Cross Forest Group Authentication Not Working

  • Question

  • Currently doing a Windows Forest migration and all is going well, i.e. SharePoint access, Exchange, File access etc. However, having an authentication issue with SQL 2005.

    Scenario: 2-way trust established and using Windows authentication. SQLServer1 is in original forest (ForestA) and can authenticate users and groups in own forest fine. SQLServer1 can also authenticate users in ForestB just fine. The issue is it can't do group authentication for ForestB groups. So if I create a new group in ForestB, add ForestBuser1 in that group and grant group access to SQLServer1, it can't authenticate.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, September 8, 2011 4:54 PM

All replies

  • The issue was nested groups; ForestB Group2 is nested into ForestB Group1. ForestB user1 is in ForestB Group2 and can't authenticate. If I put the user in Group1 or remove the nesting it works. I saw a thread "Are nested Windows groups supported as SQL Server 2008 logins?" and other people are having issues with nested authentication. Is this supported?

    Are nested Windows groups supported as SQL Server 2008 logins?

     http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/480c2a71-a875-42e2-a1e4-b6b5107eb017/


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, September 8, 2011 6:20 PM