Hi All,
I am helping a customer with an implementation and we have a setup where they have a rather large forest with many domains which we want to query using CPPM for MSCHAP authentication.
Assuming the root of the tree is root.domain, we have the CPPM joined to xxx.root.domain and can look up users but not query any from yyy.root.domain.
I have tried setting up the AD source to use the global catalog for the domain (not sure if this is right, but I'm just trying different things) and this lets me see the users in yyy.root.domain, but when I try authentication it fails.
Looking at the debug logs I can see that the search of the UPN in the remote domain is correct and returns a user; however, it then progresses to authentication but uses the sAMAccountName attribute as the authenticator (without a domain prefix), and this fails authentication, presumably because it doesn't contain the domain name of the user.
I recall in early Amigopod days there was a setting "with_ntdomain_hack" that did something to manipulate how the username was formatted.
Is this still relevant in CPPM, or am I off on the wrong path?
What I'd like to achieve is AD authentication across the whole forest using MSCHAP without having to join the root / parent domain (we can't do this for political reasons, as the root domain comes under the admin of another area who aren't flexible).
Our service account in the xxx.root.domain is apparently allowed to query all domains (we can browse the yyy.root.domain using ClearPass) and we are able to join the subdomain with no problems.
I'm feeling that the answer may simply be to join the root domain; however, my AD knowledge isn't what I'd like it to be...
Scott