User Profile Service causing authentication failures in a one-way trust domain
SinPeow
User profile behavior:
- The users and groups listed as Administrators of the User Profile Service Application (UPA) are cached.
- That cache expires every 5 minutes.
- When the next web service call comes into the UPA, those accounts must be resolved again and re-cached.
Current environment:
- The SharePoint server is hosted in the M domain and has a one-way trust with the S domain; all user access is from the S domain, and the SharePoint service account is from the M domain.
- We need to add a few S domain users to the UPA Admin group so that end users are able to edit their user profiles.
Issues:
- Every time the SharePoint service account calls the web service, the UPA resolves all the users inside the admin group; the service account in the M domain doesn't have permission to authenticate to the S domain, which causes "authentication failed" log entries.
- This activity triggered the S domain security team, who said that this is account harvesting activity.
Any idea how we can resolve these "issues"? Below are the ideas I can think of:
- Create an M domain service account for the S domain users to manually log in to Central Admin for user profile updates.
- Request that the S domain security team whitelist the service account (this will be less secure).
Any ideas? Please help to share. Can we escalate to Microsoft and have this considered a bug? There should be a way to authenticate to the S domain at the UPA with an S service account (using the People Picker setting; we have assigned an S account for this).
Thanks
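The post's core security point is that the UPA cache refresh produces a very regular failure signature (one caller account, a fixed small set of target accounts, one burst roughly every 5 minutes), which is what the S domain security team mistook for account harvesting. The following added example, which is not code from the post or from SharePoint, shows how a defender could triage such failure events and separate the cache-refresh cadence from a broad enumeration pattern. The event records, the domain names M and S, and the account names are constructed placeholders; real data would come from the trusted domain's logon-failure events.

```python
"""Triage of cross-domain authentication failures caused by the SharePoint
UPA administrator cache refresh (added example; not from the original post).

Assumption: each event carries the timestamp, the caller (source) account and
the account being resolved (target), as a Windows logon-failure event would.
The UPA pattern is: one source account, a small fixed set of targets, one
burst of failures every ~5 minutes when the cache expires. Broad account
enumeration is: many distinct targets, typically in a single fast burst.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: the SharePoint service account from domain M
# re-resolves two S-domain UPA administrators at each 5-minute cache expiry.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:00:01", "source": "M\\svc_sharepoint", "target": "S\\alice"},
    {"time": "2024-01-10T08:00:01", "source": "M\\svc_sharepoint", "target": "S\\bob"},
    {"time": "2024-01-10T08:05:02", "source": "M\\svc_sharepoint", "target": "S\\alice"},
    {"time": "2024-01-10T08:05:03", "source": "M\\svc_sharepoint", "target": "S\\bob"},
    {"time": "2024-01-10T08:10:00", "source": "M\\svc_sharepoint", "target": "S\\alice"},
    {"time": "2024-01-10T08:10:00", "source": "M\\svc_sharepoint", "target": "S\\bob"},
    {"time": "2024-01-10T08:15:01", "source": "M\\svc_sharepoint", "target": "S\\alice"},
    {"time": "2024-01-10T08:15:01", "source": "M\\svc_sharepoint", "target": "S\\bob"},
] + [
    # Constructed contrast case: one caller touching 40 different accounts
    # within 40 seconds, which does not look like a cache refresh at all.
    {
        "time": (datetime(2024, 1, 10, 9, 0, 0) + timedelta(seconds=i)).isoformat(),
        "source": "M\\unknown1",
        "target": "S\\user%03d" % i,
    }
    for i in range(40)
]


def cluster_bursts(times, window_seconds=30):
    """Collapse timestamps that fall within window_seconds of the previous
    event into one burst; return the start time of each burst."""
    bursts = []
    for t in sorted(times):
        if not bursts or (t - bursts[-1][-1]).total_seconds() > window_seconds:
            bursts.append([t])
        else:
            bursts[-1].append(t)
    return [b[0] for b in bursts]


def classify(events, cadence_seconds=300, tolerance_seconds=30, max_targets=10):
    """Group failures by source account and report, per source, how many
    distinct targets were hit, how many bursts occurred, whether the bursts
    are periodic at the UPA cache interval, and a verdict string."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)

    verdicts = {}
    for src, evs in by_source.items():
        targets = {e["target"] for e in evs}
        starts = cluster_bursts(datetime.fromisoformat(e["time"]) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        # Periodic only if every gap between bursts is close to the cache TTL.
        periodic = bool(gaps) and all(
            abs(g - cadence_seconds) <= tolerance_seconds for g in gaps
        )
        fits_upa = periodic and len(targets) <= max_targets
        verdicts[src] = {
            "targets": len(targets),
            "bursts": len(starts),
            "periodic": periodic,
            "verdict": "upa-cache-refresh" if fits_upa else "investigate",
        }
    return verdicts


if __name__ == "__main__":
    for src, v in classify(SAMPLE_EVENTS).items():
        print(src, v)
```

The thresholds (5-minute cadence, 30-second tolerance, at most 10 targets) are assumptions tuned to the behavior the post describes; a source that fails against many accounts, or without the regular cadence, is reported as "investigate" rather than explained away, so the check narrows the noise without hiding a genuine enumeration attempt.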