Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

  • Question

  • I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest from our offices. Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2. We have set up two-way forest trusts with our office domains using selective authentication. We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain. On the server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain. However, after installing a 2012 R2 domain controller in an office domain, we cannot use the 2012 domain controller to browse to the objects in the licensing domain. It never asks for credentials for the licensing domain when we specify the objects we want to add from the licensing domain. It simply states that the object cannot be found. When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that is logged on and this is failing since this user has no rights in the licensing domain. I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has. Can somebody tell me why this is happening and how to correct it?
    Thursday, December 5, 2013 8:08 PM

Answers

  • Hi,

    Based on my research, this is a known issue in Windows Server 2012 R2.

    According to the article below: “The Selective Authentication feature of selective trusts is not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.

    Release Notes: Important Issues in Windows Server 2012 R2

    http://technet.microsoft.com/en-us/library/dn387077.aspx

    Best Regards,

    Amy Wang

    • Marked as answer by Smurph67 Friday, December 6, 2013 2:40 PM
    Friday, December 6, 2013 10:01 AM
    Moderator
  • Amy, thank you for the response. My reaction is OUCH! This is a very important feature for domain infrastructures for Microsoft to simply say, "By the way, this is not working...". I hope that they get this problem resolved soon. In the meantime, I have discovered a workaround for my particular situation. In my licensing domain, in the security settings of my domain controller objects, I can TEMPORARILY grant the Everyone group the "Allowed to Authenticate" right. I can then add the necessary user and group objects from the licensing domain to the domain controller objects' security settings in the office domain. Once the objects have been added and the "Allowed to Authenticate" right granted, the activation function works as expected. I can then remove the "Allowed to Authenticate" right from the Everyone group on the domain controller objects in the licensing domain. This is less than ideal, but it is a functional workaround.
    Friday, December 6, 2013 2:39 PM
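    The workaround above depends on remembering to revoke the temporary Everyone grant. As an added example (not from this thread or from Microsoft), the following PowerShell audit lists every principal holding the "Allowed to Authenticate" extended right on the domain controller computer objects of the domain it is run in (the licensing domain here) and flags a leftover Everyone ACE, optionally removing it. It assumes the RSAT ActiveDirectory module; the -Server and -RemoveEveryone parameters are names chosen for this example.

```powershell
# Added example, not part of the original thread. Run in the licensing domain.
# Audits the Allowed-To-Authenticate control access right on each domain
# controller's computer object and flags the temporary Everyone grant.
param(
    [string]$Server,          # optional DC to query (assumed parameter name)
    [switch]$RemoveEveryone   # revoke a leftover Everyone ACE if found
)
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used below

# Schema GUID of the Allowed-To-Authenticate control access right.
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$EveryoneSid   = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

$dcParams = @{ Filter = '*' }
if ($Server) { $dcParams['Server'] = $Server }

foreach ($dc in Get-ADDomainController @dcParams) {
    $path    = "AD:\$($dc.ComputerObjectDN)"
    $acl     = Get-Acl -Path $path
    $changed = $false

    # Keep only Allow ACEs that grant this specific extended right.
    $rules = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $AllowedToAuth -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }

    foreach ($rule in $rules) {
        $sid    = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $status = if ($sid -eq $EveryoneSid) { 'LEFTOVER-EVERYONE' } else { 'ok' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Principal        = $rule.IdentityReference.Value
            Inherited        = $rule.IsInherited
            Status           = $status
        }
        # Only explicit (non-inherited) ACEs can be removed from this object.
        if ($status -ne 'ok' -and $RemoveEveryone -and -not $rule.IsInherited) {
            [void]$acl.RemoveAccessRule($rule)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}
```

    Run it without -RemoveEveryone first to review the report; any row whose Status is LEFTOVER-EVERYONE means the temporary grant from the workaround is still in place.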

All replies

  • Hi,

    You are very welcome.

    Yes, I agree with you that it is a huge flaw in Windows Server 2012 R2. Since this issue has been released already, let’s hope that it will be resolved soon.

    Thank you so much for your sharing. This workaround is very helpful to us and all the people who are dealing with this issue.

    Please feel free to ask us if there are any issues in the future.

    Have a nice day!

    Amy Wang

    Monday, December 9, 2013 2:06 AM
    Moderator
  • Amy,

    I see that the flaw has been removed from the Release Notes: Important Issues in Windows Server 2012 R2 site... does that mean there is a fix?

    Mike


    To err is human, to really screw things up takes a computer.

    Thursday, May 15, 2014 7:56 PM
  • Indeed, it's not mentioned anymore.

    See https://support.microsoft.com/en-us/kb/2959395 for a workaround (method 2).

    Kr,
    David.

    Monday, June 8, 2015 9:02 AM