Active Directory Membership Provider across multiple domains

Question
Hi,
I have a WCF authentication service that uses the Active Directory membership provider and provides an AD login function, and we have this working for one domain, A. There is another domain, B, which is behind the firewall, and there is a one-way trust relationship between domains A and B. Users from domain B can log onto the domain controller of domain A, but not vice versa. The WCF service is in domain A. I tried to authenticate users from domain B using the service and I received the "unknown username or bad password" error.
I am wondering if anyone knows whether the Active Directory membership provider works across multiple domains with a one-way trust relationship. I have tried changing the LDAP connection string to point to domain A's domain controller but specifying the DC parameter as domain B and setting the connectionUser to DomainB\Username, but I received the same error. If I have everything pointing to domain A, I receive the same error too. The domain controllers for A and B can see each other. Does anyone know a solution?
(We can't point the LDAP string to domain B as it's behind firewalls.)
Thanks in advance
Monday, July 30, 2012 5:48 AM
Answers
Hi Jerry,
For this scenario to work, those domains must trust each other.
If this is not already set up, you need to contact your IT to establish a trust relationship between the two domains.
If your IT doesn’t know how to configure trust, they can refer to http://technet.microsoft.com/en-us/library/cc771568.
If they still have problems configuring the trust, they can post their question on http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads.
Hope helpful.
- Proposed as answer by Dragan Radovac Monday, August 6, 2012 3:39 PM
- Marked as answer by Otomii Lu Tuesday, August 7, 2012 1:29 AM
Wednesday, August 1, 2012 6:13 AM
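The answer above says the domains must trust each other, and the direction of that trust is what decides whether domain B's users can be authenticated by a service running in domain A. Before rewriting any provider it is worth confirming that direction from domain A itself. The following is an added example written for this thread, not code from the original posts or from Microsoft; it uses System.DirectoryServices.ActiveDirectory to list the trusts of the domain the service runs in. The domain names "corp.example.com" and "partner.example.com" are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.ActiveDirectory;

// Added example (not from the thread). Enumerates the trusts of the domain the
// WCF service runs in (domain A) and reports each one's direction and type.
public static class TrustInspector
{
    public sealed class TrustSummary
    {
        public string Source;            // domain the trust is viewed from (domain A)
        public string Target;            // the other domain (domain B)
        public TrustDirection Direction; // Inbound, Outbound or Bidirectional
        public TrustType Type;           // External, Forest, ParentChild, ...
    }

    // domainName: DNS name of domain A, e.g. "corp.example.com" (placeholder).
    // Reading trust objects normally needs only an authenticated domain account.
    public static List<TrustSummary> ListTrusts(string domainName)
    {
        var result = new List<TrustSummary>();
        var ctx = new DirectoryContext(DirectoryContextType.Domain, domainName);
        using (Domain domain = Domain.GetDomain(ctx))
        {
            foreach (TrustRelationshipInformation trust in domain.GetAllTrustRelationships())
            {
                result.Add(new TrustSummary
                {
                    Source = trust.SourceName,
                    Target = trust.TargetName,
                    Direction = trust.TrustDirection,
                    Type = trust.TrustType
                });
            }
        }
        return result;
    }

    // True when, seen from domainName, the trust with otherDomain is outgoing
    // (domainName trusts otherDomain), which is the direction that lets
    // otherDomain's users be authenticated by a service in domainName.
    // A trust that is only Inbound from here works the other way round and will
    // produce exactly the "unknown username or bad password" result from the question.
    public static bool CanAuthenticateUsersFrom(string domainName, string otherDomain)
    {
        foreach (TrustSummary t in ListTrusts(domainName))
        {
            if (!string.Equals(t.Target, otherDomain, StringComparison.OrdinalIgnoreCase))
                continue;
            return t.Direction == TrustDirection.Outbound
                || t.Direction == TrustDirection.Bidirectional;
        }
        return false; // no trust object for that domain at all
    }

    public static void Main()
    {
        // Placeholder names; replace with the real domain A and domain B DNS names.
        foreach (TrustSummary t in ListTrusts("corp.example.com"))
            Console.WriteLine("{0} -> {1}: {2} ({3})", t.Source, t.Target, t.Direction, t.Type);

        Console.WriteLine("domain B users can authenticate here: {0}",
            CanAuthenticateUsersFrom("corp.example.com", "partner.example.com"));
    }
}
```

If CanAuthenticateUsersFrom returns false, no provider configuration will fix the login failure; the trust itself has to be created or its direction changed by the domain administrators, as the answer says.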
Hi Otomii,
I ended up writing my own membership provider which authenticates users against AD directly using the .NET directory services library.
The out-of-the-box membership provider doesn't support referral chasing across forests or GC querying. It can only be used for a single-domain scenario.
Thanks
- Marked as answer by Jerry_Hsi Tuesday, September 11, 2012 4:19 AM
Tuesday, September 11, 2012 4:19 AM
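The accepted answer replaces the stock provider with one that validates credentials directly through .NET directory services, but does not show that code. The following is an added example written for this thread, not the poster's provider and not Microsoft's code. It assumes the service runs in domain A, that domain A trusts domain B (so a domain A domain controller can authenticate DomainB\user through the trust, which is what lets the service avoid contacting domain B's firewalled DCs directly), and that the provider only accepts users from an explicit list of domains. The host "dc1.corp.example.com", the container "DC=corp,DC=example,DC=com" and the domain names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example (not from the thread). Core credential check for a custom
// membership provider: the provider's ValidateUser override delegates here.
public sealed class TrustedDomainAuthenticator
{
    private readonly string _homeDomainController; // a DC of domain A (placeholder host)
    private readonly string _homeContainer;        // search base in domain A (placeholder)
    private readonly HashSet<string> _allowedDomains;

    // allowedDomains: NetBIOS or DNS names of the domains whose users may log in,
    // e.g. { "CORP", "corp.example.com", "PARTNER", "partner.example.com" } (placeholders).
    public TrustedDomainAuthenticator(string homeDomainController, string homeContainer,
                                      IEnumerable<string> allowedDomains)
    {
        _homeDomainController = homeDomainController;
        _homeContainer = homeContainer;
        _allowedDomains = new HashSet<string>(allowedDomains, StringComparer.OrdinalIgnoreCase);
    }

    // Extracts the domain from "DOMAIN\user" or "user@domain.example.com".
    // Returns null for a bare user name so that an unqualified name can never be
    // resolved against whatever domain the DC happens to try first.
    public static string DomainOf(string userName)
    {
        if (string.IsNullOrEmpty(userName)) return null;
        int backslash = userName.IndexOf('\\');
        if (backslash > 0) return userName.Substring(0, backslash);
        int at = userName.IndexOf('@');
        if (at > 0 && at < userName.Length - 1) return userName.Substring(at + 1);
        return null;
    }

    // True only when the domain A DC accepts the credentials. The bind is
    // Negotiate (Kerberos or NTLM) with signing and sealing; a SimpleBind without
    // SSL would send the password in clear text and is deliberately not offered.
    public bool ValidateUser(string userName, string password)
    {
        if (string.IsNullOrEmpty(password)) return false;
        string domain = DomainOf(userName);
        if (domain == null || !_allowedDomains.Contains(domain)) return false;

        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain,
                                                  _homeDomainController, _homeContainer))
            {
                return ctx.ValidateCredentials(userName, password,
                    ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
            }
        }
        catch (PrincipalServerDownException)
        {
            // DC unreachable: fail closed. The caller should log this as an
            // infrastructure error, not as a bad password.
            return false;
        }
    }

    public static void Main()
    {
        var auth = new TrustedDomainAuthenticator(
            "dc1.corp.example.com",            // placeholder domain A DC
            "DC=corp,DC=example,DC=com",       // placeholder domain A container
            new[] { "CORP", "corp.example.com", "PARTNER", "partner.example.com" });

        // Rejected before any network call: bare name, and a domain not on the list.
        Console.WriteLine(auth.ValidateUser("jdoe", "x"));            // False
        Console.WriteLine(auth.ValidateUser("OTHER\\jdoe", "x"));     // False

        // Goes to the domain A DC, which authenticates the domain B user via the trust.
        Console.WriteLine(auth.ValidateUser("PARTNER\\jdoe", "placeholder-password"));
    }
}
```

In the custom MembershipProvider, ValidateUser(string username, string password) simply returns the result of this class's ValidateUser; the other provider members (user creation, password reset and so on) are independent of the cross-domain problem and can keep whatever behaviour the application already had. The domain allow-list matters in this scenario: once a DC is asked to authenticate qualified names through trusts, the provider should only forward names for the domains the application actually serves.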
All replies
Hi Otomii,
Thanks very much for the reply. Does this scenario require a particular type of trust or trust relationship?
I think we are using one way forest trust.
Regards,
Monday, August 6, 2012 10:28 AM
Yes, it needs more trust relationship.
You can post your question on http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads.
More experts on this issue will help you.
Monday, August 6, 2012 10:46 AM
Thanks, I have made a post in the other forum:
Monday, August 6, 2012 11:01 PM