Cross-forest authentication issue: Event ID 4625 and Netlogon logs
I have 3 forests: forest A, forest B, forest C.
Forest C is new; users in forest A have never been able to authenticate.
Forest C has a one-way non-transitive trust with a domain in forest B.
Forest C has a one-way transitive forest trust with forest A.
Time is synced between the forests, the trusts have been validated, and SIDs are enumerating on objects (they can be viewed in domain local groups and Foreign Security Principals).
Users in forest A have been permissioned on devices in forest C.
Users in forest B have been permissioned on devices in forest C.
Users in forest B can authenticate to resources in forest C; users in forest A generate the error below when attempting to access the same resources. In this case an RDP session is being initialized.
An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       computer.in.forest.c$
    Account Domain:     domain.in.forest.c
    Logon ID:           0x3E7

Logon Type:             10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       userinforesta
    Account Domain:     domain.in.forest.a

Failure Information:
    Failure Reason:     An error occurred during logon.
    Status:             0xC000018B
    Sub Status:         0x0

Process Information:
    Caller Process ID:  0xb0
    Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   serverinforestcwhereresourcesarepermissioned
    Source Network Address: 10.10.10.10
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
Netlogon logging was turned up; the resulting log is below. I didn't see anything glaring in there.
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of domaininforesta\userinforesta from computerinforesta Entered
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of domaininforesta\userinforesta from computerinforesta Returns 0x0
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of domaininforesta\userinforesta from computerinforesta Entered
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of domaininforesta\userinforesta from computerinforesta Returns 0x0
07/17 13:16:54 [MISC] [544] DsGetDcName function called: client PID=1576, Dom:domaininforesta Acct:(null) Flags: RET_DNS
07/17 13:16:54 [MISC] [544] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/17 13:16:54 [MISC] [544] NetpDcGetName: domaininforesta using cached information ( NlDcCacheEntry = 0x000000ab4aa546f0 )
07/17 13:16:54 [MISC] [544] DsGetDcName: Results as follows: DCName:\\dcinforesta.domaininforesta DCAddress:\\ipv6address DCAddrType:0x1 DomainName:domaininforesta DnsForestName:foresta Flags:0xe00031fc DcSiteName:nameofdcsite ClientSiteName:nameofclientsite
07/17 13:16:54 [MISC] [544] DsGetDcName function returns 0 (client PID=1576): Dom:domaininforesta Acct:(null) Flags: RET_DNS
07/17 13:16:54 [MISC] [2556] DsGetDcName function called: client PID=4, Dom:domaininforestc.some.domain.path Acct:(null) Flags: IP KDC
07/17 13:16:54 [MISC] [2556] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/17 13:16:54 [MISC] [2556] NetpDcGetName: domaininforestc.some.domain.path cache is old. 8224062
07/17 13:16:54 [MAILSLOT] [2556] NetpDcPingListIp: domaininforestc.some.domain.path: Sent UDP ping to ipv6address
07/17 13:16:54 [MISC] [2556] NlPingDcNameWithContext: Sent 1/1 ldap pings to dcinforestc.domaininforestc..some.domain.path
07/17 13:16:54 [MISC] [2556] NetpDcAllocateCacheEntry: New entry 0x000000ab4ab36260 -> DC:dcinforestc DnsDomName:domaininforestc..some.domain.path Flags:0x73fd
07/17 13:16:54 [MISC] [2556] NlPingDcNameWithContext: dcinforestc.domaininforestc..some.domain.path responded on IP.
07/17 13:16:54 [MISC] [2556] NetpDcGetName: domaininforestc..some.domain.path using cached information ( NlDcCacheEntry = 0x000000ab4ab36260 )
07/17 13:16:54 [MISC] [2556] NetpDcDerefCacheEntry: destroying entry 0x000000ab4ab426a0
07/17 13:16:54 [MISC] [2556] DsGetDcName: Results as follows: DCName:\\dcinforestc.domaininforestc..some.domain.path DCAddress:\\ipv6address DCAddrType:0x1 DomainName:domaininforestc.some.domain.path DnsForestName:domaininforestc.some.domain.path Flags:0xe00073fd DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/17 13:16:54 [MISC] [2556] DsGetDcName function returns 0 (client PID=4): Dom:domaininforestc.some.domain.path Acct:(null) Flags: IP KDC
07/17 13:16:54 [SESSION] [1200] I_NetlogonGetAuthData called: (null) domaininforestc (Flags 0x1)
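To read the 4625 and the Netlogon excerpt above side by side, here is an added example (not code from the original post, and not a Microsoft tool) that decodes the Status / Sub Status fields of a 4625 event against a table of the NTSTATUS values that commonly appear there, and pulls the SamLogon result lines out of a Netlogon debug log. The table follows ntstatus.h: 0xC000018B is STATUS_NO_TRUST_SAM_ACCOUNT, and 0xC000018C, 0xC000018D and 0xC0000413 (selective authentication) are the other trust-related codes worth flagging for a cross-forest logon. The embedded event text and log lines are constructed to mirror the posted excerpt, with placeholder host and domain names.

```python
"""Decode a Windows 4625 logon-failure event and line it up with the SamLogon
results in a Netlogon debug log.  Added example for this thread, not code from
the original post; the embedded event and log text are constructed."""
import re

# NTSTATUS values commonly seen in the Status / Sub Status fields of 4625
# (identifiers as in ntstatus.h).  The trust-related group is the one to watch
# when the failing account lives in another domain or forest.
NTSTATUS = {
    0xC000005E: ("STATUS_NO_LOGON_SERVERS", "no logon servers available"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "user name does not exist"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "wrong password"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "bad user name or authentication information"),
    0xC0000133: ("STATUS_TIME_DIFFERENCE_AT_DC", "clock skew with the DC too large"),
    0xC000015B: ("STATUS_LOGON_TYPE_NOT_GRANTED", "logon type not granted to the account"),
    0xC000018B: ("STATUS_NO_TRUST_SAM_ACCOUNT", "DC has no trust account for this trust relationship"),
    0xC000018C: ("STATUS_TRUSTED_DOMAIN_FAILURE", "trust between primary and trusted domain failed"),
    0xC000018D: ("STATUS_TRUSTED_RELATIONSHIP_FAILURE", "trust between workstation and primary domain failed"),
    0xC0000413: ("STATUS_AUTHENTICATION_FIREWALL_FAILED", "blocked by selective authentication"),
}
TRUST_CODES = {0xC000018B, 0xC000018C, 0xC000018D, 0xC0000413}

def decode_status(code):
    """Map an NTSTATUS value to (name, description); unknown codes get a placeholder."""
    return NTSTATUS.get(code, ("UNKNOWN_0x%08X" % code, "not in local table"))

def parse_4625(text):
    """Parse 'Label: value' lines into {section: {label: value}}.  A line that is
    only 'Label:' opens a section; top-level lines such as 'Logon Type: 10' land
    under whatever section is current, so look them up with find_field."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        label, sep, value = line.partition(":")
        if sep:
            sections.setdefault(current, {})[label.strip()] = value.strip()
    return sections

def find_field(sections, label):
    """First value carrying this label in any section."""
    return next((f[label] for f in sections.values() if label in f), None)

def summarize_4625(text):
    """Decode the fields that matter for a cross-forest logon failure."""
    ev = parse_4625(text)
    target, info = ev["Account For Which Logon Failed"], ev["Failure Information"]
    status, sub = int(info["Status"], 16), int(info["Sub Status"], 16)
    effective = sub or status  # Sub Status is the specific reason when it is non-zero
    name, desc = decode_status(effective)
    return {"user": f"{target['Account Domain']}\\{target['Account Name']}",
            "logon_type": int(find_field(ev, "Logon Type")),
            "package": find_field(ev, "Authentication Package"),
            "status": effective, "status_name": name, "description": desc,
            "trust_related": effective in TRUST_CODES}

# Netlogon result line, e.g. "... [LOGON] [544] SamLogon: Network logon of DOM\user from WS Returns 0x0"
SAMLOGON_RE = re.compile(
    r"\[LOGON\] \[\d+\] SamLogon: (\w+) logon of (\S+) from (\S+) Returns (0x[0-9A-Fa-f]+)")

def netlogon_samlogon_results(log):
    """Return [(kind, DOMAIN\\user, workstation, NTSTATUS name)] for each SamLogon 'Returns' line."""
    return [(kind, user, ws, decode_status(int(code, 16))[0] if int(code, 16) else "STATUS_SUCCESS")
            for kind, user, ws, code in SAMLOGON_RE.findall(log)]

def triage(event_text, netlogon_text):
    """Put the resource server's 4625 next to the DC's SamLogon results."""
    summary = summarize_4625(event_text)
    summary["samlogon_results"] = netlogon_samlogon_results(netlogon_text)
    summary["dc_samlogon_failures"] = [r for r in summary["samlogon_results"] if r[3] != "STATUS_SUCCESS"]
    return summary

# Constructed sample event shaped like the 4625 posted in the thread (placeholder names).
SAMPLE_4625 = """\
An account failed to log on.
Subject:
    Account Name:       SERVERINFORESTC$
    Logon ID:           0x3E7
Logon Type:             10
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       userinforesta
    Account Domain:     DOMAIN.IN.FOREST.A
Failure Information:
    Failure Reason:     An error occurred during logon.
    Status:             0xC000018B
    Sub Status:         0x0
Detailed Authentication Information:
    Authentication Package: Negotiate
"""

# Constructed Netlogon debug-log excerpt: network logons that returned 0x0, as in the thread.
SAMPLE_NETLOGON = """\
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of DOMAININFORESTA\\userinforesta from COMPUTERINFORESTA Entered
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of DOMAININFORESTA\\userinforesta from COMPUTERINFORESTA Returns 0x0
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of DOMAININFORESTA\\userinforesta from COMPUTERINFORESTA Returns 0x0
"""
```

Run `triage(SAMPLE_4625, SAMPLE_NETLOGON)` and the result names the failing account as DOMAIN.IN.FOREST.A\userinforesta, logon type 10 via Negotiate, with an effective status of 0xC000018B STATUS_NO_TRUST_SAM_ACCOUNT flagged as trust-related, while `dc_samlogon_failures` is empty because every SamLogon result in the sample log is 0x0. When Sub Status is non-zero it is the more specific code (for example Status 0xC000006D with Sub Status 0xC000006A is a wrong password), which is why the summary prefers it; codes not in the short table are reported as UNKNOWN_0x... and should be looked up in ntstatus.h.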
Hi,
Thanks for the response.
Please have a look at this:
Accessing Resources Across Forests
http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx
Cross-Forest Kerberos Authentication and Delegation of Client Credentials
A similar thread has been discussed:
Cross-Forest Authentication Failure
Regards.
Vivian Wang
TechNet Community Support