A helpdesk user is a member of a scoped helpdesk group, but the helpdesk group and the helpdesk user are in two different domains in the same forest. In this scenario, the helpdesk user is not able to log on to the helpdesk site. The following error message is reported:
"Access is Denied. You might not have permission to use this HelpDesk site. Contact your Administrator."
Scenario:
PM is installed in DomainA
DomainA also contains HelpdeskUserA.
DomainB contains the HelpdeskGroup and HelpdeskUserB.
DomainA\HelpdeskUserA is also a member of this group.
DomainB is configured as the domain connection for the helpdesk.
DomainB\HelpdeskUserB is able to log on to the helpdesk successfully.
DomainA\HelpdeskUserA is not able to log on to the helpdesk.
Both domains are in the same forest and therefore have a two-way transitive trust in place.
For a helpdesk user, PM first searches the user's domain to see whether the user is a member of that domain, and then looks into the group to see whether the user is a member of the group. The problem is that PM expects the group to be in the same domain as the user, which in this scenario it is not.
This is a product defect and a fix is expected to be included in a future release of the product.
Workaround:
Helpdesk groups must be members of the same domain as helpdesk users.
If some helpdesk users are members of different domains, then each domain must have a separate helpdesk group scoped.
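To find the accounts that need the workaround, the PowerShell below (an added example, not part of the original article or the product) reads a helpdesk group's direct members and flags every member whose domain differs from the group's domain. It assumes the ActiveDirectory module is installed; the group name is taken from the scenario above and the domain name is a placeholder.

```powershell
# Added example: flag helpdesk group members that live in a different domain
# than the group itself (the case in which PM denies access).
# Assumption: the ActiveDirectory (RSAT) module is available on this machine.
Import-Module ActiveDirectory

$GroupName   = 'HelpdeskGroup'     # group name from the scenario; adjust to yours
$GroupDomain = 'domainb.example'   # placeholder: DNS name of the domain holding the group

function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas, keep only the DC= components, and join them:
    # "CN=User,OU=Staff,DC=domaina,DC=example" -> "domaina.example"
    $dc = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    ($dc -join '.').ToLowerInvariant()
}

# Read the member attribute directly; this lists direct members only,
# so nested groups appear as a single entry and are not expanded.
$group     = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member
$groupHome = Get-DomainFromDN -DistinguishedName $group.DistinguishedName

$report = foreach ($memberDN in $group.member) {
    $memberHome = Get-DomainFromDN -DistinguishedName $memberDN
    [pscustomobject]@{
        Member       = $memberDN
        MemberDomain = $memberHome
        GroupDomain  = $groupHome
        # True means the member is outside the group's domain and needs
        # a helpdesk group scoped in its own domain (see Workaround).
        Affected     = ($memberHome -ne $groupHome)
    }
}

$report | Sort-Object Affected -Descending | Format-Table -AutoSize
```

Each row with Affected set to True is an account like DomainA\HelpdeskUserA in the scenario above.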
© 2024 One Identity LLC. ALL RIGHTS RESERVED.