Saturday, November 07, 2009 1:34 PM
VMM tricks:VMM implementation in cross-domains topology
My team were trying to implement VMM R2 in multiple domains
topology. They installed VMM R2 on windows 2008 R2. We start by
implementing VMM 2008 R2 and SSP (Self Service Portal)on Domain A.
We have users from domain A and B. Ans one way trust relationship
between those domain from domain A to B. i.e Domain A trust users from
This scenario was designed so that users from Domain A, B would have the capability to deploy new VMs using Web interface (SSP).
The installation went fine with local admin account (Domain user
from domain A with local admin privilege) and I am able to see all
users from Domain A and B and add them to Self Service portal users
The problem that users from domain B can't log in to SSP while users from domain A can.
As per Microsoft Technet
Does VMM support cross-domain authentication?
Yes. Kerberos authentication is a prerequisite for VMM. To configure
your environment to allow users in one Active Directory Domain Services
(AD DS) domain to access VMM resources in another domain, you can
either ensure that both domains are in the same forest or configure a
forest-level trust relationship and use Kerberos authentication. To set
up a forest-level trust relationship, both domains must be in Windows
Server 2003 forest mode. Windows 2000 Server does not support
So this was the first problem.. VMM should use Kerberos
authentication while my one way trust was External ( NTLM ).. My domain
are above 2003 so I delete my old trust and create new forest one way
Now VMM should work but Opsssss it did not ?!!!!!!
As per Microsoft technet it should work fine but nothing worked at
all. After some digging with the trust we found it. it has to be 2-way forest level trust between the two domains. :S
And we got confirmation from Microsoft:
Based on this finding, I fully analyze all internal Kerberos traffic again and the two trust is required from SSP.
1. if we only configure one-way trust from SCVMM server domain to
user domain, the DC in SCVMM domain will be able to establish secure
channel with user domain and get the trust TGT ticket. Thus we can
configure SSP and choose user from trusted domain.
2. However, when user accesses SCVMM portal from trusted domain,
because it is one way and there is no trusted account for user domain
in SCVMM domain, the user cannot get trusted TGT ticket and thus the
user cannot get session ticket to access SSP. The accessing will fail
back to NTLM by SCVMM DC contacts DC in user domain for NTLM
According to authentication requirement for SCVMM, we need configure
two-way trust so that user can get session ticket to access SSP in
So... to have users from different domain we need configure two-way trust so that user can get session ticket to access SSP in other domain.