Does ServiceDesk support Active Directory child domains in parent domains?

Article ID: 179912

Products

ServiceDesk

Issue/Introduction

 

Resolution

Question: Does ServiceDesk support using Active Directory (AD) child domains that are part of parent domains? Specifically, can these be synced, used to log users in when referring to the child and/or the parent domain, or with automatic passthrough authentication?

Answer: No, ServiceDesk does not support child domains that are part of parent domains. Trying to use ServiceDesk in this manner results in a loss of functionality for child domain users, as described below.

  • Logging into ServiceDesk will fail if the user specifies the parent domain. This is because ServiceDesk does not cross-reference the child domain during its user authentication.
  • Automatic passthrough authentication will fail. This refers to starting ServiceDesk and having it automatically log the user in based on their NT ID, which is matched to their user information in ServiceDesk and in AD. Manual authentication will still work.

Technical Information

Review the user table to see how this is failing to work. For example:

USE Ensemble
SELECT * FROM [user]

Review the two fields PrimaryEmail and ADLoginName. The AD domain listed there is the one ServiceDesk attempts to authenticate the user against. For a user in "child_domain", such as [email protected]_domain.com, an attempt to log in as [email protected]_domain.com fails because the user is not a direct member of "parent_domain".

Note: If the user exists in both domains, this presents other issues. Specifically, the user is then duplicated in ServiceDesk, which treats these as two separate accounts. Tickets assigned to [email protected]_domain.com would not cross-reference those from [email protected]_domain.com; they would be completely separate.
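To find the duplicated accounts described in the note above, the following query lists users whose email local part appears under more than one domain. It is an added example, not a query from the original article or from the vendor. It assumes that PrimaryEmail holds values of the form localpart@domain, and the names LocalPart and EmailDomain are introduced here for illustration.

```sql
USE Ensemble;

-- Assumption: PrimaryEmail is stored as localpart@domain.
-- Appending '@' before CHARINDEX keeps the LEFT() length non-negative
-- even if a row without '@' is evaluated before the WHERE filter runs.
WITH parsed AS (
    SELECT
        PrimaryEmail,
        ADLoginName,
        LOWER(LEFT(PrimaryEmail,
                   CHARINDEX('@', PrimaryEmail + '@') - 1)) AS LocalPart,
        LOWER(SUBSTRING(PrimaryEmail,
                        CHARINDEX('@', PrimaryEmail + '@') + 1,
                        LEN(PrimaryEmail)))                 AS EmailDomain
    FROM [user]
    WHERE PrimaryEmail LIKE '_%@_%'
),
dupes AS (
    -- Local parts that occur under two or more distinct domains.
    SELECT LocalPart
    FROM parsed
    GROUP BY LocalPart
    HAVING COUNT(DISTINCT EmailDomain) > 1
)
SELECT p.LocalPart, p.EmailDomain, p.PrimaryEmail, p.ADLoginName
FROM parsed AS p
JOIN dupes  AS d ON d.LocalPart = p.LocalPart
ORDER BY p.LocalPart, p.EmailDomain;
```

A shared local part is only a candidate match: two different people can have the same name in different domains, so confirm each pair against AD before treating the rows as one person.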

Workaround

More than one AD Server can be set up in ServiceDesk. One can be set to go to the parent domain, a second to the child domain. This enables user import, sync, login, and automatic passthrough authentication to work for either domain. However, the users would need to specifically log into ServiceDesk as that account. This would not enable use[email protected]_domain.com to log in as [email protected]_domain.com.

Related Resources

Users that are members of a group membership are not synced into ServiceDesk
http://www.symantec.com/business/support/index?page=content&id=TECH122202