Reset password at next login not working for users, when using a computer from a Trusted Forest

    Question

  • Hi All,

    Not sure if this is even the right place to ask this but I shall give it a go and see what happens. - Also I don't know if what I am asking is even possible.

    As part of a user migration project I am moving users from Forest A to a Child Domain in Forest B. A 2 way transitive forest trust has been configured between forest A & B. New accounts have been created, SIDhistory is being used for file access and users are able to login to the Forest A Workstation using their Child Domain of Forest B username and password.

    However when a user forgets their password and rings the helpdesk the service desk are setting the user must reset password at next login option on the user object in AD (nothing wrong with this). When the user attempts to login to the computer on Forest A using their Child Domain of Forest B username and the password given to them by the service desk an error is given and the login fails. (error message from the workstation is "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you")

    Removing the tick on the AD object for the user for change password at next login and asking the users to reset their passwords using the Alt Ctrl & Del then selecting change password works as expected no problem.

    Should this be working as expected, in that the user should be able to change their password, or is what I am seeing correct and users can't change their passwords at first login using a trusted forest's computer objects?

    Thanks in advance!



    Wednesday, November 23, 2016 6:12 PM

All replies

  • Hi,
    When a user in one forest needs access to a resource in a remote trusting domain, the process is this:
    • The client contacts a KDC in its own domain
    • The KDC supplies the client with what is known as a referral ticket for the remote domain
    • The client sends the referral ticket to a KDC in the trusting forest
    • The trusting KDC recognizes the validity and authenticity of the referral ticket
    • A service ticket is granted to the user for the service in the remote domain
    The remote server then tries to validate the authenticity of the trusted user against its own domain. If the server in the trusting domain cannot contact any Domain Controllers in the trusted domain on tcp/88, the validation process will fail and you might see the error message "The system detected a possible attempt to compromise security". In this case, please check the firewalls between the two domains and see if any traffic towards port 88 is getting dropped. Please refer to:
    You receive a "The system has detected a possible attempt to compromise security" error message when you try to include security settings for a user from different domain in a local domain folder
    https://support.microsoft.com/en-sg/kb/938457
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, November 25, 2016 6:17 AM
    Moderator
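    The following is an added example, not part of the thread: a PowerShell check, run from a Forest A workstation, that locates the KDCs of the trusted Forest B child domain through the Kerberos SRV record and tests whether each answers on TCP/88, which is the reachability condition the reply above describes. The domain name is a placeholder.

    ```powershell
    # Added example (not from the thread). From a Forest A workstation, verify that
    # the KDCs of the trusted Forest B child domain are reachable on TCP/88.
    param(
        # Placeholder; replace with the real child domain of Forest B.
        [string]$TrustedDomain = 'child.forestb.example'
    )

    # Clients discover KDCs through this SRV record, so query the same one.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop

    # Test a TCP connection to port 88 on every KDC the record lists.
    $results = foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port 88 -WarningAction SilentlyContinue
        [pscustomobject]@{
            KDC       = $rec.NameTarget
            Priority  = $rec.Priority
            Tcp88Open = $tcp.TcpTestSucceeded
        }
    }

    $results | Format-Table -AutoSize

    # With no KDC reachable on TCP/88 the referral step cannot complete and logon
    # fails with the "possible attempt to compromise security" error from the question.
    if (-not ($results | Where-Object { $_.Tcp88Open })) {
        Write-Warning "No KDC in $TrustedDomain is reachable on TCP/88; check firewall rules between the forests."
    }
    ```

    A KDC that resolves but shows Tcp88Open as False points at a firewall drop between the forests rather than at the user object itself.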
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate you marking them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Tuesday, November 29, 2016 4:44 AM
    Moderator