Active Directory autentication and multiple domains

PaulD

We have multiple domains but they all belong to the same root.
Can I use an universal domain group that has members in other domains?
Or am I limited to one domain and all groups\users need to be in that domain?

Eddie D

Hi, thank you for your forum post.

If not already configured, the domains require a two way trust between any domains, root leaf or otherwise.

By default, the tool will use the account given to the SQL Monitor Base Monitor service to connect to the servers you wish to monitor.  You can edit these credentials, see paragraph 6 of this help document.

Many thanks
Eddie

PaulD

Eddie,
Thanks for the reply. I don't think I was clear enough. I'm not talking about SQL Monitor authenticating to remote SQL Servers. We don't seem to have a problem with that (yet ).
I'm asking about using AD authentication for user access to SQL Monitor.

I have a universal AD group which is in domain A (for example). Members of that group are in domains B,C,D & E. 
We use this AD group (A) to get our DBA's access to all the SQL Servers that they support. They don't have any issue authenticating to the remote SQL Servers. However they cannot authenticate to SQL Monitor. 
SQL Monitor authentication only seems to work if (using my example) I use a AD group in domain A and all members of that group are also in domain A.

Does that example make sense?

Eddie D

Hi, Thank You for your patience.

Ahh.  I now understand.  The problem you have reported will require further investigation by colleagues in the development team.  Therefore a Bug Report has been submitted which has an internal reference of SRP-12577.  I will update this post when I receive further information to pass on.

Many Thanks
Eddie

NQ9G

Eddie D said:

Hi, Thank You for your patience.

Ahh.  I now understand.  The problem you have reported will require further investigation by colleagues in the development team.  Therefore a Bug Report has been submitted which has an internal reference of SRP-12577.  I will update this post when I receive further information to pass on.

Many Thanks
Eddie

I am currently experiencing this same issue, and was wondering whether there is any update on the status of this Bug Report.

PaulD

Was\is this in anyway related to SRP-12541which was pushed out with  9.2.10?

PaulD

never got a response here folks... I also have a support ticket open for this that hasn't been touched (ever) ...

NQ9G

That's kind of a shame. Seems they're locking themselves out of implementation in larger estates that span multiple domains. Not a particular fan of having to use sql monitor authentication and sharing a single password instead of just being able to use LDAP.

Russell D

We're in the process of working on this right now, apologies that the thread hasn't been updated sooner. Currently you're restricted to domains that have two way trust between them, but we are aware there is a need to support more than just this, it unfortunately isn't an easy architectural change.

@PaulD SRP-12541 fixed a few issues but unfortunately without the underlying changes to the AD code it still probably isn't sufficient. We need to overhaul things properly.

We're adding a way to add multiple AD service accounts, so that you can authenticate separately with accounts from separate domains, regardless of trust. There will be a way to do this in the database shortly, with UI to follow.

PaulD

thanks for the response Russell

PaulD

just in case anyone else has this "issue", it was resolved by 10.1.16 (or maybe a little earlier). Authentication against multiple AD domains is now working fine - for us.