May 3, 2011 at 10:06 am
A user on domain A is a member of an SG (Security Group) on domain B. This SG needs access to the SQL Server on domain C. I tried to create the login with SSMS but could not find it with search, but I could create the login with a script. Now the problem is that even though the login (SG) has access to the SQL Server, they could not access it and were getting the error: Login Failed. What might have happened? Another thing is that the guy on domain A, if given direct access and not through the SG, could access the server.
May 9, 2011 at 11:08 am
Without knowing your AD domain and trust setup, it's nearly impossible to troubleshoot this. That's not something you want out in the public domain, so at this point, I'm going to refer you back to your own internal people.
You need to check with your AD administrators about the trust relationships. You cannot assume that since Domain A works from Domain B and Domain B works from Domain C that Domain A works from Domain C. That's possible if a transitive trust is in place, but there are certain conditions for that to happen with an AD forest. They probably need to understand what you're trying to do and then can advise you on how to set up security.
Another issue could be if you're using a domain local group across domains. If that's the case, then the group (and its members) won't be seen properly. Again, to find out whether this is the case, you need to check with your AD admins.
K. Brian Kelley
@kbriankelley
May 9, 2011 at 11:22 am
Thanks, Brian, for the reply. I will check with the admin. But the thing I did not understand was: if there was no trust between A and C, then why did it work when providing access to that particular login in SQL Server directly and not with the group (which is in domain B)? I can tell you there is certainly a trust between B and C too.
Thanks,
May 9, 2011 at 11:29 am
Depends on the type of group as well as the trust relationship between B and C. For instance, for a group in Domain B to be able to take users from Domain A, it either has to be a universal group or a domain local group. If it's the latter, it can't be seen outside of Domain B. That would be the simplest case where you would see this kind of failure.
K. Brian Kelley
@kbriankelley
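An added example, not part of the original posts: a PowerShell check of the group scope described in the reply above, assuming the ActiveDirectory module (RSAT) is installed and the account running it can read the group's domain. The function name and the group and domain names in the sample call are placeholders.

```powershell
# Added example: reports whether a group's scope lets a server in another
# domain resolve it. All names in the sample call are placeholders.
Import-Module ActiveDirectory

function Test-GroupVisibleToResourceDomain {
    param(
        [Parameter(Mandatory)] [string] $GroupName,      # sAMAccountName of the security group
        [Parameter(Mandatory)] [string] $GroupDomain,    # DNS name of the domain holding the group
        [Parameter(Mandatory)] [string] $ResourceDomain  # DNS name of the domain hosting SQL Server
    )

    # Query a domain controller in the group's own domain.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member

    # Members that come from a trusted domain outside the forest are stored
    # as objects under CN=ForeignSecurityPrincipals.
    $foreign = @($group.member | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' })

    $scope      = $group.GroupScope.ToString()           # DomainLocal, Global or Universal
    $sameDomain = $GroupDomain -ieq $ResourceDomain

    # A domain local group is only usable on resources in its own domain.
    $visible = $sameDomain -or ($scope -ne 'DomainLocal')

    [pscustomobject]@{
        Group                   = $group.DistinguishedName
        Scope                   = $scope
        ForeignMemberCount      = $foreign.Count
        VisibleToResourceDomain = $visible
    }
}

# Sample call with placeholder names:
# Test-GroupVisibleToResourceDomain -GroupName 'SG' `
#     -GroupDomain 'domainb.example' -ResourceDomain 'domainc.example'
```

A result of `Scope = DomainLocal` with `VisibleToResourceDomain = False` corresponds to the failure case described above; the trust relationships themselves still have to be confirmed with the AD administrators.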