Active Directory autentication and multiple domains

PaulDPaulD Posts: 10 New member
We have multiple domains but they all belong to the same root.
Can I use an universal domain group that has members in other domains?
Or am I limited to one domain and all groups\users need to be in that domain?
Tagged:

Answers

  • Eddie DEddie D Posts: 1,636 Rose Gold 5
    Hi, thank you for your forum post.

    If not already configured, the domains require a two way trust between any domains, root leaf or otherwise.

    By default, the tool will use the account given to the SQL Monitor Base Monitor service to connect to the servers you wish to monitor.  You can edit these credentials, see paragraph 6 of this help document.

    Many thanks
    Eddie




    Eddie Davis
    Product Support Engineer
    Redgate Software Ltd
    Email: [email protected]
  • PaulDPaulD Posts: 10 New member
    Eddie,
    Thanks for the reply. I don't think I was clear enough. I'm not talking about SQL Monitor authenticating to remote SQL Servers. We don't seem to have a problem with that (yet :) ).
    I'm asking about using AD authentication for user access to SQL Monitor.

    I have a universal AD group which is in domain A (for example). Members of that group are in domains B,C,D & E. 
    We use this AD group (A) to get our DBA's access to all the SQL Servers that they support. They don't have any issue authenticating to the remote SQL Servers. However they cannot authenticate to SQL Monitor. 
    SQL Monitor authentication only seems to work if (using my example) I use a AD group in domain A and all members of that group are also in domain A.

    Does that example make sense?
  • Eddie DEddie D Posts: 1,636 Rose Gold 5
    Hi, Thank You for your patience.

    Ahh.  I now understand.  The problem you have reported will require further investigation by colleagues in the development team.  Therefore a Bug Report has been submitted which has an internal reference of SRP-12577.  I will update this post when I receive further information to pass on.

    Many Thanks
    Eddie
    Eddie Davis
    Product Support Engineer
    Redgate Software Ltd
    Email: [email protected]
  • NQ9GNQ9G Posts: 2 New member
    Eddie D said:
    Hi, Thank You for your patience.

    Ahh.  I now understand.  The problem you have reported will require further investigation by colleagues in the development team.  Therefore a Bug Report has been submitted which has an internal reference of SRP-12577.  I will update this post when I receive further information to pass on.

    Many Thanks
    Eddie
    I am currently experiencing this same issue, and was wondering whether there is any update on the status of this Bug Report.
  • PaulDPaulD Posts: 10 New member
    Was\is this in anyway related to SRP-12541which was pushed out with  9.2.10?

  • PaulDPaulD Posts: 10 New member
    never got a response here folks... I also have a support ticket open for this that hasn't been touched (ever) ...
  • NQ9GNQ9G Posts: 2 New member
    That's kind of a shame. Seems they're locking themselves out of implementation in larger estates that span multiple domains. Not a particular fan of having to use sql monitor authentication and sharing a single password instead of just being able to use LDAP.
  • Russell DRussell D Posts: 1,295 Diamond 5
    edited March 24, 2020 8:09AM
    We're in the process of working on this right now, apologies that the thread hasn't been updated sooner. Currently you're restricted to domains that have two way trust between them, but we are aware there is a need to support more than just this, it unfortunately isn't an easy architectural change.

    @PaulD SRP-12541 fixed a few issues but unfortunately without the underlying changes to the AD code it still probably isn't sufficient. We need to overhaul things properly.

    We're adding a way to add multiple AD service accounts, so that you can authenticate separately with accounts from separate domains, regardless of trust. There will be a way to do this in the database shortly, with UI to follow.
    Have you visited our Help Centre?
  • PaulDPaulD Posts: 10 New member
    thanks for the response Russell
  • PaulDPaulD Posts: 10 New member
    just in case anyone else has this "issue", it was resolved by 10.1.16 (or maybe a little earlier). Authentication against multiple AD domains is now working fine - for us.
Sign In or Register to comment.