SharePoint 2013, cross domain security groups not authenticating users

    Question

  • Hi,

    We've got a SharePoint 2013 farm hosted in a top level domain, users are located in the same top level domain and in a sub domain.

    To sketch the environment:
    Domain A, company.com - SharePoint servers are part of this domain.
    Domain B, sub.company.com

    Within SharePoint we're able to find and resolve users and security groups from domains A & B, however security groups added from Domain B don't actually provide permissions to the users in those groups.

    We've got:
    - Users from Domain A in security groups from Domain B and vice versa.
    - Users from Domain A in security groups from Domain A, same for domain B.
    - Security groups from Domain B embedded in security groups from Domain A.
    - *Note, there are NO groups from Domain A in groups from Domain B.

    The situation:
    - Providing users from Domain A with direct permissions (read/contribute/etc) in SharePoint works.
    - Providing users from Domain B with direct permissions (read/contribute/etc) in SharePoint works.
    - Providing groups from Domain A with direct permissions (read/contribute/etc) in SharePoint works.
    - Providing groups from Domain B with direct permissions (read/contribute/etc) in SharePoint *does not* work. Groups can be added and resolved in SharePoint, however a 'check permissions' on users from this group results in 'No permissions'.
    - Adding a group from Domain B as a member of a group in Domain A, within active directory, and providing the group from Domain A with permissions in SharePoint, results in members from the Domain B group having permissions in SharePoint!

    The sub domain has a full trust with the top level domain, which is within the same forest.

    To emphasize this, the security groups from both domains can be found and resolved using people picker in SharePoint, they can be added with permissions without any errors. Users contained in groups from Domain B simply do not receive permissions *unless* the group is wrapped in a group from Domain A.

    This has been tested with various users from both domains, with various groups from both domains. All security groups are universal, however tests were conducted with local and global groups as well, no situation leads to the desired result.

    Thanks in advance for any guidance!

    Regards,
    Mike

    Thursday, November 5, 2015 10:04 AM

All replies

  • Hi,

    Check if below article helps you fix the issue.

    https://swapnilkh.wordpress.com/access-denied-for-users-given-permission-through-ad-security-group-sharepoint-2013/

    Mark as "Answered" if above is helpful.

    Thursday, November 5, 2015 10:59 AM
  • Hi Sunny,

    Tried the steps provided, alas the issue is not fixed.

    Rgds,

    Mike

    Thursday, November 5, 2015 2:43 PM
  • SharePoint isn't able to crack nested groups open. You need to add the AD groups directly to SharePoint.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, November 5, 2015 4:46 PM
    Moderator
  • Please read following article:

    https://technet.microsoft.com/en-us/library/cc261972.aspx


    sachin

    Thursday, November 5, 2015 6:21 PM
  • Hey Trevor,

    Mike and I are working on this issue together and we have mainly experienced situation bullet #4. That is, adding the AD group from Domain B directly to a SharePoint group. Users from Domain A added to this AD group from Domain B do NOT get permissions in SharePoint at all. Very weird.

    grtz,

    Octavie


    w: http://blog.octavie.nl | t: @eivatco | c: http://mavention.codeplex.com | c: http://www.mavention.nl

    Friday, November 6, 2015 11:18 AM
  • Hi!

    Does your user profile synchronization service sync all the users and groups involved in your SP-environment from both domain A and domain B?

    Try that, and wait a while after sync so SP could push the new settings and group memberships to the site collection.

    Wednesday, June 15, 2016 4:43 PM
  • UPSA is not involved in Site Permissions.

    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, June 15, 2016 4:44 PM
    Moderator
  • Correct, SharePoint does not understand foreign security principals, which is what you get when you add users to a group from a different domain. You must add the group from the domain the users reside in. This is expected behavior.

    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, June 15, 2016 4:48 PM
    Moderator
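A diagnostic script, added here and not from the thread, that checks the three things the replies hinge on: how Domain B stores the Domain A user's membership (a foreign security principal shows up with that objectClass), whether the Domain B group SID actually lands in the user's token as computed by a Domain A domain controller (where the SharePoint servers are), and what SharePoint itself reports for that login. The site URL, user and group names are placeholders.

```powershell
# Added diagnostic, not from the thread. Assumes a SharePoint 2013 farm server with the
# SharePoint snap-in and the RSAT ActiveDirectory module; names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$WebUrl      = "https://intranet.company.com"   # placeholder site collection URL
$UserDomain  = "company.com"                    # Domain A, where the user lives
$UserSam     = "alice"                          # placeholder Domain A user
$ClaimLogin  = "i:0#.w|company\alice"           # same user, Windows-claims encoded
$GroupDomain = "sub.company.com"                # Domain B, where the group lives
$GroupName   = "SP-Readers"                     # placeholder Domain B security group

# 1. How does Domain B store the membership? A member from another domain that is
#    represented as a foreign security principal comes back with that objectClass.
$members = Get-ADGroupMember -Identity $GroupName -Server $GroupDomain
$members | Format-Table objectClass, SamAccountName, SID -AutoSize

# 2. Does a DC in Domain A (where the SharePoint servers are) put the Domain B group
#    SID into the user's token? tokenGroups is the fully expanded (nested) SID list.
$groupSid = (Get-ADGroup -Identity $GroupName -Server $GroupDomain).SID.Value
$user     = Get-ADUser -Identity $UserSam -Server $UserDomain -Properties tokenGroups
$inToken  = $user.tokenGroups | Where-Object { $_.Value -eq $groupSid }
"Group SID {0} present in {1}'s token groups: {2}" -f $groupSid, $UserSam, [bool]$inToken

# 3. What does SharePoint itself say for this login on the site?
$web = Get-SPWeb $WebUrl
try {
    $canRead = $web.DoesUserHavePermissions($ClaimLogin,
        [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
    "SharePoint grants '{0}' read on {1}: {2}" -f $ClaimLogin, $WebUrl, $canRead
} finally {
    $web.Dispose()
}

# Reading the result: if step 2 is False, the SID never reaches the user's token on a
# Domain A member, so no SharePoint setting can grant through that group; if step 2 is
# True but step 3 is False, rerun step 3 with the same group nested inside a Domain A
# group, which is the only configuration the thread found to work.
```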