1 Reply Latest reply on May 7, 2015 6:48 AM by Yanick Girouard

    BSA authentication to Windows Domain Controller with trust relationship

    Bo Vial

      Currently having an issue with BSA authenticating to a Windows Domain Controller. We normally have no issues with DCs, but I believe the trust relationship in the scenario is causing an issue.


      Scenario is as follows:


      Server is a DC for EXAMPLE domain.


      We administer this server logging in as TEST\adminuser


      There is a trust relationship between EXAMPLE domain and TEST domain.


      The EXAMPLE\adminuser account does not exist.


      In our BSA security files, we want to map to the Authentication Principal TEST\adminuser.


      Looking at the rscd.log files, I see this error:

      User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: EXAMPLE\adminuser


      So, I can see BSA is trying to map to the EXAMPLE/adminuser account, which does not exist.

      User Impersonation Failed ; Error Location: lookup_impersonation_user ; Error Message: The data is invalid. ; Auxiliary Error Message: Domain accounts may not be used for privilege mapping user impersonation. Account: adminuser@TEST


      Is there any way I can get this to work, other than creating an adminuser in the TEST domain?

        • 1. Re: BSA authentication to Windows Domain Controller with trust relationship
          Yanick Girouard

          You can't impersonate domain accounts; you need to use automation principals for this to work. Impersonation only works with local accounts, which an account is when it's on the domain controller (all users are local accounts for the DC itself).


          Automation Principals let the agent actually log in using a specific user and password, including domain users, which means it would act just as if an admin logged in using the trusted domain account.
