Can't Access SharePoint page from Trusted domain PC


  • Hey Guys,

     I can't seem to figure out what I'm missing. First off:

    I originally had a 2008 R2 domain and forest functional level, along with SharePoint Server 2010 running on SQL 2012.
    We ran split DNS for our public-facing domain, while the internal domain consisted of an old company name with the .local suffix.
    The plan was to create a new domain, that of the new company name, while removing the old .local suffix.
    Old Domain (2008 R2):  consto.local
    New Domain (2016):     Cons.ca 

    I created a test environment of this and began working on a cutover plan.
    I created two 2016 Core DCs and thus created a whole new forest and domain (Cons.ca).

    Spun up a new 2016 Core SQL server and set up the required instances.
    Manually migrated and updated service accounts, using gMSAs where applicable.
    I created a staging 2013 SQL instance and front-end server to upgrade the content database accordingly.

    After a good while stripping out 3rd-party solutions that were either deprecated or not supported by SP 2016, I managed to set up a working version of our 2010 SP site on a whole new SP 2016 farm (even managed to find a supported matching theme) :D
    This required me to change from classic authentication to claims authentication, which I converted in 2013 before importing the content database to the 2016 SharePoint farm.

    So, originally the plan was to do a full manual cut-over of all the other content databases and internal users (I also set up and configured the latest Exchange server and manually migrated user mailbox databases :D). After more consideration of how long that would take, and sadly how near impossible it would be to actually implement, I decided to go with the trusted forest/domain route. I basically followed this, and managed to take the controlled zone that the consto.local DNS had for the cons.ca zone, and granted the new 2016 DCs (cons.ca) authority for the domain (cons.ca).

    Amazingly, I was able to see users in the SP 2016 People Picker, and it even showed up with the claims token under the page's permission listing. However, here's what I've noticed.

    Much like the users in the listed blog post, when I navigate to the SharePoint 2016 site from a computer that's joined to the consto.local domain (with all Integrated Windows settings enabled for both domains), it will prompt me for a username and password, and no matter how I enter the username and password, as FQUPN (consto.local\user) or (user@consto.local), it will just constantly pop up the credentials box. However, if I enter the credentials of the site collection admin of the cons.ca domain (without specifying the domain, just the username), it will indeed finally load the page.

    What am I missing?!?! It seems like the SharePoint page is only authenticating people from its local domain and not from any trusted domains, even though the trust is 100% validated (forest, transitive, two-way).

    *NOTE* I created the same users in cons.ca that were in consto.local BEFORE creating the trust, and no migration of users has taken place. So AFAIK I have two distinct users, consto.local\user and cons.ca\user.

    Not sure if this is maybe causing a problem?
    • Edited by Zewwy Tuesday, October 24, 2017 2:42 PM
    Tuesday, October 24, 2017 2:35 PM


  • Funny how I note a particular caveat in my particular case and it appears to be the root cause.

    Further testing found the following. I created a clone of my standard account in the consto.local domain and gave it a unique name I know I didn't create in the cons.ca domain.

    I log into a newly domain-joined system with no GPOs defined. So, sure enough, without the intranet sites defined, when I navigate to my SharePoint 2010 site (hosted on the consto.local domain) via this newly created account, I get a credential pop-up (as expected). I enter the username WITHOUT defining the domain (e.g. nuser) and enter the password. The site loads without issue.

    I then did as I did before: on my SharePoint 2016 site, as a site collection admin, I granted (or as SP 2016 loves to state it, "shared") the site with the newly created consto.local\nuser and gave it Contribute permissions.

    Sure enough, when I navigate to the SharePoint 2016 site (cons.ca domain) I get a credentials pop-up (again because the intranet site auth pass-through is not configured). Again I enter the username WITHOUT specifying the domain (e.g. nuser), and the site loaded!!! Finally!!!

    Why is it that a claims-based SharePoint site cannot differentiate accounts of the same name from two different domains, when you specify the unique user to use in the forms auth of the credential pop-up, when you have the same username on two different domains??

    • Marked as answer by Zewwy Wednesday, July 4, 2018 2:08 PM
    Tuesday, October 24, 2017 6:02 PM
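
An added example, not part of the original thread: the following PowerShell, run in the SharePoint 2016 Management Shell on a cons.ca front-end server, shows the two mechanisms behind the symptom above. A bare username submitted at the Windows credential prompt is resolved by the web server's LSA (local machine first, then its own domain, then trusted domains), so the first match wins and SharePoint never sees a domain choice; separately, the Windows claims login name SharePoint stores always carries the domain, so consto\nuser and cons\nuser are two distinct site users whose encoded identities you can compare directly. The site URL and the account name nuser are assumptions taken from the thread, not real values.

```powershell
# Added example (not from the original thread). Run in the SharePoint 2016
# Management Shell on a cons.ca web front end. The URL, domain names and the
# account "nuser" are assumptions taken from the thread, not real values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "https://intranet.cons.ca"               # assumed site collection URL
$bareName   = "nuser"                                   # name typed with no domain prefix
$candidates = @("consto\$bareName", "cons\$bareName")   # same sAMAccountName in both domains

# 1. Which account does *this server* resolve a bare name to?
#    LSA checks the local machine, then its own domain, then trusted domains,
#    so whichever domain matches first is the one the browser prompt logs in as.
function Resolve-BareName([string]$name) {
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Typed = $name; ResolvedTo = $canonical; Sid = $sid.Value }
    } catch {
        [pscustomobject]@{ Typed = $name; ResolvedTo = "<unresolved: $($_.Exception.Message)>"; Sid = $null }
    }
}
Resolve-BareName $bareName | Format-List

# 2. Windows claims identities carry the domain (i:0#.w|DOMAIN\user), so
#    consto\nuser and cons\nuser are different SPUsers. Check which of them
#    is actually present on the site and what it has been granted.
$web = Get-SPWeb $siteUrl
foreach ($acct in $candidates) {
    $claim   = New-SPClaimsPrincipal -Identity $acct -IdentityType WindowsSamAccountName
    $encoded = $claim.ToEncodedString()       # e.g. i:0#.w|consto\nuser
    $spUser  = Get-SPUser -Web $web -Identity $encoded -ErrorAction SilentlyContinue
    if (-not $spUser) {
        "{0,-14} -> {1,-26} NOT in the site's user list" -f $acct, $encoded
        continue
    }
    try {
        # Direct role assignment on the web; throws if the user only has
        # rights through a group, which is reported as such below.
        $ra    = $web.RoleAssignments.GetAssignmentByPrincipal($spUser)
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0,-14} -> {1,-26} granted directly: {2}" -f $acct, $encoded, $roles
    } catch {
        "{0,-14} -> {1,-26} present, rights only via group membership" -f $acct, $encoded
    }
}
$web.Dispose()
```

If step 1 reports the bare name resolving to the cons.ca copy of an account that also exists in consto.local, that is the server choosing for you; granting the consto.local user in step 2 does not change which account the credential prompt authenticates as. Use the fully qualified DOMAIN\user form, or distinct account names, when both domains must stay in play.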