VMware Horizon Community
Najtsob
Enthusiast
Enthusiast
‎02-22-2018 05:25 AM

2-way forest trust - domain status error detected

I have established 2-way forest trust between existing forest containing view servers and everything and a second forest which hold some of the users.

However it seems to not be working.

pastedImage_0.png 

In the logs I see the following error:

<WSWinAuthDomainTimerThread> [ws_winauth] OpenObject could not bind to LDAP://<my domain>/rootDSE (0x000000008007203B (A local error has occurred.))

The trust itself seems to work fine since I can login into Windows servers in either forest using credentials from another forest.

Tags (1)
4 Replies
adhussain79
VMware Employee
VMware Employee
‎02-22-2018 06:09 AM

Hi,

as of my understanding, your two-way forest trust is partially configured or working. Please, try two things

1. Using Active Directory Domains and Trusts snap-in Test the connection in between the forests, if it is successful then its good and if its not the remove the trust and re-establish it.

OR

Even if trust connectivity is good but sometimes we need to remove the trust and re-establish it using credentials those are the member of Enterprise Domain Admins and or Global security groups. Then recheck your rest of the object access and communication. because this is the base-line.

Regards!

Najtsob
Enthusiast
Enthusiast
‎02-22-2018 06:29 AM

I think the culprit was selective authentication, after changing it to Forest-wide authentication the domain became green.

My question here is what needs to be done if you want to have selective authentication enabled ?

Probably you need to give computer objects of view connection servers a permission to read another domain and maybe allow to authenticate on DCs from another domain ?

adhussain79
VMware Employee
VMware Employee
‎02-22-2018 07:10 AM

That's Great bro Smiley Happy. Ok now we can look at the other problem (i.e. to secure cross domain env.). but please, mark this query as answered Smiley Happy

usually, we require a user that must have cross domain access and in this case the only thing we may have is the membership to a security group that holds the scope of Enterprise Admins or Enterprise Domain Admins (Global Level). for security purpose, we can encrypt its cross forest communication by enable AES Auth and with complex password. but "Delegation of Authority" would be difficult and may result in partial Two-way Trust once again.

let me re-check it on my side and then i'll be able to answer it more confidently. but this is for sure that you have to compromise on above settings, still we can look for more secure way mentioned earlier in-case of password complexity and AES encryption (default behave you can find it to enable in user's property pages).

Hope this would be helpful for your further.

0 Kudos
Najtsob
Enthusiast
Enthusiast
‎02-26-2018 06:39 AM

OK, I have tested this and you must grant "allow to authenticate" permission on the domain controllers from another domain for your view server computer objects. After that it starts working normally.