Windows 7 Authentication to Trusted Domain

  • Question

  • Hey all,

    I have a trust set up between two Windows 2003 domains and the setup was pretty straightforward. After the setup I am able to share resources between the two domains. One problem that I am having, though, is logging in interactively from a computer that is joined to domain A using an account in domain B. I am able to accomplish this on Windows XP, but I am having a hard time figuring out why I can't do the same on a Windows 7 machine. Yes, I am using the correct format to point to the domain I am trying to log in to: domain\username. I have also tried using username@domain to no avail.

    One thing I did notice when logging in to some Windows 7 machines is I get a message stating something like "I am not allowed to log in locally with my user account" or something similar.

    I have also tested to see if the client is able to reach the domain for authentication and I can confirm that it does, because when I use a wrong password I get a message stating that the password was wrong.

    Please let me know if you know of any solution that could fix this or if Windows 7 is unable to do cross-domain authentication on a Windows Server 2003 domain.

    Smart

    Tuesday, April 26, 2011 4:56 PM

Answers

  • Based on your errors, I might try adding the TRUSTEDDOMAIN\Domain Users into the "Allowed to Log In Locally" Security Options in the Local Policy.

    Or you can add the TRUSTEDDOMAIN\Domain Users into the Local "Users" Group as this group already has "Allowed to Log In Locally"... Not sure if this will work with external trusts but if it does, then both methods should work OK...

    If these methods work, then I would investigate adding the TRUSTEDDOMAIN\Domain Users into the TRUSTINGDOMAIN\Domain Users Group... once again, I'm a little shady on whether this will work but the group is a Local Group so it should work but it will need to be tested...
    • Proposed as answer by MikeFi Tuesday, April 26, 2011 8:37 PM
    • Marked as answer by smartaem Friday, May 20, 2011 2:41 PM
    Tuesday, April 26, 2011 5:38 PM
  • You need to enable Allow Cross-Forest User Policy and Roaming User Profiles in group policy to allow authentication in another domain using Kerberos/NTLM. Interactive logon & other settings are applied once you enable this option in the GPO.

    http://www.boyce.us/gp/gpcontent.asp?ID=75

    I would like to point out one more hotfix apart from the one Arthur_Li has provided.

    http://support.microsoft.com/kb/941761/en-us

    Regards

    Awinish Vishwakarma

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, April 27, 2011 3:42 AM
  • Hi,

    You may place the Windows 7 clients in the same OU as the Windows XP clients. In this way, the same Group Policies “Allow log on locally” and “Allow Cross-Forest User Policy and Roaming User Profiles” will be applied to the new Windows 7 clients.

    If not, please create a new OU and link the new GPO to apply the Group Policies “Allow log on locally” and “Allow Cross-Forest User Policy and Roaming User Profiles”.

    In addition, please also read the following Microsoft KB article:

    A user in a trusted external domain cannot log on to a Windows Server 2003-based domain even though the "Allow Cross-Forest User Policy and Roaming User Profiles" Group Policy setting is enabled

    http://support.microsoft.com/kb/896683

    Regards,

    Wednesday, April 27, 2011 3:20 AM
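
A read-only check for the settings named in the answers above, as an added example that is not part of the original thread: it lists who holds "Allow log on locally" and "Deny log on locally" on the client, whether the trusted-domain group is in the local Users group, and whether the cross-forest policy value is set. `TRUSTEDDOMAIN\Domain Users` is the thread's placeholder, the helper function names are made up for this example, and the local group is assumed to be named `Users` (English-language Windows).

```powershell
# Added example, not from the thread. Run elevated on the Windows 7 client.
# Assumptions: $Principal is the thread's placeholder group name; the local
# group is named 'Users' (English-language Windows).
$Principal = 'TRUSTEDDOMAIN\Domain Users'

function Resolve-RightEntry([string]$Entry) {
    # secedit writes each holder as *<SID> or as a plain account name.
    $e = $Entry.Trim()
    if (-not $e.StartsWith('*')) { return $e }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID could not be resolved; show it raw
}

function Get-UserRight([string]$Right, [string]$InfPath) {
    # Return the resolved accounts that hold $Right in the exported policy.
    $line = Get-Content $InfPath | Where-Object { $_ -match "^$Right\s*=" }
    if ($line) { (($line -split '=', 2)[1] -split ',') | ForEach-Object { Resolve-RightEntry $_ } }
}

# Export only the user-rights section of the effective local security policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$allow = @(Get-UserRight 'SeInteractiveLogonRight' $inf)      # Allow log on locally
$deny  = @(Get-UserRight 'SeDenyInteractiveLogonRight' $inf)  # Deny log on locally
Remove-Item $inf

# Members of the local Users group, as WinNT://DOMAIN/name paths.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })

# Machine policy value behind "Allow Cross-Forest User Policy and Roaming User Profiles".
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$xf  = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'AllowX-ForestPolicy-and-RUP'

New-Object PSObject -Property @{
    Principal         = $Principal
    AllowLogOnLocally = $allow -join '; '
    DenyLogOnLocally  = $deny -join '; '
    GrantedDirectly   = $allow -contains $Principal
    InLocalUsersGroup = $members -contains ('WinNT://' + $Principal.Replace('\', '/'))
    DeniedDirectly    = $deny -contains $Principal
    CrossForestPolicy = ($xf -eq 1)
} | Format-List
```

A deny entry takes precedence over an allow entry, so a group that appears in both lists still cannot log on interactively.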
