MadCow
Honorable But Hopeless Addict
Canada
1834 Posts
Status: offline
Posted - 08/25/2011 : 08:50:11 AM
Hi All,
Domain A is in the Extranet. Domain B is in the Corporanet/Intranet. Both domains trust each other two-way, and all works fine.
Able to add users in Domain A from Domain B. That's how we want it.
All the ports are wide open both ways for now because we are in the testing phase; once all is fixed we will shut down the ports not needed.
Issue:
One SharePoint 2010 server in the Internet DMZ, a member of Domain A.
I can add users to the Windows 2008 R2 SP1 server where SharePoint 2010 is hosted from Domain A and Domain B, no issues.
But when I open up my SharePoint Admin Console via IE and try to add users from Domain B, it does not see them, but I am able to add users from Domain A.
Please advise.
Thanks Much.
Sunny
"Everyone is susceptible to the notion that when you begin to do well, you begin to see no boundary lines and forget the rules apply" - Eliot Spitzer
Curt
Moderator
USA
6659 Posts
Status: offline
Posted - 08/25/2011 : 2:40:35 PM
Could be a classic protocol issue. What kind of forests are between the shares? Can the machines pass the SETSPN test between domains?
Curt Spanburgh, Microsoft Certified Business Solution Specialist, Dynamics CRM MVP, Contributing Editor, Windows IT Pro. "He that is walking with wise persons will become wise, but he that is having dealings with the stupid ones will fare badly." Proverbs 13:20
lady_mcse
Old Timer
637 Posts
Status: offline
Posted - 08/25/2011 : 3:31:53 PM
Sorry, I have to sit by and read on this one ... not doing anything like this scenario YET, but it's in my future. Only thing I can think of is whether you've tried specifying domainb\username when you do the add.
Anne O'Day MCITP: SharePoint 2010
Curt
Moderator
USA
6659 Posts
Status: offline
Posted - 08/25/2011 : 4:20:08 PM
I had failures like this because of several issues. Each one was authentication, and each time the reasons were different.
I had the SharePoint admin site go totally crazy, where even the site administrator could not log in.
The problem was AD and DNS. But if forest levels are different between the forests, then you may not have Kerberos authentication passing between them.
Have you ever noticed that if you have the wrong DNS address on a machine that you are joining to a Win2003 forest it works anyhow, but if you can't resolve DNS to a Win2008 domain and you're running Windows 7 you can never join the domain?
Why is that? Ah ha. It needs to "really" see the domain.
MadCow
Honorable But Hopeless Addict
Canada
1834 Posts
Status: offline
Posted - 08/29/2011 : 1:07:25 PM
Thanks All.
Curt, "Can the machines pass the SETSPN test between domains?"
How do I perform this test?
Please advise.
Thanks
Curt
Moderator
USA
6659 Posts
Status: offline
Posted - 08/29/2011 : 1:29:47 PM
Yes, they can. Here is what I experienced when I hit a problem.
It was an international printer company. They have forests on three continents. The European forest was a Windows 2000 forest. They had a trust to the North American forest, which was Windows 2003.
I based my article "Twelve Angry Techs" on my experiences there.
NTLM authentication could work across the trust. A user in Europe could use their browser to see the Dynamics CRM server in the U.S., but when they attempted to run a report through the interface there was an error between the SSRS service and the SQL server.
It was not happening in the Windows 2003 forest.
At the time the IT folks all pointed to the CRM server and the SQL server, and the folks in the other forest said "It's your fault."
A long, patient look at the logs and tables showed me a pattern. I did a sniff on traffic between the forests.
There was absolutely no Kerberos traffic between the forests.
Not too much was written about forest trusts and Kerberos, especially with Windows 2000 forests. I had used the SETSPN tool in other environments.
I took a laptop and joined it to the Windows 2000 domain.
Then I checked if I could "see" the CRM server in the conventional ways, and that worked, but when I attempted to run SETSPN <Server Name> -L there was no response.
With a laptop in the Windows 2003 domain, Setspn (servername) -l revealed the services of the server I was hitting.
Research finally revealed that for a Windows 2000 forest trust there was no Kerberos traffic available.
When CRM was deployed, the person deploying it and the IT team just figured it would work.
Anyone who has spent a good deal of time with Windows networking knows that machines communicate on different levels and protocols.
You can download the tool from the Microsoft site. Sometimes the attributes are not created and are missing. That would also be a problem.
Start at this level and look at how the traffic is working, and if you see failures then I'm pretty sure you'll get your answer from a command prompt utility that is very valuable in solving problems.
quote: Originally posted by MadCow
Thanks All.
Curt, Can the machines pass the SETSPN test between domains?
How do I perform this test?
Advise Please.
Thanks
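The SETSPN test Curt describes, written out as an added PowerShell example; this is not code from the thread or from either poster. It assumes an elevated PowerShell session on a machine joined to Domain B with the RSAT ActiveDirectory module installed and an ADWS-capable domain controller reachable in Domain A. EXTernal.LOCAL and TestSharePoint are the names taken from the event log quoted in this thread; CORP.LOCAL is a placeholder for Domain B.

```powershell
# Added example, not from the thread: does Kerberos (and SPN lookup) work across the trust?
# Assumptions: elevated PowerShell on a Domain B member; RSAT ActiveDirectory module present;
# Domain A has a DC that answers Active Directory Web Services (needed by Get-ADComputer -Server).
param(
    [string]$RemoteDomain = 'EXTernal.LOCAL',   # Domain A, the realm in the thread's event log
    [string]$LocalDomain  = 'CORP.LOCAL',       # placeholder for Domain B
    [string]$ServerName   = 'TestSharePoint'    # the SharePoint 2010 server in Domain A
)
Import-Module ActiveDirectory

# 1. What kind of trust is it, and is the secure channel to it usable right now?
#    A forest trust (transitive, 2003 forest functional level or higher) can carry Kerberos
#    referrals; a plain external domain trust falls back to NTLM, which is what the thread
#    sees: console/local adds work, the web application does not.
nltest /domain_trusts /v
nltest /sc_verify:$RemoteDomain        # "The command completed successfully" is the good result

# 2. Name resolution: the client needs the remote realm's KDC SRV records, not just the host A record.
#    If these fail from Domain B, the "domain does not exist or could not be contacted" warning follows.
nslookup -type=SRV "_kerberos._tcp.$RemoteDomain"
nslookup "$ServerName.$RemoteDomain"

# 3. The SETSPN test across the trust: -T points setspn at the remote domain, -Q queries a pattern.
#    Output lists every SPN mentioning the host and the account it is registered on.
#    No output (or an error) from Domain B while the same command works from a Domain A member
#    is the gap Curt describes; no HTTP/ SPN at all means SharePoint cannot do Kerberos either way.
setspn -T $RemoteDomain -Q "*/$ServerName*"

# Same data through the AD module, reading the computer object's servicePrincipalName attribute.
$spns = (Get-ADComputer -Server $RemoteDomain -Identity $ServerName `
            -Properties servicePrincipalName).servicePrincipalName
if (-not $spns) { Write-Warning "No SPNs readable for $ServerName in $RemoteDomain from $LocalDomain" }
$spns

# 4. End-to-end proof: request a service ticket for the SharePoint web application.
#    A ticket back means the cross-realm referral chain (Domain B TGT -> referral -> Domain A
#    service ticket) works; an error naming the realm means you are on NTLM only across the trust.
klist get "HTTP/$ServerName.$RemoteDomain"
klist                                   # cached tickets: expect a krbtgt/$RemoteDomain entry plus the HTTP ticket
```

Run it once from a Domain B workstation and once from a Domain A member; the place where the results diverge is the layer that is broken (DNS, trust/secure channel, SPN registration, or ticket issuance).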
MadCow
Honorable But Hopeless Addict
Canada
1834 Posts
Status: offline
Posted - 08/30/2011 : 10:20:29 AM
Curt,
From within my SP2010 Admin Console, when I try to add a user from my internal/corporate domain I see this in the event viewer of my SharePoint server:
A Kerberos Error Message was received: on logon session Client Time: Server Time: 14:8:42.0000 8/30/2011 Z Error Code: 0x29 KRB_AP_ERR_MODIFIED Extended Error: Client Realm: Client Name: Server Realm: EXTernal.LOCAL Server Name: TestSharePoint Target Name: Error Text: File: 3 Line: 576 Error Data is in record data.
I am looking around.
Any ideas?
Thank you
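An added PowerShell example for triaging the 0x29 KRB_AP_ERR_MODIFIED event quoted above on the SharePoint server itself; it is not code from the thread or its posters. It assumes an elevated session on the Windows 2008 R2 SharePoint box with the ActiveDirectory module installed. The provider name Microsoft-Windows-Security-Kerberos, the event IDs 3 and 4, and the "Error Code:" / "Server Name:" / "Server Realm:" field layout are assumptions modelled on the log line in the thread; the domain and server names come from that same log line.

```powershell
# Added example, not from the thread: triage KRB_AP_ERR_MODIFIED (0x29) on the SharePoint server.
# 0x29 means the service could not decrypt the ticket it was handed. The usual causes are
# configuration, not attack: the HTTP/ SPN is registered on a different account than the one
# running the web application pool, the same SPN exists on two accounts, or the account's
# key is stale. Keep the events anyway; the same error also appears when something answers
# for a service name it does not own, so it is worth a detection rule once the baseline is clean.
# Assumptions: elevated PowerShell on the 2008 R2 box; ActiveDirectory module present; Kerberos
# client errors come from the 'Microsoft-Windows-Security-Kerberos' provider in the System log.
param(
    [string]$Domain     = 'EXTernal.LOCAL',   # realm shown in the thread's event
    [string]$ServerName = 'TestSharePoint'    # server name shown in the thread's event
)
Import-Module ActiveDirectory

# 1. Pull recent Kerberos client errors and extract the fields carried in the event text.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 3, 4 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
$parsed = foreach ($e in $events) {
    $m = $e.Message
    $code = ''; $srv = ''; $realm = ''; $target = ''
    if ($m -match 'Error Code:\s*(0x[0-9A-Fa-f]+)') { $code   = $Matches[1] }
    if ($m -match 'Server Name:\s*(\S+)')           { $srv    = $Matches[1] }
    if ($m -match 'Server Realm:\s*(\S+)')          { $realm  = $Matches[1] }
    if ($m -match 'target name used was\s*(\S+)')   { $target = $Matches[1] }   # event 4 wording (assumed)
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; ErrorCode = $code; ServerName = $srv; Realm = $realm; Target = $target
    }
}
# Only the modified-ticket errors matter here; the Target column tells you which SPN IE asked for.
$parsed | Where-Object { $_.ErrorCode -eq '0x29' -or $_.Target } |
    Format-Table Time, ErrorCode, ServerName, Realm, Target -AutoSize

# 2. Who owns SPNs for this host? A duplicate (same SPN on two accounts) or an HTTP/ SPN sitting
#    on the computer account instead of the application pool account both produce 0x29 for browser users.
setspn -T $Domain -X                      # domain-wide duplicate SPN search
setspn -T $Domain -Q "*/$ServerName*"     # every SPN naming this host, with the owning account

# 3. Key freshness: a computer whose password rotated while its DCs disagreed yields 0x29 as well.
Get-ADComputer -Server $Domain -Identity $ServerName -Properties PasswordLastSet, servicePrincipalName |
    Select-Object Name, PasswordLastSet, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } }
nltest /sc_query:$Domain                  # the server's own secure channel to its domain

# 4. If the error persists after the SPNs are unique and on the right account, capture while
#    reproducing the "add user from Domain B" step in IE (built into 2008 R2, no extra tools):
# netsh trace start capture=yes tracefile=C:\temp\kerb.etl maxsize=200
# ... reproduce ...
# netsh trace stop
```

The fix that follows from step 2 is to register each HTTP/ SPN exactly once, on the account the SharePoint application pool actually runs as; the event parser in step 1 is then worth keeping as a scheduled check, since a clean server should log no 0x29 at all.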
Curt
Moderator
USA
6659 Posts
Status: offline
Posted - 08/30/2011 : 10:40:33 AM
The term "realm" is associated with a Kerberos "realm", and I see it's "External.local".
That gives me more of a belief that the trusts are not communicating on that level.
When you run SETSPN -L across the trust, do you see the Service Principal Names?
Edited by - Curt on 08/30/2011 11:35:42 AM
MadCow
Honorable But Hopeless Addict
Canada
1834 Posts
Status: offline
Posted - 08/30/2011 : 10:58:49 AM
Thanks Curt.
Yes, you are right. I am also seeing warnings where it says the trust between the domains is in an error state: "The specified domain either does not exist or could not be contacted."
Curt
Moderator
USA
6659 Posts
Status: offline
Posted - 08/30/2011 : 11:34:40 AM
There is a type of trust called a "realm" trust.
I would look into that. I really don't know your array of forests, but it would seem we are on the right track.
Once again, we see an application cannot run on a bad road.
"How Kerberos errors affect SharePoint administration".
Good reader-to-reader article.
MadCow
Honorable But Hopeless Addict
Canada
1834 Posts
Status: offline
Posted - 08/30/2011 : 11:56:06 AM
Curt, thanks.
I heard that Kerberos authentication is not passed between forests?
Curt
Moderator
USA
6659 Posts
Status: offline
Posted - 08/30/2011 : 12:47:18 PM
Well, that would be between Windows 2000 type forests, to the best of my knowledge.
But in Windows 2003 you can even set up a "realm" trust to a non-Windows "domain" that authenticates on Kerberos. Yet these are all just symptoms. My understanding is that Windows 2003 with upgraded forest functionality can pass Kerberos on a trust, but I would be glad to be enlightened by someone else with additional information.
quote: Originally posted by MadCow
Curt Thanks.
I heard the kerberos authentication is not passed between forests?