SCVMM implementation in a cross-domain topology
My team was trying to implement VMM 2008 R2 in a multi-domain topology. They installed VMM R2 on Windows Server 2008 R2. We started by implementing VMM 2008 R2 and the SSP (Self-Service Portal) in Domain A.
We have users from domains A and B, and a one-way trust relationship between those domains from domain A to B, i.e. domain A trusts users from domain B.
This scenario was designed so that users from domains A and B would have the capability to deploy new VMs using the web interface (SSP).
The installation went fine with a local admin account (a domain user from domain A with local admin privileges), and I was able to see all users from domains A and B and add them to the Self-Service Portal users role.
The problem was that users from domain B could not log in to SSP, while users from domain A could.
As per Microsoft TechNet:
Does VMM support cross-domain authentication?
Yes. Kerberos authentication is a prerequisite for VMM. To configure your environment to allow users in one Active Directory Domain Services (AD DS) domain to access VMM resources in another domain, you can either ensure that both domains are in the same forest or configure a forest-level trust relationship and use Kerberos authentication. To set up a forest-level trust relationship, both domains must be in Windows Server 2003 forest mode. Windows 2000 Server does not support forest-level trusts.
So this was the first problem: VMM requires Kerberos authentication, while my one-way trust was External (NTLM). My domains are above the 2003 functional level, so I deleted my old trust and created a new one-way forest trust.
Now VMM should work, but oops... it did not?!
As per Microsoft TechNet it should work fine, but nothing worked at all. After some digging into the trust we found it: it has to be a two-way forest-level trust between the two domains.
And we got confirmation from Microsoft:
Based on this finding, I fully analyzed all internal Kerberos traffic again, and the two-way trust is required by SSP.
1. If we only configure a one-way trust from the SCVMM server domain to the user domain, the DC in the SCVMM domain will be able to establish a secure channel with the user domain and get the trust TGT ticket. Thus we can configure SSP and choose users from the trusted domain.
2. However, when a user accesses the SCVMM portal from the trusted domain, because the trust is one-way and there is no trusted account for the user domain in the SCVMM domain, the user cannot get a trusted TGT ticket and thus cannot get a session ticket to access SSP. The access will fall back to NTLM, with the SCVMM DC contacting the DC in the user domain for NTLM authentication.
According to the authentication requirements for SCVMM, we need to configure a two-way trust so that the user can get a session ticket to access SSP in the other domain.
So... to have users from a different domain, we need to configure a two-way trust so that the user can get a session ticket to access SSP in the other domain.
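The two prerequisites the post arrives at (forest-level trust for Kerberos, and bidirectional direction so domain B users can obtain a cross-realm TGT) can be checked before anyone tries to log in, and the NTLM fallback that Microsoft describes leaves a trace in the Security log of the SSP/VMM server. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module is available, that it runs from the SCVMM (domain A) side, and that `userdomain.example` / `USERDOMAIN` are placeholders for domain B's DNS and NetBIOS names.

```powershell
# Added example (not from the original post): verify the trust prerequisites
# for VMM/SSP and look for logons that fell back to NTLM instead of Kerberos.
# Assumptions: RSAT ActiveDirectory module present; run on the domain A side;
# 'userdomain.example' and 'USERDOMAIN' are placeholders for domain B.

Import-Module ActiveDirectory

$UserDomain = 'userdomain.example'   # placeholder for domain B (DNS name)

function Test-VmmTrustPrerequisites {
    param([string]$TrustedDomain)

    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
    if (-not $trust) {
        return [pscustomobject]@{ Domain = $TrustedDomain; Found = $false; Ok = $false; Reason = 'No trust object found' }
    }

    $problems = @()
    # An external (non-forest) trust authenticates over NTLM; VMM requires Kerberos.
    if (-not $trust.ForestTransitive) {
        $problems += 'trust is not forest-transitive (external trust, NTLM only)'
    }
    # A one-way trust lets the VMM-side DC reach domain B, but domain B users cannot
    # obtain a cross-realm TGT for domain A, so the trust must be bidirectional.
    if ($trust.Direction -ne 'BiDirectional') {
        $problems += "trust direction is $($trust.Direction), not BiDirectional"
    }

    [pscustomobject]@{
        Domain           = $TrustedDomain
        Found            = $true
        Direction        = $trust.Direction
        ForestTransitive = $trust.ForestTransitive
        Ok               = ($problems.Count -eq 0)
        Reason           = ($problems -join '; ')
    }
}

# Detection side: Event ID 4624 records which authentication package served a
# logon. Network logons (type 3) from domain B accounts that used something other
# than Kerberos are the fallback described in the Microsoft confirmation.
function Find-NtlmFallbackLogons {
    param([string]$TrustedDomainNetbios, [int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -eq '3' -and
            $data['TargetDomainName'] -eq $TrustedDomainNetbios -and
            $data['AuthenticationPackageName'] -ne 'Kerberos') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Package = $data['AuthenticationPackageName']
                Source  = $data['IpAddress']
            }
        }
    }
}

Test-VmmTrustPrerequisites -TrustedDomain $UserDomain | Format-List
Find-NtlmFallbackLogons -TrustedDomainNetbios 'USERDOMAIN' | Format-Table -AutoSize
```

Run the first function from any domain A member with the AD module, and the second on the SSP/VMM server itself, where the 4624 events for portal logons are written. A trust that reports `ForestTransitive = True` and `Direction = BiDirectional` is the configuration the post ends with; if domain B users still appear in the fallback list with `Package = NTLM`, the trust has not been picked up yet by the DCs or Kerberos is failing for a different reason than the trust type.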