
User authentication fails - implemented ESAE (cross-forest trust)

Open · mascr opened this issue 4 years ago · 4 comments

Describe the bug: User authentication fails with the error [screenshot] if the user is a member of the ESAE / Admin forest.

Access Manager installation

  • OS: Windows Server 2019
  • Version: 1.0.7925.0

Additional context: Details about the trust: [screenshot]

Logs

2021-07-14 17:39:48.3133|ERROR|Lithnet.AccessManager.Service.Controllers.ComputerController|The request failed because the information about the authenticated user could not be found
Lithnet.AccessManager.DirectoryException: DsBind failed ---> System.ComponentModel.Win32Exception (1355): The specified domain either does not exist or could not be contacted.
--- End of inner exception stack trace ---
at Lithnet.AccessManager.DiscoveryServices.FindDcAndExecuteWithRetry[T](String server, String domain, DsGetDcNameFlags flags, DcLocatorMode mode, Func`2 action) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\DiscoveryServices.cs:line 133
at Lithnet.AccessManager.DiscoveryServices.FindDcAndExecuteWithRetry[T](String domain, DsGetDcNameFlags flags, Func`2 action) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\DiscoveryServices.cs:line 70
at Lithnet.AccessManager.DiscoveryServices.FindDcAndExecuteWithRetry[T](Func`2 action) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\DiscoveryServices.cs:line 45
at Lithnet.AccessManager.ActiveDirectory.GetDirectoryEntry(String nameToFind, DsNameFormat nameFormat) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 642
at Lithnet.AccessManager.ActiveDirectory.GetDirectoryEntry(SecurityIdentifier nameToFind) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 657
at Lithnet.AccessManager.ActiveDirectory.FindUserInGc(String objectName) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 490
at Lithnet.AccessManager.ActiveDirectory.GetUser(String name) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 54
at Lithnet.AccessManager.Service.AppSettings.HttpContextAuthenticationProvider.GetLoggedInUser() in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Service\Authentication\HttpContextAuthenticationProvider.cs:line 44
at Lithnet.AccessManager.Service.Controllers.ComputerController.TryGetUser(IUser& user, IActionResult& failure) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Service\Controllers\ComputerController.cs:line 592

mascr, Jul 14 '21 16:07

@mascr

Just confirming that I have received this and can reproduce it. The underlying issue is that AMS is trying to call DsCrackNames to convert the logged-on user's SID to a directory DN, so it can look up the user's details. DsCrackNames returns a referral to the red forest, which AMS follows, but subsequently fails, because the AMS server is unable to authenticate to the DC in the red forest to obtain information about the user, due to the one-way trust.

I'll need some time to work through this one, as it's a very complex case.

ryannewington, Jul 16 '21 22:07
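The failure described above comes down to two facts about the AMS server's environment: the authenticated user's SID belongs to a domain outside the local forest, and the trust toward that forest does not let the AMS server authenticate to its DCs. The following diagnostic is an added example, not code from the issue or from the Access Manager project; it runs on the AMS server, assumes the ActiveDirectory RSAT module is installed, and takes the affected user's SID as a placeholder parameter. It reports whether the SID is foreign, how each trust is configured, and whether a DC in the trusted forest can be located at all (the DsGetDcName lookup that returned error 1355 in the log).

```powershell
# Added diagnostic for the one-way trust case; not part of Lithnet Access Manager.
# Assumes the ActiveDirectory module is available and the script runs on the AMS server.
param(
    # Placeholder: SID of a user from the admin (red) forest, e.g. 'S-1-5-21-...-1105'
    [Parameter(Mandatory)][string]$UserSid
)

Import-Module ActiveDirectory

$sid       = [System.Security.Principal.SecurityIdentifier]$UserSid
$domainSid = $sid.AccountDomainSid.Value

# Step 1: does the SID's domain belong to the local forest? If so, no referral
# to another forest is involved and this issue does not apply.
$localDomainSids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

if ($localDomainSids -contains $domainSid) {
    Write-Output "Domain SID $domainSid is in the local forest; no cross-forest referral needed."
    return
}
Write-Output "Domain SID $domainSid is foreign; a SID-to-DN lookup will be referred to the other forest."

# Step 2: show every trust with its direction as seen from the local domain.
# Anything other than BiDirectional means one side cannot authenticate to the other,
# which is the condition that makes the referred lookup fail.
Get-ADTrust -Filter * | ForEach-Object {
    $target = $_.Target
    Write-Output ("Trust to {0}: Direction={1}, ForestTransitive={2}" -f
        $target, $_.Direction, $_.ForestTransitive)

    # Step 3: DC locator test toward the trusted forest. This is the same kind of
    # DsGetDcName call that failed with Win32 error 1355 in the logged stack trace.
    $result = & nltest.exe "/dsgetdc:$target" 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Output "  DC located: $(($result | Select-Object -First 1).ToString().Trim())"
    } else {
        Write-Output "  DC lookup failed (exit $LASTEXITCODE): $($result -join ' ')"
    }
}
```

A foreign domain SID together with a non-bidirectional trust, or a failed DC lookup toward the trusted forest, reproduces the precondition for the DsBind error shown in the logs.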

Hello, I have the same situation. If I can help in any way with some tests, let me know. Regards, Red.

red-erik, Jul 01 '22 08:07

Hello, any news on that?

Regards, Red.

red-erik, Feb 26 '24 10:02

Unfortunately, no progress on this. There hasn't been enough demand from our customers to prioritize ESAE at this stage.

ryannewington, Feb 29 '24 20:02