Sharepoint site access: failed to authenticate using trusted domain credential

  • Question

  • Hi All,

    We have a two-way trust between our SharePoint domain (domain A) and an external domain (domain B). Since it is a two-way trust, we can find domain B's users from the people picker and add them to the SharePoint site. However, when we try to access the SP site using a domain B user account, it cannot authenticate the user and keeps prompting for authentication. The only event log that the client sent me is shown below.

    Is there any configuration I missed to allow SP access from the trusted domain? Any help is greatly appreciated.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          25/07/2011 10:40:07
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      KBAC05.abc.com
    Description:
    An account failed to log on.

    Subject:
            Security ID:                NULL SID
            Account Name:                -
            Account Domain:                -
            Logon ID:                0x0

    Logon Type:                        3

    Account For Which Logon Failed:
            Security ID:                NULL SID
            Account Name:                itsscsp
            Account Domain:                xyz_con

    Failure Information:
            Failure Reason:                The user has not been granted the requested logon type at this machine.
            Status:                        0xc000015b
            Sub Status:                0x0

    Process Information:
            Caller Process ID:        0x0
            Caller Process Name:        -

    Network Information:
            Workstation Name:        KBC05 
            Source Network Address:        ::1
            Source Port:                61812

    Detailed Authentication Information:
            Logon Process:                NtLmSsp
            Authentication Package:        NTLM
            Transited Services:        -
            Package Name (NTLM only):        -
            Key Length:                0

    Thursday, August 4, 2011 10:44 AM

Answers

  • If you are using Windows auth in SharePoint (NTLM or Kerberos), I would check if users have the "access this computer from the network" policy on the SharePoint servers.
    • Marked as answer by JPOlas Friday, September 2, 2011 5:10 AM
    Thursday, August 4, 2011 6:55 PM
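
The event in the question shows Logon Type 3 (network) with Status 0xc000015b, which is the failure Windows records when the account lacks the right for that logon type. The following is an added example, not code from the thread, of how to check this on the server: it lists recent 4625 events with that status, then shows which principals hold `SeNetworkLogonRight` ("Access this computer from the network") or are listed under `SeDenyNetworkLogonRight`. The 500-event window and the temporary file name are choices made for this example.

```powershell
# Added example, not from the thread. Run elevated on the SharePoint server.

# 1. List recent 4625 failures whose Status is 0xC000015B (logon type not granted).
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue
foreach ($evt in $failures) {
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($data['Status'] -eq '0xc000015b') {
        '{0:u}  {1}\{2}  LogonType={3}  Package={4}' -f $evt.TimeCreated,
            $data['TargetDomainName'], $data['TargetUserName'],
            $data['LogonType'], $data['AuthenticationPackageName']
    }
}

# 2. Export the server's user-rights assignment and show who holds, or is
#    denied, "Access this computer from the network".
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # temp file name chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal {
    param([string]$Entry)
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already an account name
    $sid = $Entry.Substring(1)                           # secedit writes SIDs as *S-1-...
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $sid   # SID could not be resolved from this server
    }
}

foreach ($right in 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
    $hit = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $hit) { "${right}: (not defined)"; continue }
    "${right}:"
    ($hit.Line -split '=', 2)[1] -split ',' | ForEach-Object { '    ' + (Resolve-Principal $_) }
}
Remove-Item $cfg
```

A trusted-domain account must be covered by an entry under `SeNetworkLogonRight`, directly or through a group, and must not be covered by an entry under `SeDenyNetworkLogonRight`.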
  • Hi,

    Is KBAC05.abc.com the DC of domain abc.com?

    If a user or application is authenticated by one domain, its authentication is accepted by all other domains that trust the authenticating domain. Users in a trusted domain have access to resources in the trusting domain, subject to the access controls that are applied in the trusting domain.

    Access control allows authenticated users to use the resources (files, folders, and virtual containers) that they are authorized to use and prohibits them from using (or even seeing) resources that they are not authorized to use.

    Please double check if you allow trusted domain users to access your SharePoint server.

    Thanks,

    Rock Wang

    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, August 10, 2011 9:09 AM

All replies

  • On the site collection level, try to add "NT authority\Authenticated users" to the correct SharePoint Group. This basically allows all users who are authenticated (to any domain) to have access to SharePoint.

    In another scenario, I had to explicitly add the trusted domain users (via a group) to the information policy of the web app from Central Administration.


    Joseph Saad - SharePoint 2010 MCITP, MCSE, CCIE RS 20243
    Thursday, August 4, 2011 7:02 PM
  • Hi Andresm53,

    I will check this and update the result later. Thank you.


    Wednesday, August 10, 2011 6:12 AM
  • Hi Joseph,

    Let's say I have a SharePoint group called "Visitor" that is given read-only permission. Adding "NT authority\Authenticated users" to the "Visitor" group will allow all authenticated users to have read access to the site, but what if I want to allow only certain trusted domain users access?

    I can't find the information policy of the web app; can you be more specific about where to configure it? I wonder why I need to do this when I only want to allow trusted domain users to access a certain site collection or subsite.

    Wednesday, August 10, 2011 6:33 AM