Thanks Brian. The external groups are Universal groups and DCs are also GCs. I will check out the S.DS.AccountManagement stuff and see if we can help him out.

Much appreciated!

Don

________________________________
From: Brian Desmond <[email protected]>
To: NT System Admin Issues <[email protected]>
Sent: Saturday, March 16, 2013 11:54 AM
Subject: RE: Cross Domain authentication - brain freeze

Don-

You might refactor this code to use S.DS.AccountManagement. It abstracts all this stuff for you. You’re going to start needing to think about global catalogs also with multiple domains, universal groups, etc.

Thanks,
Brian Desmond
[email protected]
w – 312.625.1438 | c – 312.731.3132

From: Don Kuhlman [mailto:[email protected]]
Sent: Friday, March 15, 2013 4:07 PM
To: NT System Admin Issues
Subject: Cross Domain authentication - brain freeze

Hi guys. It's getting near quitting time here, and they just announced that the bar is open for some St Patti's libations - :)

Anyway, our corp team deployed a new domain in our forest - like dom2.co.com

We have service accounts and groups for an app in dom1.co.com

Users in dom2.co.com can't get into the app by being in universal groups in dom1.co.com

Users in dom1.co.com can get into app by being in universal groups in dom1.co.com

Here is a snip from the dev about how he is doing the lookup -

"Yes, I can authenticate the user on the dom2 domain, but no groups are returned from my GetGroups() function. When I debug the process: The DirectorySearch object in the GetGroups() function uses the following path: "LDAP://dom2.co.com/CN=username,OU=Users,OU=Business,OU=Customers,DC=dom2,DC=co,DC=com". I set the PropertiesToLoad property to “memberOf”, then I create a result object using the FindOne() method. My result object is set to nothing. This works fine in the DOM1 domain, but dies in the DOM2 domain. When I try to get the number of results, it throws an error, because it’s not even zero, it’s nothing."

I found a few links, but they don't seem to apply.

Cross domain security group lookups - http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/96a697df-2d00-4edd-993f-632d7e8e1043

Group enum between trusted domains does not perform as expected - http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Group%20Enumeration%20between%20Trusted%20Domains%25

Any thoughts appreciated!

Thanks
Don K

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
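
The following is an added example, not code from anyone in this thread: one way the group check could look with System.DirectoryServices.AccountManagement, the library Brian suggests. The class name, the account name "username" and the group name "AppUsers" are placeholders; it assumes the process runs under an account that can read both domains. It compares groups by SID rather than by name and denies access when either lookup returns nothing.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class CrossDomainGroupCheck
{
    // True only if the user in userDomain is a direct or nested member of
    // the group in groupDomain. Any failed lookup means "not a member".
    public static bool IsMember(string userDomain, string samAccountName,
                                string groupDomain, string groupName)
    {
        using (var userCtx = new PrincipalContext(ContextType.Domain, userDomain))
        using (var groupCtx = new PrincipalContext(ContextType.Domain, groupDomain))
        using (var user = UserPrincipal.FindByIdentity(
                   userCtx, IdentityType.SamAccountName, samAccountName))
        using (var group = GroupPrincipal.FindByIdentity(
                   groupCtx, IdentityType.SamAccountName, groupName))
        {
            // FindByIdentity returns null when nothing matches, so test for
            // it explicitly instead of dereferencing an empty result.
            if (user == null || group == null)
                return false;

            // GetAuthorizationGroups returns the security groups the user
            // belongs to, including membership gained through nesting.
            using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            {
                foreach (Principal g in groups)
                {
                    // Match on SID: names can repeat across domains, SIDs cannot.
                    if (g.Sid != null && g.Sid.Equals(group.Sid))
                        return true;
                }
            }
            return false;
        }
    }

    static void Main()
    {
        // Placeholder values modelled on the thread's dom1/dom2 naming.
        bool allowed = IsMember("dom2.co.com", "username", "dom1.co.com", "AppUsers");
        Console.WriteLine(allowed ? "member: allow" : "not a member: deny");
    }
}
```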
