Windows Authentication - Different Domain

Hi:
I am trying to figure out if there is a way to connect via SQL Server Management Studio to a server sitting on a separate domain. So here is the situation. There is Server B, which sits in a domain called DomainB. If I am in DomainA, I could typically remote into that server utilizing an IP address in DomainB, and even transfer files to that server. But how do I connect via SQL Server Management Studio (basically log in as a different domain user) to Server B in DomainB from DomainA? Basically, when I choose Windows Authentication from the dropdown list in SQL Server Management Studio, it grays out the username field, which is where I could type something like this: domainB\usernameondomainB, similar to how you would connect to a share on that server. Please let me know if there is a possible solution to this. Also, our customer does not allow SQL Server Auth/Logins, so that is not an option. Thanks.

 Raul Garcia - MS wrote:
  The reason why the user name/password fields are unavailable in SQL Server Management Studio is because it will use the current Windows token (i.e. the interactive user credentials) to establish the connection.
   If you want to use different credentials you will need to impersonate the different principal in Windows (i.e. RunAs) before running Management Studio.
  I also recommend posting tool related questions in the tools forum (http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=84&SiteID=1).
  I hope this information will help.
  -Raul Garcia
  SDE/T
  SQL Server Engine
Raul.
I have exactly the same problem, but the solution that you are giving doesn't solve the problem.
I can't run Management Studio with RUN AS as a member of domainB if I'm on a machine that is a member of domainA.
Is there any way I can modify Management Studio to ENABLE the login and password so I can enter the domain using WIN AUTHENTICATION?

Similar Messages

  • How to resolve a windows authenticated orphaned user in Sql Server 2008 R2?

    Hi,
     We have some orphaned Windows-authenticated users (domain) in the database after it was
    migrated from SQL Server 2005 to SQL Server 2008 R2, because there are no corresponding
    logins for the users. Would just adding the logins be sufficient, or after adding the
    logins should we also run sp_change_users_login @Action='update_one' to resolve any SID
    conflict? Thanking you in advance,
    With regards
    Binny Mathew

    Binny
    You have an issue with orphaned users if you use Mixed Authentication.  If you use Windows and move the db to the new server, the Windows Login should exist on the new server already.
    Best Regards,Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/

  • Windows Authentication and Zenworks Problem

    I have Zenworks 6.5.1.0 on my desktop. I make my computer part of our
    win2k3 domain. When I try to connect to sql server through the client
    tools using windows authentication the domain name doesn't show up
    correctly. It will show up as the computer_name/username instead of
    domain/username. This is also a problem for trying to setup applications to
    use windows authentication instead of sql server authentication.
    If I uninstall zenworks the problem goes away. Nevertheless, this isn't a
    solution. I would appreciate any info you can give.

    OK, here is what I would do pending more input from you...
    1) Set up IDM (Identity Mgr) to synch all E-Dir IDs into the Domain.
    (You should have this product for free if you have Maint on ZEN or NetWare.)
    2) On all PCs in the Domain, push this key to block the use of DLU.
    Now every user will be able to use any PC.
    If the PC is in the Domain, they will use domain authentication.
    If the PC is not in the Domain, they will use DLU to log in automatically.
    craig wilson wrote:
    > There is no reason they can't authenticate afterwards to the domain.
    > The users would just need to provide their ID/Pwd.
    >
    > Do all of your NDS Users have AD Accounts?
    > Are the Passwords Synched?
    > How big is this network? How far along is the Domain deployment?
    >
    >
    > [email protected] wrote:
    >> Is there an option to setup the users to have dynamic local user so they
    >> can login to any workstation, but also be able to use windows
    >> authentication? I think the solution might work below since right now
    >> I am
    >> only wanting to do this for one workstation in particular, but it would
    >> really be great to be able to use windows authentication through out all
    >> custom built apps.
    >>> Somebody has defined a "DynamicLocalUser" policy with Zenworks.
    >>> This causes any attempt to logon to the domain to be over-ridden and a
    >>> local account is created and used on your PC.
    >>>
    >>> In general these "DLU" policies are used in non-domain environments.
    >>>
    >>> If you want to disable "DLU" on your workstation.....
    >>> See http://support.novell.com/docs/Tids/.../10071463.html
    >>>
    >>>
    >>>
    >>> [email protected] wrote:
    >>>> I have Zenworks 6.5.1.0 on my desktop. I make my computer part of our
    >>>> win2k3 domain. When I try to connect to sql server through the client
    >>>> tools using windows authentication the domain name doesn't show up
    >>>> correctly. It will show up as the computer_name/username instead of
    >>>> domain/username. This is also a problem for trying to setup
    >>>> applications to
    >>>> use windows authentication instead of sql server authentication.
    >>>> If I uninstall zenworks the problem goes away. Nevertheless, this
    >>>> isn't a
    >>>> solution. I would appreciate any info you can give.
    >>>
    >>> --
    >>> Craig Wilson
    >>> Novell Product Support Forum Sysop
    >>> Master CNE, MCSE 2003, CCN
    >>
    >
    >
    Craig Wilson
    Novell Product Support Forum Sysop
    Master CNE, MCSE 2003, CCN

  • SQL Windows Authentication with Login of AD Group 'Domain Admins'

    Having a bit of a difficulty with Microsoft SQL Server 2012 windows authentication integration...
    The server is setup to have Windows authentication used as its means of login authentication. No issues with this other than a strange error that occurs on multiple SQL servers in our domain: 
    When a login is created for domain group "[domain]\Domain Admins", users within this AD group cannot connect to the SQL server through the Management Studio. The error that SQL server gives is Error 18456, State 11, i.e. "Valid login but server access failure".
    However, when a different AD group is added as a login (like [domain]\[group]), users from this group can successfully log into SQL server. It seems that adding any other group, even groups from a different domain, grants successful authentication as I would expect EXCEPT the AD group 'Domain Admins'.
    Is there some restriction/security feature at play here on this AD group that makes using the 'Domain Admins' group as a login not possible? 
    Andrew

    Yes, this group was removed and readded just yesterday to try to fix the issue.
    Here is the output of the command:
    class  class_desc  major_id  minor_id  grantee_principal_id  grantor_principal_id  type  permission_name  state  state_desc
    105    ENDPOINT    2         0         2                     1                     CO    CONNECT          G      GRANT
    105    ENDPOINT    3         0         2                     1                     CO    CONNECT          G      GRANT
    105    ENDPOINT    4         0         2                     1                     CO    CONNECT          G      GRANT
    105    ENDPOINT    5         0         2                     1                     CO    CONNECT          G      GRANT

  • Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

    Hi there,
    I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
    instances.
    A domain account "Domain\Login" is administrator on both physical nodes and "sysadmin" on both SQL Server instances.
    Currently both instances are running on the same node.
    While logging on to SQL Server instance 2 through "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past as well, but the issue was resolved after installation of SQL Server 2008 R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
    Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
    Please help resolve the issue.
    Thanks,
    AY

    Hello,
    I confirm that I encountered the same problem when the first domain controller was down!!
    During a restart of the first domain controller, I tried to fail over my SQL Server instance to a second node; after that I was able to authenticate with a SQL Server Login, but a Windows Login returned Error 18452!
    When the first DC finished restarting, everything was OK!
    The question here: why doesn't the cluster instance use the second DC???
    Best Regards     
    J.K

  • "Windows Authentication Mode" when SQL Server 200 and CF on different machines?

    Hi All,
    I have been struggling for two days with the following problem, and still I
    have not been able to get rid of it.
    I have installed SQL Server 2000 on machine which is my
    server (windows 2003 server) and this machine is my domain
    controller. I have user “ABC” user and I have added
    this user in administrator group.
    I have another machine where OS is Windows XP and CF 7 is
    installed. I create an ODBC Connection from Administrative Tool to
    my Database (windows 2003 server) successfully.
    Now when I create a Data Socket in ColdFusion Administrator and
    select the ODBC that I had created and submit it,
    CF admin throws the following message.
    Connection verification failed for data source: myTest
    java.sql.SQLException: [Macromedia][SequeLink JDBC
    Driver][ODBC Socket][Microsoft][ODBC SQL Server Driver][SQL
    Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
    Please Brother, I don’t have any Clue to solve it,
    Please help.
    One Important thing, All this working fine if my CF, and SQL
    Server are on same machine.
    Best regards,
    Shahid

    Hi Phil, thanks,
    Finally I was able to figure it out... following are the
    steps...
    I assume domain controller is properly configure.
    Following are the steps for the machine where SQL SERVER 2000
    is installed
    1- We need to create Login account for your domain account in
    SQL Server 2000 using Enterprise Manager.
    • Right Click -> New Login
    • Click to load the domain users, select any user from
    your domain that will connect to your SQL Server from LAN.
    Following are the steps for the machine where ColdFusion and
    IIS are installed.
    Step No. 1
    Stop ColdFusion MX.
    Backup your existing macromedia_drivers.jar file.
    Unzip macromedia_drivers.zip into the same directory,
    overwriting the previous
    macromedia_drivers.jar.
    You can download “macromedia_drivers.zip” from
    following URL
    http://kb.adobe.com/support/coldfusion/ts/documents/1a3c2ad0/macromedia_drivers.zip
    A new file, DDJDBCAuth03.dll, which is required for Windows
    Authentication, is also included in the zip file replacing the
    older DDJDBCAuth.DLL.
    Restart ColdFusion MX.
    ColdFusion MX loads the JDBC drivers in macromedia_drivers.jar
    in the directory cf_root/lib. For example, with ColdFusion MX 7
    Server Configuration on Windows installed on drive C:, this would
    be C:\CFusionMX7\lib\macromedia_drivers.jar.
    Then restart Machine
    Step No. 2
    Configure all the ColdFusion Services to “Log On
    As” using the Domain User Account configured in SQL Server in
    the above mentioned step.
    Change the “Log On As” similar for the all other
    Cold fusion services (ColdFusion MX 7 ODBC Agent, ColdFusion MX 7
    ODBC Server, ColdFusion MX 7 Search Server).
    Step No. 3
    Restart the services; for the safe side reboot the system.
    Step No. 4
    Create ODBC (Control Panel -> Administrative Tool ->
    Data Sources (ODBC)) using the windows NT Authentication option to
    connect to database.
    Step No. 5
    Create Data Socket and Select the created ODBC connection in
    the Drop down (ColdFusion-> Admin)
    Thanks to all who participated in this discussion...
    With lots of Thanks to All particular to Phil who guided me
    in right direction,
    Shahid

  • The kerberos PAC verification failure when all users of only one RODC Site, trying to get access iis webpage of different site using Integrated Windows Authentication

    The kerberos PAC verification failure when all users of only one Site which having only one RODC server(A), trying to get access iis webpage of different site which having WDC server(B) using Integrated Windows Authentication. But when they accessing the
    website using IP address, it is not asking for credentials as I think it is using NTLM Authentication at that time which is less secure than Kerberos.
    Note that:- All user accounts and Computers of the RODC has been allowed cache password on the RODC. Nearest WDC for the RODC (A) is the WDC (B).
    The website is hosted on a windows server 2003 R2 and generating below system event log for those users of the RODC site :-
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 7
    Date: date
    Time: time
    User: N/A
    Computer: computer_name (the 2003 server)
    Description: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client computer_name in realm realm_name had a PAC which failed to verify or was modified. Contact your system administrator.
    This issue has been raised for last one week. Before that everything was fine. No Group Policy changed, Time also same.
    In this situation do I need to do Demotion of the RODC and re-promote it as RODC again  or is there any other troubleshooting to resolve it.
    Thanks in advance
    Souvik

     Hi Amy,
    Thanks for your response
    I noticed that Logon server could become incorrect again after user re-login or restart of a workstation.
    It seems root cause is different.  Need a permanent solution.
    The Workstations of the RODC site are getting IP from a DHCP server by automatic distribution of IP from a specific subnet for the site only.  The RODC is
    the Primary DNS server for the site.
    I have checked the subnet and it is properly bound with only with that AD site. The group of users and workstations are in the same site AD organisational Unit.
    Sometimes I restarted the NET LOGON service and DNS server service on the RODC server and sometimes rebooted the server. But the Logon server issue has not been fixed permanently.
    The internal network bandwidth of the site is better than the bandwidth to communicate with other site.  
    The server is Windows server 2008 R2 standard and hosting the below roles
    RODC
    DNS
    File server
    The server performance is Healthy in core times when maximum users usually logins. 
    Any further support would be much appreciated Amy
    Thanks
    Souvik

  • Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

    Hello,
    I have gone through couple of posts regarding this issue but couldn't get the right solution. Could you please help what exactly we are missing here.
    Details:
    1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
    2) Both instances are configured to accept SQL+ Windows authentication.
    3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    Note: (Being a sys + windows admin I'm able to connect both the instances from same client machine without
    any issues)
    4) Also, we observed following error in windows application event log,
     SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
    The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
    5) If we create SQL login it is working fine without any issues.
    Could someone guide/help  me identifying and fixing this issue.
    Thank you

    Hello,
    Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
    Could you try to delete one of the Windows logins that fail to login , and try to recreate them?
    The following resources may help:
    http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
    http://support.microsoft.com/kb/555332
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • Authentication needed after doing trust between two different domains.

    Hi There,
    I have a problem after I set up the trust relationship between two different domains in two different forests. In the trust relationship steps everything is working: two-way trust, with external trust, stub zones created on both domains, and they are validated on both sides.
    My problem is with the objects: they can't be retrieved from one side, but they can be from the other side. For instance:
    NY domain can get the users and computers of 2012DC1 
    but 2012DC1 can't get the users and computers of NY
    Date and time are the same. I am always getting this error:
    The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer.  
    USER ACTION  
    If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'test.com.' is a legitimate machine account
    for the computer '2012DC1' then '2012DC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise,
    the following steps may be taken to resolve this problem:  
    If 'test.com.' is a legitimate machine account for the computer '2012DC1', then '2012DC1' should be rejoined to the domain.  
    If 'test.com.' is a legitimate interdomain trust account, then the trust should be recreated.  
    Otherwise, assuming that 'test.com.' is not a legitimate account, the following action should be taken on '2012DC1':  
    If '2012DC1' is a Domain Controller, then the trust associated with 'test.com.' should be deleted.  
    If '2012DC1' is not a Domain Controller, it should be disjoined from the domain.
    Can you please help me in this error.
    Thank You in advance.

    Hello,
    "The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer. "
    This belongs to the machine 2012Dc1 in test.com and not to the other domain from your trust. Seems for me that you mix the trust with the problems of the machine 2012DC1 in test.com.
    In this error message 2012DC1 has lost the trust to its OWN domain and therefore you have to find the reason. How exactly was this machine installed?
    Or was there a restore on that machine from not supported type of backup like image/clone/snapshot?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Windows Authentication Kerberos - Logon with different windows user

    I've successfully set up Windows Integrated Authentication/SPNego/Kerberos logon on my portal.  Now when I launch the portal from a workstation I am logged on automatically with my Windows userid without needing to provide userid and password again - very happy!
    When I press logoff the portal returns to the logon screen, sees that I've got a kerberos ticket, and logs me straight back on!  Not happy!
    As an administrator or as a super user, it is sometimes necessary to log on with an administrative userid or to visit an end user and log on as myself on their workstation.  Therefore, I need a mechanism to override the automatic logon and force a basic password prompt screen.
    As I understand it I can achieve this by creating a special iView with its own authscheme which does not use SPNego.  I could either point the logoff redirect url setting to this iView or I could simply enter the quicklink for the iView in the browser.  Will this circumvent the automatic logon and, if so, is there anything special I need to do to achieve this?
    I had hoped to use the standard logon screen as the iView.  I've got that stored in a par file (along with my corporate icons and a link to local help files).  I uploaded the par file through system administration - support - portal runtime - administration console and thought I might be able to see that when I created a portal component iView but it's not visible.  Should it be?

    When I need to logon as a test user, I find it easier to disable the integrated Windows authentication in the browser. You can do that in the menus, but I change the registry. Create two text files (e.g., DisableKerb.reg and EnableKerb.reg)
    Disable.reg:
    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "EnableNegotiate"=dword:00000000
    Enable.reg:
    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "EnableNegotiate"=dword:00000001
    Then just double-click to change your authentication mechanism.
    Regards,
    Sean

  • Slowness Issues with Windows Authentication in SharePoint Foundation 2010 sites

    All, 
    We are having a strange issue with SharePoint Foundation 2010 sites where sites load very slowly when accessed via Windows-based authentication, whereas the extended sites in forms authentication load normally.
    There were no error logs or even SharePoint logs, except that the images are showing different load times.
    Attached are the patches that were updated to the server that may be the issue, but not sure. Can someone please share your thoughts?
    SQL connectivity b/w the servers is good. There are no n/w issues except that the users are using the sites with a different domain other than the domain in which the servers were hosted.
    There is a trust b/w the two domains. This was never changed and there were no issues in the last 2 years.
    Thanks, keshav, SharePoint Developer

    we do have trusted domains
    Inder : It would be better if you run that command again now.
    Inder: How many AD server do you have
    Inder: Do you notice the login request go to nearest AD server. 
    and https sites. Please share your thoughts.
    Inder: All the certificates have intermediate certificates. You need to log on to each SP server and install
    these certificates on trusted root authority 

  • Run commands on remote Hyper-V host in different domain/network with powershell

    Hi experts,
    My Setup: Windows Server 2012 R2 / SCVMM 2012 managing localhost and other Hyper-V hosts
    I need to run a script on the remote Hyper-V Host which is in different domain/workgroup using powershell.
    I have tried
    Invoke-SCScriptcommand cmdlet. But I am getting the below error
    Error (2917)
    Virtual Machine Manager cannot process the request because an error occurred while authenticating MY-PC-15.mydomain.local. Possible causes are:
    1) The specified user name or password are not valid.
    2) The Service Principal Name (SPN) for the remote computer name and port does not exist.
    3) The client and remote computers are in different domains and there is not a two-way full trust between the two domains.
    The network path was not found (0x80070035)
    I tried the 'Run Script Command' option in the Host tab in VMM. But getting the same error.
    Checked that it uses the 'Invoke-ScScriptcommand' PS cmdlet.
    Could someone explain how to run scripts on remote Hyper-V host in different Domain/Perimeter network ?
    Regards,
    Saleem

    Hi Saleem,
    Please try to follow the article below regarding using the command "enter-pssession" across domains:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/f60a29ef-925e-4712-9788-1f95e12c8cfc/forum-faq-introduce-windows-powershell-remoting?forum=winserverpowershell
    (I tested it in my lab )
    Best Regards,
    Elton Ji

  • PEAP authentication for domain & non-domain computers

    Hello Everyone,
    Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently a part of the security group attached to the Wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
    We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1x EAP authentication to NPS running on windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
    "AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
    By examining this log entry, to me it says the domain profile on the computer is being sent to the NPS for authentication instead of the username and password. We have a  3rd party SSL certificate installed on the NPS server. 
    Taking it one step further - We have a second SSID for guest users that is configured with the same setup except that the NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a vbscript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network and I'm starting to think the machine authentication is a problem. 
    Any suggestions would be greatly appreciated.
    Thanks,
    Ali.

    Hi Ali,
    That’s all part of the wonderful world of wireless on Windows.
    When a connection to a WLAN is made on a Windows machine by selecting it from the available Wireless Networks list (Passive RF Scan), and Windows has parsed the 802.11 AP Beacon to contain the WPA2, 802.1X element, by default it will attempt to connect with known or active session credentials.
    Typically it will be the Machine account (they all have them whether on a Domain or not) and then/or User. This order and preference may change depending on version of Windows (Vista to Windows 8) and service pack level.
    Regardless, the only thing you can count on for sure is that the first authentication attempt from a Windows client will not involve the user entering information. Once the first attempt fails, the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may not be noticed by the user. It may or may not stay for more than 5 seconds.
    Windows XP and Vista were the worst for this. Windows 7 and Windows 8 this process and recovery and user prompt mechanism is greatly improved but not infallible.
    The only way to avoid this would be to manually configure the WLAN profile on the windows machine as you are currently doing.
    Mobile phones and tablets don’t have this issue because of the software coding in their supplicants. Besides, the only “system” credentials on an iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won’t be accepted for network access by default anywhere.
    There isn’t an easy way to support non-domain windows systems on a domain integrated one.
    You might want to try adding another SSID.
    You could have a corporate SSID, Guest Portal and a third that is PSK + Guest Portal. On NPS you could filter for the RADIUS attribute called-station-id (includes SSID) to allow all domain IDs access instead of just that WLAN.
    Or you could look at swapping out NPS for a Cisco ISE VM/appliance with the new Plus licenses add lower cost for onboarding devices and Windows XP and up are supported for supplicant configuration via ISE.

  • Transactional Replication configure into different domains

    Hi team,
    We have two domain, we need actual data immediate from domain one to domain two.
    In this scenario we are planning to configure transactional replication from domain one to domain two.
    How to configure the transactional replication for different domains.

    Replication across non-trusted domains or workgroups can be done using SQL Authentication end to end or you can use Windows Authentication by configuring pass-through authentication.
    Pass-through authentication can be configured by creating a local Windows account on both the Publisher and Subscriber that has the same username and password.  Use this account for the replication agent process account and have the connections to the publisher, distributor, and/or subscriber impersonate this account. Ensure the account has the permissions required in Replication Agent Security Model.
    This approach is covered in the section Use Windows Authentication to Set Up Replication Between Two Computers Running SQL Server in Non-Trusted Domains in HOW TO: Replicate Between Computers Running SQL Server in Non-Trusted Domains or Across the Internet.
    Brandon Williams

  • Mapping users coming from different domain in AD

    HI,
    We have configured vintela SSO which is working.Now we are trying  to add another domain but it has been unsuccessful.
    We have imported the users coming from other domain in CMC->AD, and UseFDQNDirectoryForServers parameter in registry.
    The issue is our complex krb5.ini errors as "cannot find kdc for realm" for the user account coming from the other domain.The existing domain kinit is successful.
    Please help in resolving this issue!!! We need to have users coming from different domain to use vintela SSO.
    Thank you.

    well you're mixing things up a bit.
    The usefqdnfordirectoryservers is used to map in groups. If the groups show up as well as the users that piece should be complete.
    The krb5.ini is for logging in users manually; it must contain the KDC for every domain that may contain users that need to log into BO. It also must have a KDC or capath entry to define all the parent domains as well (even if they do not have members that need to log in). This is how the krb5 is used to verify transitive trusts. Then all users that are not in the default domain must log on as username@ DNSDOMAIN.COM where the DNS domain is entered in all caps and represents the FQDN of the domain the users belong to. Now if not logging in manually this should be a big problem.
    So for SSO (vintela anyway) this process is automatic, although you may want to configure vintela with site information so it doesn't randomly use all your DCs. Site can be set following the steps at the end of business objects note 1261835 (complete and vintela only editions).
    In order for vintela to work properly the value entered in CMC > Authentication > Windows AD > service principal name must = an SPN that was created on the account that is running the SIA/CMS
    Regards,
    Tim
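
An added example, not part of the reply above or of any Business Objects tooling: a small Python check for the two conditions the reply describes for manual logon, namely that krb5.ini lists a KDC for every realm users log on from and that users outside the default realm give the realm in upper case. The realm names, host names and the `check_logon` helper are constructed for illustration.

```python
import re

# Constructed sample: only the default realm is defined, which is the state
# that produces "cannot find kdc for realm" for users of the second domain.
BROKEN_KRB5_INI = """\
[libdefaults]
    default_realm = DOMAINA.EXAMPLE.COM

[realms]
    DOMAINA.EXAMPLE.COM = {
        kdc = dc1.domaina.example.com
    }
"""

# Constructed sample: the second domain and the shared parent domain each get
# a [realms] entry, and [capaths] names the parent as the hop between them.
FIXED_KRB5_INI = """\
[libdefaults]
    default_realm = DOMAINA.EXAMPLE.COM

[realms]
    DOMAINA.EXAMPLE.COM = {
        kdc = dc1.domaina.example.com
    }
    DOMAINB.EXAMPLE.COM = {
        kdc = dc1.domainb.example.com
    }
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }

[capaths]
    DOMAINB.EXAMPLE.COM = {
        DOMAINA.EXAMPLE.COM = EXAMPLE.COM
    }
"""


def parse_krb5(text):
    """Parse the [section] / NAME = { key = value } layout into nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})       # start of a realm block
            elif block is not None:
                block.setdefault(key, []).append(value)   # kdc may repeat
            else:
                section[key] = value
    return sections


def check_logon(text, logon_name):
    """Return the problems that stop logon_name from resolving to a KDC."""
    conf = parse_krb5(text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    _user, _, realm = logon_name.partition("@")
    realm = realm or default          # no @REALM means the default realm
    if not realm:
        return ["no realm in logon name and no default_realm set"]
    problems = []
    if realm != realm.upper():
        # Kerberos realm names are case-sensitive; AD realms are upper case.
        problems.append(f"realm must be upper case: {realm}")
    entry = realms.get(realm)
    if not (isinstance(entry, dict) and entry.get("kdc")):
        problems.append(f"cannot find kdc for realm {realm}")
    return problems


if __name__ == "__main__":
    for name in ("alice", "bob@DOMAINB.EXAMPLE.COM", "bob@domainb.example.com"):
        print(name, "broken:", check_logon(BROKEN_KRB5_INI, name))
        print(name, "fixed: ", check_logon(FIXED_KRB5_INI, name))
```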
