User profile service causing authentication failed at one way trust domain

SinPeow 86 Reputation points
2021-06-15T03:21:43.643+00:00

User profile behavior:

  • The users and groups listed as Administrators of the User Profile Service Application (UPA) are cached.
  • That cache expires every 5 minutes.
  • When the next web service call comes into the UPA, those accounts must be resolved again and re-cached.

Current environment:

  • The SharePoint server is hosted in the M domain and has a one-way trust with the S domain; all user access is from the S domain and the SharePoint service account is from the M domain.
  • We need to add a few S domain users to the UPA Admin group so that end users are able to use the edit user profile function.

Issues:

  • Every time the SharePoint service account calls the web service, the UPA resolves all the users in the admin group; the service account in the M domain does not have permission to authenticate to the S domain, which causes authentication failed log entries.
  • This activity triggered the S domain security team, who said that this is account harvesting activity.

Any idea how we can resolve these "issues"? Below are the ideas I can think of:

  • Create an M domain service account for the S domain user to log in to Central Admin manually for user profile updates.
  • Request that the S domain security team whitelist the service account (this will be less secure).

Any ideas? Please help and share. Can we escalate to Microsoft to consider this a bug? There should be a way to authenticate to the S domain at the UPA with an S service account (using the People Picker setting; we have assigned an S account for this)?

Thanks
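One way to triage the failed-logon pattern described in the question, as an added example that is not part of the original post or of any Microsoft tooling: the script below, written by the editor against constructed 4625-style sample lines, separates a small fixed set of accounts failing on a roughly five-minute cadence (what the cached-admin re-resolution looks like) from a source hitting many distinct accounts in a short window. The log line format, account names, field names and thresholds are assumptions.

```python
"""Triage repeated logon failures: periodic cache refresh vs. many-target enumeration.
All log lines below are constructed sample data, not real security events."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample lines (assumed format): "<ISO time>Z 4625 src=<acct> target=<acct>"
BASE = datetime(2021, 6, 15, 3, 0, 0)
SAMPLE_LOG = [
    # M-domain service account re-resolving the same three S-domain admins every 5 minutes
    f"{(BASE + timedelta(minutes=5 * i, seconds=j)).isoformat()}Z 4625 src=M\\svc_sp target=S\\{u}"
    for i in range(4) for j, u in enumerate(["alice", "bob", "carol"])
] + [
    # one source failing against 25 different accounts within a minute
    f"{(BASE + timedelta(seconds=2 * k)).isoformat()}Z 4625 src=S\\ws-kiosk$ target=S\\user{k:02d}"
    for k in range(25)
]


def parse_event(line):
    """Return (timestamp, source_account, target_account) for one sample line."""
    ts, _event_id, src, target = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            src.split("=", 1)[1], target.split("=", 1)[1])


def triage(lines, period_s=300, tolerance_s=30, harvest_targets=20):
    """Map each source account to (label, distinct target count, median gap between bursts)."""
    by_src = defaultdict(list)
    for ts, src, target in map(parse_event, lines):
        by_src[src].append((ts, target))
    result = {}
    for src, events in by_src.items():
        events.sort()
        targets = {t for _, t in events}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        burst_gaps = [g for g in gaps if g >= 60]  # ignore spacing inside one refresh burst
        med = median(burst_gaps) if burst_gaps else 0.0
        if len(targets) >= harvest_targets:
            label = "review: many distinct targets in a short window"
        elif burst_gaps and abs(med - period_s) <= tolerance_s:
            label = "periodic refresh: fixed target set on a ~5 min cadence"
        else:
            label = "unclassified"
        result[src] = (label, len(targets), med)
    return result


if __name__ == "__main__":
    for src, (label, n, med) in triage(SAMPLE_LOG).items():
        print(f"{src}: {label} (targets={n}, median burst gap={med:.0f}s)")
```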

SharePoint Server Management