Apr 16, 2010 at 09:01 AM

MultiDomain Group Membership: WinAd group members discovery fails


Hi,

Our platform is

BO XI 3.1 SP2 on Win2k3SP2

Hosted on Domain0 in Forest0

Users belong to DomainsN.X in ForestsN

Forest0 has

Forest level trust with some of the domains (root Forest level, full transitive)

External bi-directional domain trust with others belonging to different forests

Manual AD authentication works both for web applications and for heavy clients like Designer, etc.

SSO 2 DB works for users hosted on domains below a root forest trust but not for users connected through an external domain trust.

Up to there, everything is normal and documented.

Due to our organisation/authorisation process we cannot let other domains manage group membership...

Thus, we need to create on Domain0 the AD groups (domain local type) that will be mapped in the CMC.

i.e. Domain0\GroupA will contain users from any other domain.

The problem: when the groups are mapped in the WinAD plugin of the CMC

None of the group members are detected

Any user from any domain can log in, and the user is created at logon time in the CMC, but the membership of GroupA (domain local AD group in Domain0) is not detected, so the rights granted through the AD group are not propagated to users: they log in with no rights at all...

Note: when mapping groups from any other domain, members are detected and rights propagated but we cannot use this option...

Any ideas for solving the issue, or a workaround for this type of administration?

Thanks in advance and regards,

N.