master data services 2012 domain trust issues

  • Question

  • Hi,

    We have a Master Data Services 2012 installation within one domain and the users exist within another domain.  This has a selective trust both ways.

    The behaviour that we are seeing in MDS 2012 is that, when adding users to Master Data Services from the other domain, we get "no exact match found" for users that exist; these users are from the domain that MDS does not reside in, but there is a trust in place.

    We have given authentication permissions to all users requiring access to the server that MDS resides on.

    The question is: what steps are necessary to allow MDS to operate in a two-domain environment?  We have other applications that function in this manner, but MDS is causing issues.

    Any help would be appreciated.

    Thanks

    Wednesday, October 29, 2014 12:46 PM

Answers

  • I don't have the exact multi-domain environment to try it on, but I tried it on multi-forest domains. It seems to be working fine.

    When adding the user, the format is like [DomainName\]UserName

    When adding a user for another domain, the domain name is required.

    Wednesday, November 19, 2014 2:54 AM

All replies

  • Any ideas for RFoley?

    Thanks!


    Ed Price, Azure & Power BI Customer Program Manager

    Saturday, November 15, 2014 7:24 AM
  • I don't have the exact multi-domain environment to try it on, but I tried it on multi-forest domains. It seems to be working fine.

    When adding the user, the format is like [DomainName\]UserName

    When adding a user for another domain, the domain name is required.

    There is a trust between our two domains (which works because I can log into SQL Server effortlessly with SSMS). However, when I try to add a user from the other domain, I get the error

    "No exact match was found for domain\user"

    It seems that MDS really doesn't like trusts.


    MCSE SQL Server 2012 - Please mark posts as answered where appropriate.

    Wednesday, January 28, 2015 10:13 AM
  • Hi, I was wondering if you ever got an answer to this?

    We have managed to get the MDS portal working remotely across the domains with a 2-way AD trust, but we keep getting an "Access is denied" when we revert to the preferred 1-way AD trust mode between the domain controllers.  Our observations seem to be that under the hood MDS creates the user in the MDS database if it doesn't exist inside its own mdm.tlbuser table.  It seems that when the trust is set up as 1-way, the handshake for the AD user authentication (figuring out group permissions) can't happen, and MDS doesn't create the user and instead throws up an error bubbled back to the MDS portal as "Access is denied" to the remote user who is accessing the MDS portal via IE on a different domain.  Once we switch to 2-way trust it simply starts working.  The under-the-hood AD authentication handshake between domains invoked from the MDS portal code-behind is something we don't have access to troubleshoot much further.  We have gone as far as running SQL Profiler to trace what is happening/not happening in the backend MDS database.

    We are not sure if there is a certain 1-way AD trust configuration which would allow this to work or if it is simply not a supported scenario.  This link is the closest I have found online, so I thought I would reach out in case you had any thoughts or insights which could help here.  Thanks in advance for any help you could give us.

    Thursday, May 19, 2016 11:28 AM
  • What I remember from this issue - which was solved after a while at the client - was that the user specified in the MDS application pool (I think it was that) had to have some special type of permission to be able to look up domain users from the other domain.

    MCSE SQL Server 2012 - Please mark posts as answered where appropriate.

    Thursday, May 19, 2016 11:35 AM
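
A diagnostic for the lookup problem discussed in this thread, added here as an example and not posted by any participant: it checks whether the identity running the session can resolve DomainName\UserName accounts from the trusted domain to SIDs. That MDS's "No exact match was found" error follows Windows name-to-SID resolution under the application pool account is an assumption; `Test-CrossDomainLookup` and the `OTHERDOMAIN\...` names are hypothetical placeholders.

```powershell
# Added example: test name-to-SID resolution across the trust for the
# identity running this session. Start the session as the MDS application
# pool account (for example with runas) and compare with your own login.
# OTHERDOMAIN\alice and OTHERDOMAIN\bob are placeholders, not real accounts.

function Test-CrossDomainLookup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Account   # DomainName\UserName form, as the answer describes
    )

    $runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    foreach ($name in $Account) {
        $result = [pscustomobject]@{
            RunningAs = $runningAs
            Account   = $name
            Resolved  = $false
            Sid       = $null
            Error     = $null
        }

        if ($name -notmatch '^[^\\]+\\[^\\]+$') {
            # The thread's answer: the domain name is required for other domains
            $result.Error = 'Domain prefix missing; use DomainName\UserName'
        }
        else {
            try {
                $nt  = New-Object System.Security.Principal.NTAccount($name)
                $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
                $result.Resolved = $true
                $result.Sid      = $sid.Value
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                $result.Error = 'Name could not be mapped to a SID from this identity'
            }
            catch {
                # Any other failure (trust unreachable, access denied, ...)
                $result.Error = $_.Exception.Message
            }
        }
        $result
    }
}

Test-CrossDomainLookup -Account 'OTHERDOMAIN\alice', 'OTHERDOMAIN\bob' |
    Format-Table -AutoSize
```

If a name resolves under your own login but not under the application pool account, the difference is in what that account is allowed to look up across the trust, which is the area the last reply points to.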