Cross-forest (or cross domain) authentication issues when accessing the Altiris Console
Last Updated July 17, 2010
After installing the Symantec Management Platform using a cross-forest or cross-domain user, you are unable to fully navigate the NS console. Key pages (such as Database Settings and Security Roles) are not accessible when logging in as the service account; the console returns "Access Denied" messages.
In addition, when navigating Manage -> Organizational Views and Groups, the "Network resources" group does not appear under Default -> All Resources.
Note: There are no errors during installation.
When SMP Core attempts to determine the Windows groups that the cross-forest Altiris Service Account user is a member of, Windows does not return the complete list of group SIDs. This is caused by a Windows-side authentication issue with cross-forest (or cross-domain) trusts.
Sequence of Events:
NS Core calls GetCurrentUserMemberships() to get the Windows group memberships of the logged-in user.
Windows does not return the SID of the Symantec Administrators group when the logged-in user is from a remote domain.
When the user then attempts to access a page that is restricted to the Symantec Administrators group, an "Access Denied" message is returned in the console window.
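A quick way to see which group SIDs Windows actually placed in the account's token is to enumerate them and look for the Symantec Administrators group. The script below is an added diagnostic example, not part of the Symantec article or the SMP product; run it in a PowerShell session started as the cross-forest Altiris Service Account on the Notification Server. It assumes the group is named "Symantec Administrators" and is resolvable from the NS, as the article describes.

```powershell
# Added diagnostic example (not Symantec/Altiris code): list the group SIDs in the
# current user's token and check whether the Symantec Administrators group is among them.
# Assumption: the group name below matches the group the console restricts pages to.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupName = 'Symantec Administrators'

# Translate each SID in the token back to a name where possible. A SID that cannot be
# resolved, or a group that is simply absent, is what the console's membership check sees.
foreach ($sid in $identity.Groups) {
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }
    '{0,-48} {1}' -f $sid.Value, $name
}

# Resolve the expected group to its SID and test whether the token carries it.
$expectedSid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
$present = $identity.Groups | Where-Object { $_.Value -eq $expectedSid.Value }

if ($present) {
    "Token contains $groupName ($($expectedSid.Value))"
} else {
    "Token is MISSING $groupName ($($expectedSid.Value)) - this matches the symptom described above"
}
```

The check inspects the interactive logon token of the session you run it in. The console itself evaluates the token that IIS builds when the browser authenticates to the NS web site, so a group that shows up here can still be absent from the console's view; the console symptom is the authoritative test, and this script is only a way to confirm which SIDs the Windows side returns for the account.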
There are two ways to work around the authentication issue:
Add the local and remote domains to the Local Intranet Sites list on the Notification Server
Be sure to add them in the form *.domain.com.
For example, if there are two domains, localDomain.Company.com and remoteDomain.Company.com, with a trust between them, add the following two entries to the Local Intranet Sites list:
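The Local Intranet Sites list can be populated from a script instead of the Internet Options dialog. The PowerShell below is an added example, not from the Symantec article; it assumes the two entries are *.localDomain.Company.com and *.remoteDomain.Company.com, following the *.domain.com form given above, and writes them to the per-user zone map on the Notification Server for the account that opens the console.

```powershell
# Added example (not Symantec/Altiris code): map trusted domains to the Local Intranet
# zone for the current user. Assumed entries follow the *.domain.com form from the article;
# replace them with the real local and remote domain names.
$domains       = @('localDomain.Company.com', 'remoteDomain.Company.com')
$zoneMap       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$localIntranet = 1   # zone ids: 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted

function Get-ZoneMapKey {
    # Internet Explorer stores "*.sub.root.tld" as Domains\root.tld\sub and "*.root.tld"
    # as Domains\root.tld; the value named "*" applies the zone to every scheme.
    param([string]$Domain)
    $labels = $Domain.Split('.')
    $root   = ($labels[-2], $labels[-1]) -join '.'
    if ($labels.Length -gt 2) {
        $sub = $labels[0..($labels.Length - 3)] -join '.'
        return Join-Path (Join-Path $zoneMap $root) $sub
    }
    return Join-Path $zoneMap $root
}

foreach ($domain in $domains) {
    $key = Get-ZoneMapKey -Domain $domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $localIntranet -Force | Out-Null
    "Mapped *.$domain -> zone $localIntranet ($key)"
}

# Read the mappings back so the change can be confirmed before reopening the console.
foreach ($domain in $domains) {
    $key  = Get-ZoneMapKey -Domain $domain
    $zone = (Get-ItemProperty -Path $key -Name '*').'*'
    if ($zone -eq $localIntranet) { "OK   *.$domain is in Local Intranet" }
    else                          { "FAIL *.$domain is in zone $zone" }
}
```

Because the zone map lives under HKCU, run the script as the account that logs on to the console (the service account in this case), not as an administrator who will never open it. If the machine is governed by the "Security Zones: Use only machine settings" policy, the equivalent keys under HKLM are consulted instead, and in a managed environment the same entries are normally pushed through the Group Policy "Site to Zone Assignment List" rather than edited by hand.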