Active Directory Membership Provider across multiple domains

  • Question

  • Hi,

    I have a WCF authentication service that uses the Active Directory membership provider and provides an AD login function, and we have this working for one domain, A. There is another domain, B, which is behind the firewall, and there is a one-way trust relationship between domains A and B. Users from domain B can log onto the domain controller of domain A but not vice versa. The WCF service is on domain A. I tried to authenticate users from domain B using the service and I received the "unknown username or bad password" error.

    I am wondering if anyone knows whether the Active Directory membership provider works across multiple domains with a one-way trust relationship. I have tried changing the LDAP connection string to point to domain A's domain controller but specifying the DC parameter as domain B and setting the connectionUser to DomainB\Username, but I received the same error. If I have everything pointing to DomainA I receive the same error too. The domain controllers for A and B can see each other. Does anyone know a solution?

    (We can't point the LDAP string to domain B as it's behind firewalls.)

    Thanks in advance

    Monday, July 30, 2012 5:48 AM


  • Hi Jerry,

    For this scenario to work, those domains must trust each other.

    If this is not already set up, you need to contact your IT to establish a trust relationship between the two domains.

    If your IT doesn't know how to configure a trust, they can refer to http://technet.microsoft.com/en-us/library/cc771568.

    If they still have problems configuring the trust, they can post their question on http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads.

    Hope this helps.

    Wednesday, August 1, 2012 6:13 AM
  • Hi Otomii,

    I ended up writing my own membership provider which authenticates users against AD directly using the .NET directory services library.

    The out-of-the-box membership provider doesn't support referral chasing across forests or GC querying. It can only be used for a single-domain scenario.


    • Marked as answer by Jerry_Hsi Tuesday, September 11, 2012 4:19 AM
    Tuesday, September 11, 2012 4:19 AM
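
As an added illustration of the approach in the accepted reply (this is example code written for this page, not Jerry's own provider), the class below shows the core of a custom validator built on System.DirectoryServices.AccountManagement. It assumes the WCF host is joined to domain A and that domain A trusts domain B, so that a Negotiate (Kerberos/NTLM) bind to a domain A controller can be passed through the trust for DOMAINB\user accounts; the class name, constructor parameters and the constructed sample names are all assumptions. It deliberately fails closed on an unreachable DC and refuses empty passwords before they reach the directory, since an empty-password bind can be treated as anonymous by LDAP servers. The remaining abstract members of MembershipProvider (CreateUser, GetUser, and so on) are unchanged by this design; ValidateUser would simply delegate to Validate below.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Example validator for a custom membership provider (not the thread's code).
// Assumes: service runs in domain A, domain A trusts domain B (one-way trust),
// and only domain A's controllers are reachable from the service.
public sealed class CrossDomainCredentialValidator
{
    private readonly string _defaultDomain;    // the service's own domain (A)
    private readonly string _domainController; // optional: pin to one reachable DC in A

    public CrossDomainCredentialValidator(string defaultDomain, string domainController = null)
    {
        if (string.IsNullOrWhiteSpace(defaultDomain))
            throw new ArgumentException("defaultDomain is required", nameof(defaultDomain));
        _defaultDomain = defaultDomain;
        _domainController = domainController;
    }

    // Splits "DOMAINB\user" or "user@domainb.example" into (domain, account).
    // A bare "user" is treated as an account in the default domain.
    public static bool TryParseUserName(string userName, string defaultDomain,
                                        out string domain, out string account)
    {
        domain = null;
        account = null;
        if (string.IsNullOrWhiteSpace(userName)) return false;
        userName = userName.Trim();

        int backslash = userName.IndexOf('\\');
        int at = userName.IndexOf('@');
        if (backslash > 0 && backslash < userName.Length - 1)
        {
            domain = userName.Substring(0, backslash);
            account = userName.Substring(backslash + 1);
        }
        else if (at > 0 && at < userName.Length - 1)
        {
            account = userName.Substring(0, at);
            domain = userName.Substring(at + 1);
        }
        else
        {
            domain = defaultDomain;
            account = userName;
        }

        // Reject a second separator or control characters smuggled into the account part.
        return account.IndexOfAny(new[] { '\\', '@', '\r', '\n', '\0' }) < 0
            && domain.IndexOfAny(new[] { '\\', '@', '\r', '\n', '\0' }) < 0;
    }

    // Returns true only when the directory accepts the credentials.
    public bool Validate(string userName, string password)
    {
        // Never send an empty password: some binds succeed as anonymous.
        if (string.IsNullOrEmpty(password)) return false;
        if (!TryParseUserName(userName, _defaultDomain, out var domain, out var account))
            return false;

        // Always bind to domain A (the reachable side). With Negotiate the DC in A
        // performs pass-through authentication across the trust for DOMAINB accounts.
        // Signing and Sealing protect the LDAP session from tampering and eavesdropping.
        var options = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

        using (var ctx = new PrincipalContext(ContextType.Domain, _domainController ?? _defaultDomain))
        {
            try
            {
                return ctx.ValidateCredentials(domain + "\\" + account, password, options);
            }
            catch (PrincipalServerDownException)
            {
                // DC unreachable: fail closed. Log the account name only, never the password.
                return false;
            }
        }
    }
}

// Constructed usage (sample names, not real domains):
//   var v = new CrossDomainCredentialValidator("DOMAINA", "dc01.domaina.example");
//   bool ok = v.Validate("DOMAINB\\jsmith", userSuppliedPassword);
```

Pinning the context to a specific domain A controller is optional; passing the domain name instead lets the DC locator pick one. If validation keeps failing for DOMAINB accounts while DOMAINA accounts succeed, that points at the trust direction or the firewall between the two domains' controllers rather than at the provider code, which is the situation the thread describes.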
