Freigeben über


[SCOM] Cross Forest Authentication for Reporting Services

Hello all,

I`m sure a lot of enterprise customers have hit this, where basically you are unable to access SCOM Reporting from across a forest trust. So for example you have User A in a forest in domain A and User B in a separate forest in domain B. Between the domains is a one way trust. Now if the SCOM servers and reporting servers are part of domain B you will be unable to authentication with users from domain A in order to access SCOM reporting services.

This is currently by design, so if you have this issue please cast an upvote for this in connect: https://connect.microsoft.com/WindowsServer/Feedback/Details/1266165

The issue is when using an account from a trusted domain that uses a one way trust, the DAS is unable to access the accounts group info and receives an ACCESS DENIED.

This is by design because this is a restriction from AzMan - details here: https://msdn.microsoft.com/en-us/library/aa377364(VS.85).aspx 

More details to be found also here:

https://blogs.technet.com/b/operationsmgr/archive/2009/01/27/opsmgr-2007-error-running-report-message-loading-reporting-hierarchy-failed-access-is-denied.aspx

As a further and easier workaround I would suggest to configure an account (from the domain where SCOM and the SQL server is part of) for the sql server where reporting is installed in credential manager on all the management servers that hold a console where you want to access reporting from.

This way you will authenticate with a user from the same domain as the SQL server.

Another workaround are the ones below:

https://blogs.technet.com/b/operationsmgr/archive/2009/01/27/opsmgr-2007-error-running-report-message-loading-reporting-hierarchy-failed-access-is-denied.aspx

https://social.technet.microsoft.com/Forums/en-US/77d54ad4-8287-4138-bae2-b91cce07b217/cross-forest-scom-reporting-deployment-with-one-way-external-trust?forum=operationsmanagerdeployment

Comments

  • Anonymous
    April 05, 2016
    Aside from a broken link to vote for this to be fixed, this has been a problem for several major versions of SCOM now. It would be great if MS would fix this - if it is a restriction of the authentication method currently used then please consider updating the method!