Fix Selective Authentication in a Trusted Domain

When you turn on selective authentication for a trusted domain, AD Bridge can fail to look up users in the trusted domain because the machine account is not allowed to authenticate with the domain controllers in the trusted domain. Here is how to grant the machine account access to the trusted domain:

  1. In the domain the computer is joined to, create a global group and add the computer's machine account to the group.
  2. In the trusted domain, in Active Directory Users and Computers, select the Domain Controllers container and open Properties.
  3. On the Security tab, click Advanced, click Add, enter the global group, and then click OK.
  4. In the Permission Entry box, under Apply onto, check Computer objects. Under Permissions, find Allowed to Authenticate and check it. Click OK and then click Apply in the Advanced Security Settings box.
  5. If you have already joined the AD Bridge client computer to the domain, restart the AD Bridge authentication service (lsass) so the machine account re-authenticates with its new group membership:
    /opt/pbis/bin/lwsm restart lsass
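
The same grant can be scripted from a Windows host with the ActiveDirectory PowerShell module. This is an added example, not part of the AD Bridge documentation; the domain, group and computer names are placeholders, and the two schema GUIDs (the Allowed-To-Authenticate extended right and the Computer object class) are assumed to match the standard schema and should be verified in your forest.

```powershell
# Added example (not from the AD Bridge docs). Grants the "Allowed to Authenticate"
# right on the trusted domain's Domain Controllers OU to a global group from the
# joined domain that contains the AD Bridge client's machine account.
Import-Module ActiveDirectory

$JoinedDomain  = 'corp.example.com'     # placeholder: domain the client is joined to
$TrustedDomain = 'trusted.example.com'  # placeholder: selective-authentication trusted domain
$GroupName     = 'ADBridge-Clients'     # placeholder: global group in the joined domain
$ComputerName  = 'LINUXHOST01'          # placeholder: AD Bridge client's machine account

# Step 1: global group in the joined domain, with the machine account as a member.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $JoinedDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -Server $JoinedDomain -PassThru
}
$computer = Get-ADComputer -Identity $ComputerName -Server $JoinedDomain
Add-ADGroupMember -Identity $group -Members $computer -Server $JoinedDomain

# Steps 2-4: add an ACE on the trusted domain's Domain Controllers OU that applies
# to descendant Computer objects (the DC machine accounts).
# Assumed well-known schema GUIDs; verify against your schema.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate
$computerClass         = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class

$trustedDC = (Get-ADDomainController -DomainName $TrustedDomain -Discover).HostName | Select-Object -First 1
$dcOuDn    = "OU=Domain Controllers,$((Get-ADDomain -Server $trustedDC).DistinguishedName)"

# A separate AD: drive is needed because the default one points at the joined domain.
New-PSDrive -Name TRUSTED -PSProvider ActiveDirectory -Root '' -Server $trustedDC | Out-Null

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl = Get-Acl -Path "TRUSTED:\$dcOuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "TRUSTED:\$dcOuDn" -AclObject $acl
```

Run it with an account that can create groups in the joined domain and modify the Domain Controllers OU security descriptor in the trusted domain; step 5 (restarting lsass on the client) still applies afterwards.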

For more information, see Configuring Selective Authentication Settings.