[SCOM] Cross Forest Authentication for Reporting Services
Hello all,
I'm sure a lot of enterprise customers have hit this: you are unable to access SCOM Reporting from across a forest trust. For example, you have User A in domain A in one forest and User B in domain B in a separate forest, with a one-way trust between the domains. If the SCOM servers and reporting servers are part of domain B, you will be unable to authenticate with users from domain A in order to access SCOM reporting services.
This is currently by design, so if you have this issue please cast an upvote for this on Connect: https://connect.microsoft.com/WindowsServer/Feedback/Details/1266165
The issue is that when using an account from a trusted domain over a one-way trust, the DAS is unable to access the account's group info and receives an ACCESS DENIED.
This is by design because this is a restriction from AzMan - details here: https://msdn.microsoft.com/en-us/library/aa377364(VS.85).aspx
More details can also be found here:
As a further and easier workaround, I would suggest configuring an account (from the domain that SCOM and the SQL Server are part of) for the SQL Server where reporting is installed, in Credential Manager on all the management servers that hold a console from which you want to access reporting.
This way you will authenticate with a user from the same domain as the SQL server.
Other workarounds are the ones below:
Comments
- Anonymous
April 05, 2016
Aside from a broken link to vote for this to be fixed, this has been a problem for several major versions of SCOM now. It would be great if MS would fix this - if it is a restriction of the authentication method currently used then please consider updating the method!