LDAP Authentication to an Active Directory Trust

Question
-
I'm having an issue with an application using LDAP authenticating a user through an AD trust.
I have userA in domainA and userB in domainB. There is a two-way trust between the domains that's validated and works. And I can add userB to groups in domainA, which creates a ForeignSecurityPrincipal for that user (S-1-5-21-...). Also, userA can launch a JBoss application tied to ldapA which is authenticated through domainA; userA gets validated properly with roles.
However, when userB launches the app tied to ldapA, which authenticates through domainA, which has the trust to domainB, userB is not seen.
How does LDAP query/see userB in domainB through the trust, i.e. see the sAMAccountName in the foreignSecurityPrincipal?
Note that userA and userB need to be authenticated against the groups in domainA. Also note that userB is part of "ABC Users", not "Users", on domainB.
The JBoss login module settings are shown below.
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<module-option name="bindDN" value="ldapadmin@domainA.us" />
<module-option name="bindCredential" value="Password#1" />
<module-option name="baseCtxDN" value="DC=domainA,DC=us" />
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="CN=Users,DC=domainA,DC=us" />
<module-option name="roleAttributeID" value="memberOf" />
<module-option name="roleFilter" value="(cn={0})" />
<module-option name="roleNameAttributeID" value="cn" />
<module-option name="roleAttributeIsDN" value="true" />
<module-option name="roleRecursion" value="2" />
<module-option name="matchOnUserDN" value="false" />
<module-option name="uidAttributeID" value="samAccountName" />
<!-- the JNDI property key is java.naming.referral (the value of the Java constant Context.REFERRAL); the option name must be the key itself, otherwise the setting never reaches the LDAP context -->
<module-option name="java.naming.referral" value="follow" />
<module-option name="throwValidateError" value="true" />
<module-option name="searchTimeLimit" value="15000" />
<module-option name="searchScope" value="ONELEVEL_SCOPE" />
<module-option name="allowEmptyPasswords" value="false" />
<module-option name="criticalControls" value="false" />
<module-option name="debug" value="true" />
Tuesday, September 5, 2017 8:43 PM
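The lookup the question is asking about, as an added example that is not part of the original post and not JBoss code: the ForeignSecurityPrincipal in domainA carries only the foreign objectSid (its CN is the SID string) and no sAMAccountName, so the (sAMAccountName={0}) search under DC=domainA,DC=us can never match userB. The user has to be found in domainB first, its objectSid turned into an LDAP filter value, the FSP with that SID located in domainA, and the FSP's memberOf backlinks walked for the domainA groups. The search callable signature, the SID values, the group names AppUsers and AppAdmins and the two in-memory directories are assumptions constructed for this example.

```python
# Added example, not from the original post or from JBoss. Assumes each domain is
# reachable through a callable search(base_dn, ldap_filter, attributes) returning
# [(dn, {attr: [values]}), ...] with objectSid as bytes (wrap an ldap3 or JNDI
# connection to fit); the directory contents at the bottom are constructed data.
import re
import struct

def sid_bytes_to_string(raw):
    """Decode a binary objectSid: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    count = raw[1]
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)

def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used to build an objectSid filter value."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ldap_escape_bytes(raw):
    """RFC 4515: a binary assertion value is written as \\xx hex pairs."""
    return "".join("\\%02x" % b for b in raw)

def ldap_escape_string(value):
    """RFC 4515 escaping of filter metacharacters in user-supplied text, so a
    login name such as 'x)(objectClass=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def roles_for_trusted_user(search_a, base_a, search_b, base_b, sam, max_depth=2):
    """CNs of the domainA groups holding the domainB user, nested up to max_depth.
    The FSP in domainA has only the foreign objectSid (its CN is the SID string), never
    sAMAccountName, so the user is looked up in its home domain first, then joined on the SID."""
    users = search_b(base_b, "(&(objectClass=user)(sAMAccountName=%s))"
                     % ldap_escape_string(sam), ["objectSid"])
    if len(users) != 1:
        return None  # unknown, or ambiguous, in the home domain
    sid = users[0][1]["objectSid"][0]
    fsps = search_a(base_a, "(&(objectClass=foreignSecurityPrincipal)(objectSid=%s))"
                    % ldap_escape_bytes(sid), ["memberOf"])
    if not fsps:
        return []  # genuine trusted user, but never added to any domainA group
    groups, frontier = set(), list(fsps[0][1].get("memberOf", []))
    for _depth in range(max_depth):  # bounded memberOf walk, like JBoss roleRecursion
        nxt = []
        for group_dn in frontier:
            if group_dn not in groups:
                groups.add(group_dn)
                for _, attrs in search_a(group_dn, "(objectClass=group)", ["memberOf"]):
                    nxt.extend(attrs.get("memberOf", []))
        frontier = nxt
    return sorted(dn.split(",")[0][len("CN="):] for dn in groups)

def make_stand_in_search(directory):
    """Offline stand-in for an LDAP subtree search: equality terms inside an AND
    filter, which is all the functions above emit."""
    def unescape(v):  # \xx hex pairs (RFC 4515) back to raw bytes
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v).encode("latin-1")
    def same(have, want):
        return have == want if isinstance(have, bytes) else have.lower().encode() == want.lower()
    def search(base_dn, ldap_filter, attributes):
        terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
        return [(dn, {a: attrs.get(a, []) for a in attributes})
                for dn, attrs in directory.items()
                if dn.lower().endswith(base_dn.lower())
                and all(any(same(v, unescape(w)) for v in attrs.get(n, [])) for n, w in terms)]
    return search

# Constructed sample data, not real directory content.
USER_B_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_B = {
    "CN=userB,OU=ABC Users,DC=domainB,DC=us": {
        "objectClass": ["user"], "sAMAccountName": ["userB"],
        "objectSid": [sid_string_to_bytes(USER_B_SID)]},
    "CN=userC,OU=ABC Users,DC=domainB,DC=us": {  # trusted user with no FSP in domainA
        "objectClass": ["user"], "sAMAccountName": ["userC"],
        "objectSid": [sid_string_to_bytes(USER_B_SID[:-4] + "1106")]},
}
DOMAIN_A = {
    "CN=%s,CN=ForeignSecurityPrincipals,DC=domainA,DC=us" % USER_B_SID: {
        "objectClass": ["foreignSecurityPrincipal"], "objectSid": [sid_string_to_bytes(USER_B_SID)],
        "memberOf": ["CN=AppUsers,CN=Users,DC=domainA,DC=us"]},
    "CN=AppUsers,CN=Users,DC=domainA,DC=us": {
        "objectClass": ["group"], "memberOf": ["CN=AppAdmins,CN=Users,DC=domainA,DC=us"]},
    "CN=AppAdmins,CN=Users,DC=domainA,DC=us": {"objectClass": ["group"]},
}
SEARCH_A, SEARCH_B = make_stand_in_search(DOMAIN_A), make_stand_in_search(DOMAIN_B)

if __name__ == "__main__":
    print(roles_for_trusted_user(SEARCH_A, "DC=domainA,DC=us", SEARCH_B, "DC=domainB,DC=us", "userB"))
```

Against real directories the two stand-ins are replaced by searches bound to a DC of each domain: the first hop has to go to domainB (or a global catalog of domainB's forest), because a global catalog only holds the domains of its own forest and so cannot answer for a domain reached through a trust. The bind credential used for that hop must be valid in domainB; the trust lets domainA's DCs authenticate userB's password, but it does not make userB's directory object readable from domainA.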
Answers
-
I'd ask for help over here.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed as answer by Richard Mueller MVP Wednesday, September 6, 2017 10:24 PM
- Marked as answer by Just Karl Wednesday, September 13, 2017 3:12 PM
Wednesday, September 6, 2017 2:26 PM
All replies
-
The TechNet Wiki Discussion Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.
Please note that this forum exists to discuss TechNet Wiki as a technology/application.
As it's off-topic here, I am moving the question to the Where is the forum for... forum.
Karl
Wednesday, September 6, 2017 2:07 PM