01-18-2013 05:11 AM
We are unable to authenticate our devices with Active Sync.
Let me explain our setup:
2 AD forests:
Resource - Exchange 2010 and BES reside here
Account - All user accounts are here (masterlinkedaccount)
The problem here is that we only have a 1 way trust going from the resource forest to the account forest (due to security reasons) which is why the authentication is failing.
Could any AD / Exchange experts chime in here with their recommendations/workarounds? I was reading up about Kerberos Constrained Delegation which seems like an option but I'm no expert in that domain!
03-04-2013 08:24 AM
Hi, I have the same issue.
Also 2 forests:
1. Exchange + BDS
2. Enabled Active Directory accounts
I am unable to get the accounts from the resource forest configured on BDS. Information in the BA log file is below.
findLinkedUserByExchMasterAccountSID could not connect to Active Directory forest denoted by domainSID=xxxxx. please add the required login domain to the Microsoft Active Directory Integration.
Now I don't know what tab it wants me to modify, and there is no documentation on multiple forest setup.
If anyone can point me in the right direction I would so appreciate it.
03-04-2013 08:36 AM
03-04-2013 11:32 AM - edited 03-04-2013 11:32 AM
Sorry, ignore the previous response. Here is the answer to your question:
You don't need a 2 way trust in place if you are not using an OTP solution.
In order to allow access to your account forest, you need to configure an additional account which has permissions to access the trusted account forest, see this KB:
That got it working for me in a 1 way trust scenario.
03-06-2013 08:50 AM
It worked. The service account that was provided to me by the guys managing the users forest was incorrect.
So the solution works.
The steps are
1. Left Hand pane, go to Microsoft Active Directory Integration
2. Select Manage Microsoft Active Directory access
3. Edit the settings
4. Under the section Microsoft Active Directory login information, configure this section with the service account details of the user account forest