User authentification fails - implemented ESAE (cross-forest-trust)

[mascr]

Describe the bug
User authentications fails with error

if user is member of EASE / Admin forest.

Access Manager installation

• OS: Windows Server 2019
• Version: 1.0.7925.0

Additional context
Details about trust:

Logs
2021-07-14 17:39:48.3133|ERROR|Lithnet.AccessManager.Service.Controllers.ComputerController|The request failed because the information about the authenticated user could not be found
Lithnet.AccessManager.DirectoryException: DsBind failed
---> System.ComponentModel.Win32Exception (1355): The specified domain either does not exist or could not be contacted.
--- End of inner exception stack trace ---
at Lithnet.AccessManager.DiscoveryServices.FindDcAndExecuteWithRetry[T](String server, String domain, DsGetDcNameFlags flags, DcLocatorMode mode, Func2 action) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\DiscoveryServices.cs:line 133 at Lithnet.AccessManager.DiscoveryServices.FindDcAndExecuteWithRetry[T](String domain, DsGetDcNameFlags flags, Func2 action) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\DiscoveryServices.cs:line 70
at Lithnet.AccessManager.DiscoveryServices.FindDcAndExecuteWithRetry[T](Func`2 action) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\DiscoveryServices.cs:line 45
at Lithnet.AccessManager.ActiveDirectory.GetDirectoryEntry(String nameToFind, DsNameFormat nameFormat) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 642
at Lithnet.AccessManager.ActiveDirectory.GetDirectoryEntry(SecurityIdentifier nameToFind) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 657
at Lithnet.AccessManager.ActiveDirectory.FindUserInGc(String objectName) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 490
at Lithnet.AccessManager.ActiveDirectory.GetUser(String name) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager\ActiveDirectory\ActiveDirectory.cs:line 54
at Lithnet.AccessManager.Service.AppSettings.HttpContextAuthenticationProvider.GetLoggedInUser() in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Service\Authentication\HttpContextAuthenticationProvider.cs:line 44
at Lithnet.AccessManager.Service.Controllers.ComputerController.TryGetUser(IUser& user, IActionResult& failure) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Service\Controllers\ComputerController.cs:line 592

[ryannewington]

@mascr

Just confirming that I have recieve this and can reproduce it. The underlying issue is that AMS is trying to call DsCrackNames to convert the logged on users SID, to a directory DN, so it can look up the users details. DsCrackNames returns a referral to the red forest, which AMS follows, but subsequently fails, because the AMS server is unable to authenticate to the DC in the red forest to obtain information about the user, due to the one-way trust.

I'll need some time to work through this one, as it's a very complex case.

[red-erik]

Hello,
I have same situation, if I can help in any way with some tests, let me know.
Regards,
Red.

[red-erik]

Hello,
any news on that ?

Regards,
Red.

[ryannewington]

Unfortunately, no progress on this. There hasn't been enough demand from our customers to prioritize ESAE at this stage.