Network challenge - trusted domains

Within my organization, I have two domains, A and B. There is a Classic ASP web intranet application hosted on an IIS server in Domain B (Windows Authentication enabled, all other authentication modes disabled). As far as I know, A and B are in a Domain Trust relationship.
The problem here is, when users logged in to Domain A try to access the web application mentioned above, it prompts for the Domain B user id and password. My understanding is that since both domains are trusted, Domain A users should also be able to access the web application. Please suggest any possible reasons for this behavior.

The App Pool Identity seems to be one using Classic Mode, and it has "No Managed Code" selected. The application hosted is developed using Classic ASP.
This has nothing to do with the identity.
REF: Application pool identity
The site is not added in the IE trusted zones - we cannot do this on all client computers. I am looking for whether there exists some Active Directory/Network setting that displays this prompt.
You can do it with a GPO, but in the meantime you can do it manually on a client just for troubleshooting purposes.
REF: How to configure Internet Explorer security zone sites using group polices
Not sure whether the IIS host is trusted for delegation or not. Could you please let me know what it does?
Delegates IIS to request a Kerberos ticket on behalf of the user.
Some info here: http://www.adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx
This post is provided AS IS with no warranties or guarantees, and confers no rights.
~~~
This post provides no warranties and confers no rights.
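A client-side check for the zone question raised in this thread, as an added example that is not part of the original posts: by default Internet Explorer sends the logged-on user's credentials silently only to sites it maps to the Local intranet zone, so the script reports which zone a URL resolves to and which logon setting (registry value 1A00) applies. The URL is a placeholder, the hive order is simply the order this example checks, and it assumes Windows PowerShell 5.1.

```powershell
# Added example: run as the affected Domain A user in Windows PowerShell 5.1.
# The URL passed at the bottom is a placeholder, not a value from the thread.
function Get-IntegratedAuthZoneState {
    param([Parameter(Mandatory)][string]$Url)

    # Resolve the zone through the URL security manager that IE also uses.
    $zone   = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
    $zoneId = [int]$zone   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet

    # Value 1A00 is the zone's "User Authentication > Logon" setting.
    # This example checks policy hives first, then user and machine settings.
    $rel   = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
    $hives = "HKLM:\SOFTWARE\Policies\$rel", "HKCU:\Software\Policies\$rel",
             "HKCU:\Software\$rel",          "HKLM:\SOFTWARE\$rel"

    $logon = $null; $source = $null
    foreach ($path in $hives) {
        $v = (Get-ItemProperty -Path $path -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { $logon = [int]$v; $source = $path; break }
    }

    $meanings = @{
        0x00000 = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $meaning = if ($null -ne $logon -and $meanings.ContainsKey($logon)) {
        $meanings[$logon]
    } else {
        'Not set or unrecognized'
    }

    # Credentials go out without a prompt only for 0x00000, or for 0x20000
    # when the URL actually landed in the Local intranet zone.
    $silent = ($logon -eq 0) -or ($logon -eq 0x20000 -and $zoneId -eq 1)

    [pscustomobject]@{
        Url           = $Url
        Zone          = $zone
        LogonSetting  = $meaning
        SettingSource = $source
        SilentLogon   = $silent
    }
}

Get-IntegratedAuthZoneState -Url 'http://intranet.domainb.example/'
```

A result of `Zone = Internet` with `SilentLogon = False` for a fully qualified host name is the usual explanation for the credential prompt: names containing dots are not detected as intranet sites unless a zone assignment maps them there.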

Similar Messages

  • DNS/LDAP Issue for Trusted Domain

    Hi
    I'm trying to configure Configuration Manager 2012 R2 Forest Discovery to a trusted domain.
    Objects from the trusted domain (users/computers) show up in the Collections, but when I check under Administration\Active Directory Forests I can see Discovery Status "Failed to connect using default account" and Publishing status "Cannot Contact LDAP Server".
    I've added the SCCM server to local admin at the trusted domain via GPO and have also created the system Management container.
    When I check the log ADForestDisc.log I get this error message:
    "Failed to connect to forest X. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted."
    I have setup Conditional Forwarders in DNS in both domains.
    I have also read other forums about this issue and should have the answer:
    "This error occurs for all of the domains that you mentioned and is typical when SRV records for DCs in those remote domains cannot be found. Forest discovery relies on DNS name resolution of SRV records to locate a suitable DC to communicate with."
    "The site server performing the forest discovery must be able to resolve the SRV records for the DCs or root domain of the other forest."
    We are using Windows AD integrated DNS in both domains.
    I'm not so familiar with DNS configuration, so I would appreciate it if someone could tell me more specifically how to fix this.
    Thanks in advance

    Hi
    Thank you for your answer. This issue is solved. I had missed opening some ports in the router/firewall between the LANs.
    The status under Active Directory Forests is Succeeded now, but when I check under boundaries, I can only see the "Default-First-Site-Name" site for the first domain (same LAN as CM Server) and I can only see the IP address range for that LAN.
    I don't think this is a big issue, but shouldn't the site name and address range for the other LAN (where the trusted domain is) be automatically found too during forest Discovery when I've checked the options to create site and IP boundaries automatically?
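The SRV lookup and the port reachability described in this thread can be checked from the site server with the following added example (not part of the original posts). The forest name is a placeholder, and the port list is an assumption covering common Active Directory services, not a list taken from the thread.

```powershell
# Added example: run on the site server. 'forestx.example' is a placeholder.
function Test-ForestDcReachability {
    param(
        [Parameter(Mandatory)][string]$Forest,
        # Assumed port set: LDAP, Kerberos, RPC endpoint mapper, SMB, global catalog
        [int[]]$Ports = @(389, 88, 135, 445, 3268)
    )

    # DC locator record that forest discovery needs to resolve.
    $srvName = "_ldap._tcp.dc._msdcs.$Forest"
    try {
        # Keep only the SRV answers; additional-section A records have no NameTarget.
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.NameTarget }
    } catch {
        Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
        return
    }

    if (-not $srv) {
        Write-Warning "No SRV records returned for $srvName"
        return
    }

    # One row per domain controller and port, so a blocked port stands out.
    $dcs = $srv.NameTarget | Sort-Object -Unique
    foreach ($dc in $dcs) {
        foreach ($port in $Ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC        = $dc
                Port      = $port
                Reachable = $r.TcpTestSucceeded
            }
        }
    }
}

Test-ForestDcReachability -Forest 'forestx.example' | Format-Table -AutoSize
```

A failed SRV lookup points at DNS (forwarders or zone contents), while resolved records with `Reachable = False` rows point at the router or firewall between the LANs.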

  • OSD Across a Non-Trusted Domain

    Hello All,
    Thank you in advance for the help. I am trying to validate a configuration I would like to put in place for a client.
    The client has Configuration Manager 2012 set up to manage computers in a non-trusted domain with no MPs in the non-trusted domain. There are DPs in the non-trusted domain. The site runs in an https configuration for these clients. We have configured a subordinate CA in their forest that trusts the CA in the forest that hosts the ConfigMgr site servers and all certs are working fine.
    My question: Will OSD function correctly for computers in the non-trusted domain? Or do I need to have an MP in the non-trusted domain as well?
    Thanks!

    Hi Jason,
    Yes, you are correct - there are multiple HTTP MPs that are reachable from the non-trusted forest's computers on the Intranet. There is also an HTTPS MP in the DMZ which is reachable from the internal network as well (we use split-brain DNS for this). The DMZ MP in HTTPS mode can handle the requests from the non-trusted forest's clients and I envision DPs being configured in the non-trusted forest's domain in HTTPS mode to provide the DP service for the non-trusted domain's clients.
    One of the other respondents indicated that they believed this config would work as long as the client could reach a PXE enabled DP. I don't see a reason this won't work as well with a boot image with a cert on it or via Software Center, right?
    Does this configuration sound kosher?
    Thank you!

  • Windows 8 and Server 2012. Not detecting network is a domain.

    Hi Guys,
    I hope I have posted this to the correct forum.
    I have 2 x Windows 8 PCs that do not detect that they are connected to a domain (network location awareness not working). I can join them to the domain but they still don't recognise the network as a domain. Instead they identify it as "private".
    Other PCs on the network (Win XP and Win 7) work perfectly, just the Windows 8 machines don't work.
    Also, when I do join them to domain I also receive this message.
    "changing the Primary Domain DNS name of this computer to "" failed. The name will remain xxxx.local. The error was: the specified domain either does not exist or could not be contacted. "
    I have tried the following
     - DHCP and DNS have been tried both as static and dynamic (can ping DNS server which is the domain controller Windows Server 2012).
     - Updated PC NIC drivers.
     - No AV is installed on either server or PC.
     - Updated PC to windows 8.1.
     - Disabled both server and PC firewalls.
     - Check NLA service and all dependent services are running.
     - Disabled all adapters on server except for one.
    I am really hoping someone can help with this as I would really appreciate it.
    Thanks.
    Shaun

    Hi Guys,
    I managed to find a solution to the problem. I noticed that the DNS server zones did not look quite right. The _msdcs zone was missing the subfolders (dc, domains, gc, pdc).
    To fix this issue: on the NIC adapter I had to tick the box "register this connection's addresses in DNS" (found under TCP/IP v4 > advanced > DNS tab).
    I then had to remove the DNS role, reboot then re-add the role. Problem solved. Hopefully this saves someone else pulling their hair out for an entire day.

  • Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

    Hi,
    SharePoint 2010 Backup has been taken from production and restored through Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
    But the problem is that SharePoint is not working correctly. We cannot create any new web application, and cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and UserProfile Services of the existing web application are not working. Checking the SharePoint logs I found the below exception:
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Database                     
     8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Topology                     
     2myf Medium   Enabling the configuration filesystem and memory caches. 
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Database                     
     8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Topology                     
     2myf Medium   Enabling the configuration filesystem and memory caches. 
    11/30/2011 12:14:55.54  mssearch.exe (0x0864)                    0x2B24 SharePoint Server Search       Propagation Manager          
     fo2s Medium   [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes)  [indexpropagator.cxx:1607]  d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx 
    11/30/2011 12:14:55.99  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     75dz High     The SPPersistedObject with
    Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
    domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
    sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()    
    at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip... 
    11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     75dz High     ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
    persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
     2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
    sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
    T denyRightsMask)     at Microsoft.SharePoint.Administrati... 
    11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
     2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()    
    at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
    id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
    currentVe...
    Please guide me on the above issue, this will be of great help.
    Thanks.

    I have same error. Verified for trust , ports , cleaned up cache.. nothing has helped. 
    The problem is caused by User profile Synch Service:
    UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
    The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
    Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
    identifier, T grantRightsMask, T denyRigh...        
    08/23/2014 13:00:20.96*        w3wp.exe (0x2204)                      
            0x293C        SharePoint Portal Server              User Profiles                
            eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
    Please let me know if you found any solution for this.
    Regards,
    Kunal  

  • SQLServer Reporting Services 2005 Prompts for Credentials for a trusted domain user

    Currently the report is running in the domain AAA. Users in the domain AAA are using the report.
    Another new domain BBB and a user XXX have now been created, and BBB\XXX has been given Browser access. Domain AAA and BBB are trusted domains.
    After this, when the user BBB\XXX logs in and accesses the report, a credentials dialog is prompted before the report loads; once the credentials of BBB\XXX are entered, the report is loaded.
    Why does the report prompt for this additional credential dialog for the trusted domain user?

    Hello,
    Did you get two textboxes in the report parameter panel (on the left side of the "View Report" button)? The issue occurs when the credential of the datasource is configured with "Prompt for credentials". Please check if you configured the credential with "Stored Credential" of the datasource.
    Please refer to the following thread to configure the credential.
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/1564cd7a-6b7a-40f1-9f98-5c766ebfc63e/datasource-userid-and-password-being-asked-eachtime-when-report-is-generated?forum=sqlreportingservices
    Regards,
    Alisa Tang
    TechNet Community Support

  • Rd web showing all remoteapps when logging in with an account of a trusted domain

    we have a dmz with a separate domain. there is a one way trust to our local domain
    In the dmz domain there is a rdweb and rd gateway. When logging in with an account from the dmz domain in the rdweb it's all fine but when logging in with an account from the trusted domain all remoteapp's are shown
    all servers are 2012r2

    Hi sir,
    Please make sure your account has already added into your Pay-As-You-Go subscription as co-administrator role . If the account was not in your subscription please add it and try to login on from your VS again.
    If you always occurred this issue, you can try to download the publish file and import it into you VS, please follow this steps:
    http://azure.microsoft.com/en-us/documentation/articles/mobile-services-windows-how-to-import-publishsettings/
    Regards,
    Will 

  • Cannot share documents with few users in one way trusted domain

    Hello
    I am running into a weird issue. I set up people picker in SP 2013 foundation version to look up the user from one way trusted domains, after which I started getting all the users from that domain in my intranet. I can also share or modify the permission of users being administrator. However when I try to add 2 specific users as site collection administrator or try sharing a document, I get an error.
    I can look up their name but when I try changing their permission or sharing a document with them, I get an error. It's weird because it is only with these two users. There is no difference from the Active Directory point of view between these and other users. Please help or suggest some troubleshooting steps.
    Regards,
    Hardik Bhilota.

    Hi Hardik,
    What was the error message when sharing documents with the two users?
    Please also check the ULS log for detailed error message which is located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
    What is the permission of the two users in SharePoint site? Can they access the site?
    Please also run the two commands below to see if the issue still occurs:
    First, on every front-end Web server on a farm run this command:
    STSADM.exe -o setapppassword -password key
    Second, on a front-end Web server run this command:
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http:// webapp
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • Documentation on settings up DP, MP in non trusted domain USING HTTPS

    Is there any documentation that specifically talks about setting up a site system in a non trusted domain with management point and distribution point and communication using HTTPS.
    I see some examples but none of them talk about the certificates that are required on the DP and MP in the non trusted site server.
    Thanks Lance

    Hi Jason,
    I am stumped (and not a certificate guru) and not sure how to get certs based on the Config Manager Web Server template and Config Manager Distribution Client Template into the machine (Secondary MP/DP) that is in the untrusted domain. I hear you about the untrusted domain part not making a difference. Our secondary MP/DP in the untrusted domain does have the root certificate in the trust root store.
    I have tried MMC certificates, certreq and have tried to go directly to the CA (https://caserver/certsrv) but in neither case do the Config Manager Distribution Client nor Config Manager Web Server templates show up.
    Conversely in the domain that the CA Server resides,  I can request both of these certs in the MMC certificate plugin.
    I am certain I am missing something.
    We used this technet document to setup the certificate templates, etc.
    http://technet.microsoft.com/en-us/library/gg682023.aspx
    Thanks Lance

  • By default, which right has a user on a "external trusted" domain ?

    Hi,
    I would like to know what the rights are for users in DomA when a bidirectional external trust is in place with DomB?
    By default, the user in DomA is a member of "DomB\Domain User" (otherwise, how can the user in DomA list the users in DomB, for example?)
    Are there any specific things to know if DomB is in Win2000 compatibility domain/forest level?
    I know this resource https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx and this https://technet.microsoft.com/en-us/library/cc757352(v=ws.10).aspx but didn't find my answer.
    Thank you ! :)

    I've created many trusts in my day and they can get confusing... quickly...
    #1 Who is the "trusting Domain" (who is saying "yeah I, domA, will let DomB in the door")
    #2 Who is the "trusted domain" (who is "walking through the door (DomB)")
    *** I know you said "bidirectional" but it helps you visualize the "security trust" for what is actually required. **
    #3 Is that "Domain User" part of a Group? Is the Group Domain or Universal? Only certain types of groups can work across a trust.
    #4 Are you doing a domain level trust or a forest level trust? External trusts are "domain to domain". However the domains can exist in separate, non-related forests.
    If you do a two-way domain External trust -- Domain Users from DomA can access all the resources on DomB, if explicitly provided they have access to those resources. What I mean by that is if Domain User Doesn't have domain admin privileges in DomA, it won't get domain admin privileges to DomB and vice versa.
    This is where the trick is though. In a two-way domain External Trust -- All domain / enterprise admins in DomA will have domain /enterprise admin access in DomB and vice versa. They can grant themselves privileges to any servers and resources.
    This is why one way trusts are popular...because you only want to let one domain into the other domain. "big brother" type of trust.
    Kind of make sense?

  • Distribution/management point in non trusted domain

    Hoping somebody can clarify a situation for us on distribution points on a machine in a non trusted domain.
    We are assuming that this distribution point uses the same certificate that the primary distribution point uses.
    Is this correct? When we try this it says that the certificate is already in use and asks whether we want to continue.
    Thanks in advance.
    Thanks Lance

    Hi,
    Please configure the CEP/CES web service; the following blog is for your reference.
    https://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    Best Regards,
    Joyce Li

  • WDS does not start - 0x6fc Error Trusted Domain

    Hey guys,
    First of all, I am not a native speaker but hope that you can understand my English.
    In our environment we have two deployment servers, and since yesterday we cannot install clients because we cannot start the WDS service. Here is some information about our environment: both servers are virtual machines running Windows Server 2008 R2 Standard. The computers got the WDSServer role and MDT 2013. We installed hundreds of clients with them, but since yesterday the WDSServer service is not running. In the past we sometimes had problems with the Trusted Domain error, but the only thing I had to do was to rejoin the servers to our domain; this solution does not work yet.
    I found many solutions here in the forum or in other forums. The following solutions I already tried:
    - Rejoined the domain. Did not work.
    - Checked all trusted domains for problems. Deleted two trusted domains which are offline.
    - Ran dcdiag on our DC. Everything seems to be fine.
    - Added the WDSServer role on another server. Same problem here.
    In the event log I could find the following entries:
    Event ID 768: An error occurred while trying to initialize the Auto Add Policy.
    Event ID 261: An error occurred while trying to initialize provider BINLSVC loaded from C:\WINDOWS\system32\binlsvc.dll. If the provider is marked as critical the Windows Deployment Services server will be shutdown.
    Event ID 265: An error occurred while trying to initialize provider BINLSVC. Since the provider is marked as critical, the Windows Deployment Services server will be shutdown
    Event ID 513: An error occurred while trying to initialize provider WDSPXE from C:\WINDOWS\system32\wdspxe.dll. Windows Deployment Services server will be shutdown
    Event ID 257: An error occurred while trying to start the Windows Deployment Services server.
    Event ID 7024: The "Windows Deployment Server" service terminated with service-specific error:
    The error number is 0x6fc every time.
    We did not change anything in our domain or anything else. The only thing I have done was to add new drivers to our image on Monday, but then everything was fine with the deployment. We installed clients, and on Thursday morning both deployment servers crashed.
    I really don't know what I can do now. Does anybody have a solution for my problem or some ideas which could help me?

    Hi,
    This article provided a good troubleshooting guide:
    Enable WinLogon debug log, then refresh the policy, then find out the problem account name and policy.
    For more information you can refer to:
    Troubleshooting SCECLI 1202 Events
    http://support.microsoft.com/kb/324383
    Hope this helps.

  • SQl engine service account in different trusted domain from server?

    Is it possible to use an SQL service account from a different, but still trusted, domain than the one to which the server is joined?  If so, are there any nonstandard configuration settings I need to use?
    I've got this setup running, but when I try to connect with an account from any domain other than the one to which the server is joined, I get the following error:
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    I've created the SPN in the service account's domain, and verified there is both connectivity and a valid trust relationship.  The users I'm testing also have logon permissions for the server.

    Hi AccuMegalith,
    Firstly, it is possible to use an SQL Server service account from a different, trusted domain. We need to note the following configuration.
    For more details, please review this article: Security Account Delegation.
    1. The service account must be trusted for delegation on the domain controller.
    The following options in Active Directory Users and Computers must be specified in order for delegation to work:
    • The Account is sensitive and cannot be delegated check box must not be selected for the user requesting delegation.
    • The Account is trusted for delegation check box must be selected for the service account of SQL Server.
    • The Computer is trusted for delegation check box must be selected for the server running an instance of Microsoft SQL Server.
    2. The service account must have SPNs registered on the domain controller. If the service account is a domain user account, the domain administrator must register the SPNs.
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    Secondly, regarding the above error message, it means that SQL Server was able to authenticate you, but wasn't able to validate with the underlying Windows permissions.
    It could be caused by the Windows login having no profile or by permissions that could not be checked due to UAC. Please perform the following steps to troubleshoot this issue. For more details, please review this blog.
    1. Run SQL Server Management Studio (SSMS) as administrator and disable UAC.
    2. Check if that login is directly mapped to one of the SQL Server logins by looking into the output of sys.server_principals.
    3. If the login is directly mapped to the list of available logins in the SQL instance, then check if the SID of the login matches the SID of the Windows Login.
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • Full mailbox access from trusted domain

    I have an issue with users unable to login to OWA or ActiveSync using trusted domain credentials. I have two forests, FOREST A and FOREST B. I have a 2-way forest trust between them. I have migrated users from FOREST A to FOREST B, but their mailboxes need
    to stay in FOREST A for the time being.
    I have added Full Mailbox access for their FOREST B accounts, as well as Send As permission.
    Outlook accesses their mailboxes no problem, with no security credential prompts. Sending is also fine. However, OWA and ActiveSync will not accept their FOREST B login credentials, I get the following error:
    The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted,
    or because you don't have the correct permissions.
    I have a single Exchange 2010 SP2 server in FOREST A. All roles are on this server.
    Why would Outlook clients work but OWA and ActiveSync are failing? Things I have checked:
    DNS suffixes for trusted and trusting domain are set on the Exchange Server
    Trust is in place and functional
    Outlook clients work fine using FOREST B accounts
    Changed OWA authentication options between UPN / Domain\User / logon name only - no options worked
    Checked time sync between DC's and Exchange
    Any ideas?? Thanks.

    Hi Bobby4300,
    Great checklist from Martin.
    Please try following links to set the msExchMasterAccountSID attribute in the Active Directory Account Forest, for your reference:
    http://www.msexchange.org/articles-tutorials/exchange-server-2003/management-administration/Understanding-External-Associated-Account-Windows-Server-2003-Exchange-2003.html
    Additionally, the best way is to configure linked mailboxes. This is a mailbox associated with an external account. For more details about Create a Linked Mailbox, please refer to:
    http://technet.microsoft.com/en-us/library/bb123524(v=exchg.141).aspx
    Best regards,
    Allen Wang

  • Authenticate users from a trusted domain

    Greetings,
    I have two domains, A & B.  Domain A hosts all our user accounts; A\domain users.  In Domain B we host our applications, ie, exchange, IIS, SharePoint.
    I would like to have the default authentication into sharepoint be from users in Domain A using standard claims NTLM.
    Domain B trusts Domain A (1 way)
    Is this possible? How?
    Thank you

    Hello Trevor,
    Thank you for your help.
    I have run the People Picker Tester and found that I am able to connect to the following ports:
    CONNECTED
    tcp/389
    tcp/686
    tcp/135
    tcp/139
    tcp/3268
    tcp/445
    and FAILED to connect to
    tcp/137
    tcp/138
    tcp/3269
    tcp/53
    tcp/749
    tcp/750
    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
    With my new web application and site collection I cannot see any domain A users, although I have not run the two stsadm commands yet, should I be able to or do I need to run the two stsadm commands you previously mentioned?
    My next question is around the two stsadm commands.
    The first command:
    stsadm -o setapppassword -password "SomeValue"
    1) What am I actually doing here? 
    2) Where will this password be used?
    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
    The second command:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl
    1) is this command setting my default people picker domain search to Domain A accounts?
    2) for testing I'm going to use my domain a account in the command, is that acceptable?  It just needs to be an account in domain A, correct?
