Dear CA community,
I’m stumped by a requirement thrown at me this week and was hoping to get some confirmation here.
Domain A and Domain B are in different AD forests with a ONE-WAY forest trust relationship configured.
Domain A is the trusting (outgoing trust) – testad1a.childcomp.com
Domain B is the trusted (incoming trust) – testad2b.parentcomp.com
CA SSO Policy server is residing in Domain A and the Siteminder services are run with (Log on as) an account from Domain B (thanks to the trust relationship)
As all the user accounts are located in Domain B, I tried to “Create User Directory” using the following
Namespace: LDAP <Domain A IP>:389
Use authenticated security context: checked
Require credentials: checked
Username: <Domain A admin> (e.g. CN=Administrator,CN=Users,DC=testad1a,DC=childcomp,DC=com)
Password: <Domain A admin password>
LDAP Search
Root: <Domain B search root> (e.g. CN=Users,DC=testad2b,DC=parentcomp,DC=com)
Scope: Sub-Tree
LDAP User DN Lookup
Start: (sAMAccountName=
End: )
Effective Lookup: (sAMAccountName=ID-From-Login)
Saved, then revisited the config and pressed “View Contents”. I see an empty table, and the following is seen in smps.log
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=organization)'
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=groupOfNames)'
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=group)'
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=groupOfUniqueNames)'
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=organizationalUnit)'
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=eTGlobalGroup)'
Then I tried to search for a user which exists in Domain B. I see the following appear in smps.log:
[15337/139853530396416][Sun Dec 02 2018 17:29:03][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=groupOfNames)(objectclass=group)(objectclass=imUser)(objectclass=groupOfUniqueNames)(objectclass=organizationalUnit)(objectclass=eTGlobalUser)(objectclass=eTGlobalGroup))(samaccountname=zen.leow))'
I’m assuming what happened was that the connection was bound using Domain A’s account, which is not trusted in Domain B, and that resulted in the failed query.
But if I try configuring the bind account to use Domain B’s user, I will get “Invalid credentials”-type errors stating it is unable to connect to Domain A.
It seems to me that the only way this can work is to configure a two-way trust. But that’s not allowed for this scenario, and our policy server residing in Domain A is not allowed to connect directly to Domain B.
I’m under the impression that if I cannot query those Domain B users, I cannot authenticate them, as user disambiguation will fail. And I won’t be able to configure SSO policies surrounding those users either.
Does anyone have any thoughts or a workaround for this matter, or have I just answered my own question that this is not possible with CA SSO?
Any help is appreciated.
Thanks!
Best regards,
Zen
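The smps.log entries quoted in the post can be checked mechanically. The parser below is an added example and is not part of the original post or of CA's code: it reads the SmDsLdapConnMgr search-error entries (the three-line shape seen above: error line, "ref N:" line, closing quote plus search query), and reports the LDAP result code, the AD extended error, the referral host and the filter for each one. It assumes the log is written with straight ASCII quotes (the forum copy shows curly ones); the sample input is a constructed subset of the quoted entries plus one constructed result-49 entry for the "Invalid credentials" case the post mentions. Result-code names come from RFC 4511.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: entries copied from the post (straight quotes), plus one
# constructed result-49 entry to show how a bind failure differs from a referral.
SAMPLE_LOG = """\
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=organization)'
[15337/139853505218304][Sun Dec 02 2018 17:27:11][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(objectclass=group)'
[15337/139853530396416][Sun Dec 02 2018 17:29:03][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'testad2b.parentcomp.com'
' Search Query = '(&(|(objectclass=organizationalPerson)(objectclass=group))(samaccountname=zen.leow))'
[15337/139853530396416][Sun Dec 02 2018 17:30:00][SmDsLdapConnMgr.cpp:1207][ERROR][sm-Ldap-02230] Error# '49' during search: 'error: Invalid credentials' Search Query = '(objectclass=organization)'
"""

# LDAP result codes (RFC 4511) relevant to this diagnosis.
LDAP_RESULT_NAMES = {0: "success", 10: "referral", 32: "noSuchObject", 49: "invalidCredentials"}

HEADER_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[(?P<level>[^\]]+)\]"
    r"\[(?P<msgid>[^\]]+)\] Error# '(?P<rc>\d+)' during search: '(?P<msg>.*)$"
)
REF_RE = re.compile(r"^ref \d+: '(?P<host>[^']+)'")
EXT_RE = re.compile(r"extended error: (?P<ext>[0-9A-Fa-f]{8})")
QUERY_RE = re.compile(r"Search Query = '(?P<q>.*)'\s*$")


@dataclass
class LdapSearchError:
    timestamp: str
    thread: str
    result_code: int
    message: str
    extended_error: Optional[str] = None      # AD extended error, e.g. 0000202B
    referrals: list = field(default_factory=list)
    search_query: Optional[str] = None

    @property
    def result_name(self) -> str:
        return LDAP_RESULT_NAMES.get(self.result_code, "unknown")


def _split_query(text: str):
    """Split off a trailing "Search Query = '...'" part; returns (rest, query or None)."""
    m = QUERY_RE.search(text)
    if not m:
        return text, None
    return text[: m.start()].rstrip("' "), m.group("q")


def parse_smps_log(text: str) -> list:
    """Parse search-error entries; an entry starts at a '[' line and may continue
    over 'ref N:' lines and a final line holding the closing quote and query."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            msg, query = _split_query(m.group("msg"))
            ext = EXT_RE.search(msg)
            current = LdapSearchError(m.group("ts"), m.group("tid"), int(m.group("rc")), msg,
                                      ext.group("ext") if ext else None, [], query)
            entries.append(current)
            continue
        if current is None:
            continue                      # line before the first search error
        r = REF_RE.match(line)
        if r:
            current.referrals.append(r.group("host"))
            continue
        _, query = _split_query(line)     # continuation line carrying the filter
        if query is not None:
            current.search_query = query
    return entries


def referral_hosts(entries) -> dict:
    """How many referred (result 10) searches pointed at each host."""
    c = Counter()
    for e in entries:
        if e.result_code == 10:
            c.update(e.referrals)
    return dict(c)


def diagnose(entries) -> list:
    """Plain-language findings: referrals mean the bound DC does not hold the
    search base and is sending the client elsewhere; 49 means the bind itself failed."""
    findings = []
    for host, n in sorted(referral_hosts(entries).items()):
        findings.append(f"{n} search(es) returned result 10 (referral) to {host}: the DC the "
                        f"Policy Server is bound to does not hold the search base, and the client "
                        f"would need its own connection to {host} to continue.")
    for e in entries:
        if e.result_code == 49:
            findings.append(f"{e.timestamp}: result 49 (invalidCredentials) on {e.search_query}: "
                            f"the bind account was rejected by the directory contacted.")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_smps_log(SAMPLE_LOG)):
        print(line)
```

Run against the real smps.log, the referral count tells you whether every failed search was answered with a referral to the other forest (a base-DN / naming-context problem on the DC you are bound to) or whether some failed at bind time (result 49), which are two different things to fix; the parser only reads the log and opens no directory connection.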