We have embarked on an exercise to create a new domain say newdom which is gradually replacing olddom.

Some users using windows authentication were moved from olddom to newdom, but our wf client and servers are remaining on olddom until the switch over is completed.

The user has an account in newdom, and his account in olddom is locked.

The problem manifests itself when the user tries to log on to MRE only (server direct is ok) using the full credentials of the new domain eg

newdomain\Xxx.Xxxx

This log in fails on Server authentication.

05/13/2008 16:03:57 request by cmrpip000784 to authenticate user
05/13/2008 16:03:57 rejected   cmrpip000784 u=Xxx.Xxxx (expired account)

What MRE seems to do is disregard the explicit request to log into newdomain and then

1. It tries the default domain of the wfclient and server which is still set to olddom. If this fails it then tries

2. The newdom domain which is linked in windows as being an associated domain and the next to try.

This process works fine unless you have previously accidentally attempt to log in to olddom via windows machine login. (eg at startup you accidentally enter the wrong domain) This seems to change the status of the dormant olddom account.

If you have changed the status of the olddom account then you will fail to log into MRE and
the message shown above is shown in the SERVER log.

Things we have tried are:

1. Checking for all explicit mention of olddom in any of the MRE data. We cant find any.

Does anyone have any ideas? Help. Anyone out there good on Windows active directory and domain searching?

This message has been edited. Last edited by: hammo1j,

hammo1j,

I'm not an active directory expert by any measure, but I think that the fact that the user exists in the old domain but is locked/expired probably means that the Reporting Server is running down the list of domains and checks the old domain first. I assume that Windows API finds the user in olddom, but then fails to authenticate because it is locked. It doesn't bother to continue checking because it gets a "negative" response from olddom rather than a "I don't know them" response.

Try turning on traces on the reporting server and you will see the order it attempts to find the user. On my system it tries local machine and if the user doesn't exist goes off to check and domains that are available.

Cheers

Stu

Thanks Stu

That's what's happening, however it is sporadic, which may be due to ad server replication and load balancing.

In the end we created users in MRE like newdom\userfirst.userlast and that solved the problem.

Regards

John