When selective authentication is enabled on a two-way trust QAS is not able to cache accounts from domains across the trust.
RESOLUTION 1:
The host objects that get created when a machine is joined need to be given permission to authenticate to the domain controllers in the other domain.
RESOLUTION 2:
When selective authentication is enabled we can treat it the same way that we treat a one-way trust. By creating a separate computer object in the cross-forest domain we can assure that this object will be able to access all of the account information that we require in the domain.
Details on how to set QAS up to access domains across trusts see KB 65747 article on setting up QAS across one-way trusts:
https://support.oneidentity.com/kb/65747/
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center