Have you tried changing your client approval method to automatically approve 
all computers so that the untrusted client could talk to the trusted MP?

From: [email protected] [mailto:[email protected]] On 
Behalf Of Spinelli, Robert J
Sent: Tuesday, June 25, 2013 4:07 PM
To: [email protected]
Subject: [mssms] SCCM 2012 - MP Forest Affinity

If you have the following:

001 site which is in the trust.com domain
2 MPs
MP1 is part of trust.com domain
MP2 is part of untrusted.com domain (so no trust exists between trust.com and 
untrusted.com)

When a client called Client1.Untrusted.com does an MP Lookup it will use forest 
affinity and use MP2.Untrusted.com as its MP.

The issue I'm trying to figure out is when you look at IIS there are 4 
directories:

CCM_System
CCM_System_WindowsAuth
SMS_MP
SMS_MP_WindowsAuth

CCM_System and SMS_MP have anonymous authentication enabled and 
CCM_System_WindowsAuth and SMS_MP_WindowsAuth have anonymous authentication 
disabled.

It looks like when you're targeting any user based policy, the client uses 
Windows Authentication to get the policy info from CCM_System_WindowsAuth.  If 
client1.untrusted.com is using MP2.untrusted.com, no issue getting the user 
policy to the client1, but if MP2.untrusted.com is down and client1 is using 
MP1.trust.com, it can't authenticate to CCM_System_WindowsAuth virtual 
directory since there is no trust between MP1 and Client1, so the user based 
policy won't make it to Client1.  I did try to enable anonymous authentication 
on both CCM_System_WindowsAuth and SMS_MP_WindowsAuth and that totally broke my 
MP, and I had to change it back so my client could communicate with it again.

Am I doing something wrong, or do you need to ensure that an MP that is trusted 
with the client is always up for user based deployments / policies to succeed?

Thank you.

Robert Spinelli | CTS | GTI | 575 Washington Boulevard, Jersey City, NJ, 07310, 
United States| T: +1.201.595.6820 | C: +1.917.538.6192 | 
[email protected]<mailto:[email protected]>
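
A read-only check of the IIS authentication settings described in the message above, as an added example that is not part of the original thread. It assumes the MP applications are hosted under "Default Web Site" and that the WebAdministration module is available on the MP; the function name Get-AuthEnabled is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of anonymous
# authentication on the four MP virtual directories named above.
Import-Module WebAdministration

# Assumption: the MP applications are hosted under the default IIS site.
$site = 'Default Web Site'

# Anonymous-auth state as the message describes it for a working MP.
$expectedAnonymous = [ordered]@{
    'CCM_System'             = $true
    'CCM_System_WindowsAuth' = $false
    'SMS_MP'                 = $true
    'SMS_MP_WindowsAuth'     = $false
}

$authSection = 'system.webServer/security/authentication'

function Get-AuthEnabled {
    param([string]$Location, [string]$Scheme)
    # Queries the IIS configuration at the given location path.
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter "$authSection/$Scheme" -Name 'enabled').Value
}

$report = foreach ($app in $expectedAnonymous.Keys) {
    $location  = "$site/$app"
    $anonymous = Get-AuthEnabled -Location $location -Scheme 'anonymousAuthentication'
    $windows   = Get-AuthEnabled -Location $location -Scheme 'windowsAuthentication'
    [pscustomobject]@{
        Application       = $app
        AnonymousEnabled  = $anonymous
        WindowsEnabled    = $windows   # informational only, not compared
        ExpectedAnonymous = $expectedAnonymous[$app]
        Drift             = ($anonymous -ne $expectedAnonymous[$app])
    }
}

$report | Format-Table -AutoSize

# Flag any virtual directory whose anonymous setting differs from the
# state described in the message (for example after a manual change).
$drifted = @($report | Where-Object { $_.Drift })
if ($drifted.Count -gt 0) {
    Write-Warning ("Anonymous authentication differs from the described state on: " +
        ($drifted.Application -join ', '))
}
```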
