 of those forests into Forest 1 Domain 1A over the next few years. Our SCCM 2012 server is in Domain 1A and we currently have clients from 2 other child domains in Forest 1. The request is to start getting the other forest workstations for forests 2, 3, and 4 as clients of our DOMAIN 1A SCCM server. The other forests have their own SCCM environments (2007 or 2012) that will be going away.
    1. Since the forest 2, 3, and 4 workstations have an SCCM client on them already, what would the path look like to get DOMAIN 1A's SCCM client installed? Uninstall the existing client and push the DOMAIN 1A SCCM client to them?
    2. Once we have the other forests' workstations loaded, will the domain change affect the DOMAIN 1A SCCM client that is installed on each of them when that time comes?
    3. Are we better off waiting and letting those forests manage their clients until the migration, rather than trying to install the SCCM client they will eventually have prior to them going through a migration to a new domain?

    How about subnets and the overlapping subnets issue?
    Since the SCCM environments are all separate and not aware of each other, would putting the other regions' subnets in DOMAIN 1A's SCCM boundaries affect those other regions' SCCM implementations or current clients?
    To me, I can't see that it would. The DOMAIN 1A SCCM server would just be able to see new boundaries and, once AD System Discovery was configured, it could see the new workstations from the other forests. We are currently not auto-installing the SCCM client in DOMAIN 1A and we use subnet IP ranges for boundaries.
    The other regions' SCCM servers and clients should be unaware of the fact that the DOMAIN 1A SCCM server has those subnets, and I don't think that discovery process would interfere, would it?

  • Multi-forest communication on same host

    I have a single Hyper-V host running on Server 2012 R2. On the host I have two domain controllers in separate forests. Domain A is connected to an external network and has the subnet 192.168.200.1/24. Domain B is connected to an internal network and has the subnet 192.168.25.1/24. How would I go about making the two domain controllers talk to one another using name resolution?
    John Marcum | Microsoft MVP - Enterprise Client Management | My blog: System Center Admin | Twitter: @SCCM_Marcum | LinkedIn: John Marcum

    Hi John,
    I would like to check if you need further assistance.
    Best Regards,
    Elton JI
    Thanks. I think I have it working.

  • Multi forest User discovery

    Hello All,
    I currently have a scenario where we have SCCM 2012 R2 sitting in domain A, forest A.
    We have another domain, domain B in forest B, that we also want to manage using our SCCM in Domain A.
    We have a one-way outgoing external trust from domain A towards domain B.
    This means that we can use resources from domain B in domain A.
    From my SCCM server in Domain A, I want to discover users in domain B.
    I've set up a new Active Directory Forest in the administration pane for domain B and have assigned a domain admin account from domain B as the connection account.
    In the Active Directory User Discovery method, I've added an entry for Domain B to discover users in an LDAP-specific path and have added that same domain admin account to discover the users in Domain B.
    However, when I run the Active Directory Forest Discovery method, the ADForestDisc.log displays the following:
    ERROR: [ForestDiscoveryAgent]: Failed to connect to forest DomainB.infra. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.
    The adusrdis.log displays the following messages:
    ERROR: Failed to read account (DomainB\FILIPADMIN) from site control file (0x87D20702)
    ERROR: Failed to enumerate directory objects in AD container LDAP://OU=USERS,OU=***NAME***,DC=DomainB,DC=INFRA
    I've added the domain suffix to the hosts file of my SCCM server, so it should be able to resolve the suffix.
    Can anyone help me on this?
    How can I get discovery going?
    Thanks!
    Filip

    Hello Jörgen,
    The issue is fixed in the meantime.
    The account I was using had an underscore in the netbios domain name.
    I updated this to the FQDN of the domain (domain_old\account -> domain.infra\account)
    Next I also found the following article from Anoop:
    http://anoopcnair.com/2013/05/23/configmgr-2012-tip-on-untrusted-forest-ad-system-discovery/
    I updated my discovery job to include one of the DCs and now it is working.
    For now, I have added the DC to the hosts file of the computer.
    How would you correctly set up name resolution?
    Kind regards,
    Filip

  • Questions on Multi forests scenario

    Hi All,
    One of our customers raised the questions below:
    Environment
    Forest A
    Domain (Contoso.com)
    User accounts
    Exchange 2010 + UM role
    Forest B
    Domain (Fabrikom.com)
    Lync 2013 server with EV enabled.
    We have Two way Trust and FIM in place.
    Questions
    Are there any restrictions on functionality when setting up User\Exchange in one forest and Lync in another forest with a two-way trust and FIM?
    With the two-way trust, can the permissions\access to resources and services in Forest A be restricted from Forest? And is this supported in the aforementioned design?
    Please advise.  Many Thanks.

    Hi,
    Based on my knowledge, it is a supported scenario to deploy User\Exchange and Lync Server in different forests.
    You need to establish a two-way trust between the resource forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the resource forest.
    Best Regards,
    Eason Huang
    Eason Huang
    TechNet Community Support

  • PCNS multi-forest config?

    Hi,
    Forest A contains FIM services, and a copy of the users from Forest B (via FIM provisioning).
    Forest B contains the users, and this is where users will change passwords from workstations.
    We would like passwords to replicate from Forest B to Forest A.
    Have set up a 2-way trust between the forests, and then:
    Have installed PCNS in Forest B only
    Then, ran the following in Forest A: setspn -A PCNSCLNT/DC1.ForestA.com ForestA\FIMSyncService
    Then, ran the following in Forest B: pcnscfg.exe ADDTARGET /N:FIMServer /A:FIM.ForestA.com /S:PCNSCLNT/DC1.ForestA.com /FI:"Domain Users" /FE:"Domain Admins" f:3
    Are the above steps correct?
    Thank you,
    SK

    Thanks Cameron... so in my example is this still correct:
    - setspn is run in forest A (where FIM is deployed)
    - pcnscfg is run in Forest B?
    Secondly, the article is a bit confusing: http://technet.microsoft.com/en-us/library/cc720654%28v=ws.10%29.aspx#bkm1
    there are 2 MA options below ... since I have an MA for Forest A & B, which option do I enable on which MA?
    Configure the Management Agent for Active Directory
    Because Active Directory is the only supported password source for password synchronization, all password change requests must be sent to MIIS 2003 by the Management Agent for Active Directory. Also, management agents that are targeted to receive password change notifications from the Active Directory domain must be enabled in the Management Agent for Active Directory.
    To configure the Management Agent for Active Directory to receive password change requests
    In Identity Manager, open Properties for the Management Agent for Active Directory.
    Select the partition from the list, and then, in Password Synchronization, select Enable this partition as a password synchronization source.
    Click Targets to display the Target Management Agents dialog box.
    Select the management agents to be the targets to receive password change notifications from the authoritative Active Directory domain.
    Optionally, under Specify maximum number of password changes for a 24 hour period, change the default setting, which is 5.
    Configure the Target Management Agents
    You now individually configure the management agents for the connected data sources that will receive password change notifications from the authoritative Active Directory domain.
    To configure a target management agent for a connected data source
    In Identity Manager, open Properties for the management agent that you want to configure.
    For Configure Extension, select Enable password management. This enables both password synchronization and the Windows Management Instrumentation (WMI) interface for the management agent.
    Optionally, click Settings to configure any of the following options:
    Maximum retry count – Specifies the number of times MIIS 2003 attempts to push a password change to the connected data source when there are connectivity errors.
    Retry interval (seconds) – Specifies how much time elapses between retry attempts.
    Require secure connection for password synchronization operations – Specifies that a secure connection to the connected data source is required before the management agent attempts to push a password change to that connected data source.
    If you do not select this option, the management agent pushes the password change to the connected data source regardless of the security level. Examples of secure connections are Secure Sockets Layer (SSL) and "Sign and encrypt LDAP traffic."

  • Multi forest LDAP and Extension mobility

    hello,
    We want to support the following configuration:
    MultiForest LDAP integration with CUCM 10.5.
    So we want to set the "LDAP Attribute for User ID" on UserPrincipalName (UPN). > [email protected]
    We also want to support Extension Mobility.
    Is there a way to make the login process easier than logging in with [email protected] and the PIN code?

    Unfortunately no, the EM process uses whatever you chose for userID for the login.

  • AD authentication to external AD - XI R2?

    Hi all,
    We have the following situation:
    1. BOE XI R2 installed and the server is a part of active directory A
    2. BO server using IIS as application server (not Tomcat)
    3. BO users working in active directory B
    4. A and B are not in the same forest
    5. A and B have LAN visibility, but trusting or restructuring A and B to be part of the same forest is impossible
    The task is to enable AD authentication (preferably over NTLM) on the BO server (AD A) against the users in AD B.
    The very scarce documentation from BO on this subject suggests/states that both ADs must be in the same forest. Unfortunately there are reasons which prevent us from placing these domains in the same forest.
    I think there should be some workaround, but can't figure it out. Any help will be greatly appreciated!
    Thanks in advance!

    We can work you around for 2 forests. Basically you should use AD for the local forest and LDAP-AD for the remote one. If you want SSO you will need a JAS and can use InfoView trusted auth for the LDAP users or SDK trusted auth .NET code (not recommended).
    SP1 for XI 3.0 will be our 1st version with true multi forest support. I'm not sure when it's going to be released (hopefully by the end of Q3 or early Q4) but we don't have an ETA right now.
    Regards,
    Tim
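The two principal-to-user-id mapping methods described in the CyberSafe reply in the "SPNego for multi-forest using IBM JDK" thread above (strip the realm and upper-case, or look the full principal up in a USRACL-style table) are written out below as an added example; it is not CyberSafe's, SAP's or any poster's code. The USRACL-style table is a constructed dict standing in for the ABAP table, and `find_collisions` is an added helper that shows why the simple method is only safe for a single domain (it is the same login-name clash raised in the "Multi-Forest LDAP Authentication" thread).

```python
"""Two ways of turning an authenticated Kerberos principal (user@REALM)
into a back-end user id, plus a check for clashes across realms.
USRACL_TABLE is a constructed stand-in, not a real SAP USRACL table."""


def simple_mapping(principal):
    """Simple mapping: drop the realm and upper-case the rest.
    user.name@DOMAIN1 -> USER.NAME (realm is lost, so DOMAIN2 collides)."""
    user, _, _realm = principal.partition("@")
    return user.upper()


# Constructed stand-in for a USRACL-style table: full principal -> user id.
USRACL_TABLE = {
    "user.name@DOMAIN1": "UNAME1",
    "user.name@DOMAIN2": "UNAME2",
    "jane.doe@DOMAIN2": "JDOE",
}


def usracl_mapping(principal, table=USRACL_TABLE):
    """Table mapping: the realm is part of the key, so no cross-realm clash.
    Returns None when the principal has no entry (no ticket should be issued)."""
    return table.get(principal)


def find_collisions(principals, mapper):
    """Return {mapped_id: [principals]} for every id that two or more
    distinct principals map to; unmapped principals (None) are ignored."""
    seen = {}
    for p in principals:
        seen.setdefault(mapper(p), []).append(p)
    return {uid: ps for uid, ps in seen.items() if uid is not None and len(ps) > 1}


def choose_user_id(principal, single_realm=None, table=USRACL_TABLE):
    """Use simple mapping only when the deployment is known to have exactly
    one realm; otherwise require a table entry. Returns None if unmappable."""
    _user, _, realm = principal.partition("@")
    if single_realm is not None and realm == single_realm:
        return simple_mapping(principal)
    return usracl_mapping(principal, table)


if __name__ == "__main__":
    # Constructed list of principals seen across two trusted realms.
    seen = ["user.name@DOMAIN1", "user.name@DOMAIN2", "jane.doe@DOMAIN2"]
    print("simple mapping clashes:", find_collisions(seen, simple_mapping))
    print("USRACL mapping clashes:", find_collisions(seen, usracl_mapping))
    for p in seen:
        print(p, "->", choose_user_id(p))
```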
