Fix Selective Authentication in a Trusted Domain

When you turn on selective authentication for a trusted domain, AD Bridge can fail to look up users in the trusted domain because the machine account is not allowed to authenticate with the domain controllers in the trusted domain. Here is how to grant the machine account access to the trusted domain:

  1. In the domain the computer is joined to, create a global group and add the computer's machine account to the group.
  2. In the trusted domain, in Active Directory Users and Computers, select the Domain Controllers container and open Properties.
  3. On the Security tab, click Advanced, click Add, enter the global group, and then click OK.
  4. In the Permission Entry box, under Apply onto, check Computer objects. Under Permissions, find Allowed to Authenticate and check it. Click OK and then click Apply in the Advanced Security Settings box.
  5. If you have already joined the AD Bridge Enterprise client computer to the domain, restart the AD Bridge Enterprise authentication service:
    /opt/pbis/bin/lwsm restart lsass
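The same grant, scripted for steps 1 through 4 as an added example (this is not AD Bridge code or part of the original page). It assumes the ActiveDirectory PowerShell module, an account with rights in both domains, and the placeholder names joined.example, trusted.example, ADBridgeClients and LINUXHOST01; the extended-right and computer-class GUIDs are read from the trusted forest rather than typed in.

```powershell
# Added example, not from the AD Bridge documentation. Placeholder names below are assumptions.
Import-Module ActiveDirectory

$joinedDomain  = 'joined.example'   # domain the AD Bridge client is joined to (assumption)
$trustedDomain = 'trusted.example'  # domain with selective authentication turned on (assumption)
$groupName     = 'ADBridgeClients'  # global group to create (assumption)
$clientName    = 'LINUXHOST01'      # machine account of the AD Bridge client (assumption)

# Step 1: global group in the joined domain that holds the client's machine account.
$joinedDn = (Get-ADDomain -Server $joinedDomain).DistinguishedName
$group = New-ADGroup -Name $groupName -GroupScope Global -Server $joinedDomain `
    -Path "CN=Users,$joinedDn" -PassThru
Add-ADGroupMember -Identity $group -Server $joinedDomain `
    -Members (Get-ADComputer -Identity $clientName -Server $joinedDomain)

# Steps 2-4: 'Allowed to Authenticate' on the trusted domain's Domain Controllers container,
# applied to computer objects. Look up the right and the computer class in the trusted forest.
$rootDse = Get-ADRootDSE -Server $trustedDomain
$right = Get-ADObject -Server $trustedDomain -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))' `
    -Properties rightsGuid
$computerClass = Get-ADObject -Server $trustedDomain -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' -Properties schemaIDGUID
if (-not $right -or -not $computerClass) { throw 'Could not resolve the right or class GUID.' }

# Equivalent of "Apply onto: Computer objects" + "Allowed to Authenticate" in the Permission Entry box.
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [guid]$right.rightsGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    [guid]$computerClass.schemaIDGUID
)

$dcContainer = [ADSI]"LDAP://$trustedDomain/OU=Domain Controllers,$($rootDse.defaultNamingContext)"
$dcContainer.psbase.ObjectSecurity.AddAccessRule($rule)
$dcContainer.psbase.CommitChanges()

# Check: the new ACE for the group should now be present on the container.
$dcContainer.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $group.SID -and $_.ObjectType -eq [guid]$right.rightsGuid } |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Clients that are already joined still need step 5, the lsass restart, before the new right takes effect for lookups.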

For more information, please see Configuring Selective Authentication Settings.