Identity Security Cloud- Foreign Security Principals

  1. There are two Active Directory domains in two different forests: forest1.DomainA.com and forest2.DomainB.com

  2. DomainA users can have access to DomainB (through membership to an AD Group in DomainB)

  3. Now I need to show the DomainB group as an entitlement on the DomainA user account, and the DomainA user account needs to show as the FSP on the DomainB AD group memberships

  4. I tried adding the Membership Search DN on the DomainA connection details, but it's not aggregating and showing the DomainB groups as mentioned in the FAQs:
    [ Issue: During aggregation cross domain group memberships of a user are not aggregated
    Resolution: To fetch the cross domain group memberships information, the Group Membership Search DN field must have cross domain details.]
    FAQ URL: Active Directory Connector - FAQ and troubleshooting - Compass

  5. Please let me know if anyone has worked on this and has details about how to set up the FSPs in the above case… thank you.

Hi @vspatil2211

This won’t work out, as I’ve worked in a similar environment. Let’s see if anyone has achieved this.

Hi @vspatil2211 - You’re up against it for a couple of reasons.

  1. Your point 4 and the FAQ refer to cross-domain membership, not cross-forest membership
  2. From what I know, FSPs can be aggregated when they represent Entitlements (Global Groups), not Accounts.

IMHO, your best bet would be for DomainB groups to be Local with equivalent Global DomainA groups created and added as members. The DomainA users would then be added to the DomainA groups which could then be aggregated as Entitlements. I appreciate you may not be able to go that way.

Again, FWIK, FSPs for accounts are created in the forest where the Group is, if the Group is Domain Local; FSPs for groups are created in the forest where the Account is, if the Group is Global.
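As an added example (not posted by the answer's author), here is a read-only PowerShell check for the rule just described: enumerate a DomainB group and resolve each foreignSecurityPrincipal member back to the DomainA object it represents, so you can verify what the connector would see before configuring aggregation. The group name "DomainB-App-Access" and the use of the forest names from the original post are assumptions; it requires the RSAT ActiveDirectory module and a working trust.

```powershell
# Added example, not from the thread. Assumed: DomainB group "DomainB-App-Access"
# in forest2.DomainB.com, trusted forest forest1.DomainA.com, RSAT AD module installed.
Import-Module ActiveDirectory

function Get-FspMembersResolved {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $LocalDomain   = 'forest2.DomainB.com',   # assumed
        [string] $TrustedDomain = 'forest1.DomainA.com'    # assumed
    )
    $group = Get-ADGroup -Identity $GroupName -Server $LocalDomain -Properties member, groupScope

    # Per the answer above, FSPs for DomainA principals are only expected
    # in this group when it is Domain Local.
    if ($group.GroupScope -ne 'DomainLocal') {
        Write-Warning "$GroupName is $($group.GroupScope); cross-forest FSP members are not expected."
    }

    foreach ($dn in $group.member) {
        $m = Get-ADObject -Identity $dn -Server $LocalDomain -Properties objectSid

        if ($m.ObjectClass -ne 'foreignSecurityPrincipal') {
            # Ordinary DomainB member (user or group); nothing to translate.
            [pscustomobject]@{ Member = $m.Name; Kind = $m.ObjectClass; ResolvedTo = $m.DistinguishedName }
            continue
        }

        # An FSP carries the SID of the principal in the trusted forest;
        # look that SID up in DomainA to find out whether it is a user or a group.
        $sid     = $m.objectSid.Value
        $foreign = Get-ADObject -Filter "objectSid -eq '$sid'" -Server $TrustedDomain
        if ($foreign) {
            $resolved = "$($foreign.ObjectClass): $($foreign.DistinguishedName)"
        } else {
            $resolved = 'UNRESOLVED (deleted in DomainA, or trust/DNS problem)'
        }
        [pscustomobject]@{ Member = $m.Name; Kind = 'foreignSecurityPrincipal'; ResolvedTo = $resolved }
    }
}

Get-FspMembersResolved -GroupName 'DomainB-App-Access' | Format-Table -AutoSize
```

An FSP that resolves to a DomainA group confirms the Domain Local / Global nesting the answer recommends; one that resolves to a DomainA user is the account-level FSP the connector will not aggregate as an entitlement.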
