I haven't done this in quite a while, but if I remember, you have to enabl it at the auth server level (a check box), and then require DOMAIN\account on the login page.

Still not having any joy with this.

stine: How do you mean you need to enable it at the auth server level?.

I have attached my setup. I have tried all sorts of combinations of Filters, Member Atttributes, and Query Attributes. No luck.

I have blanked out the DC values (sensitive!) but the rest is 'as is'.

Within this AD I have a Group 'AD1'. In that is group 'AD2' which exists on the second domain. I have created a user realm which looks for user 'X' in AD1. With the nesting I assume the AD1 will check it's group for user 'X', see it has a nested group and look there elsewhere. I have used an AD tool which runs the query and confirms that the user exists within AD1 by virtue of being in nested group AD2.

The thing with the Base DN is that its completely different on both the AD's. How do you write a base DN which will work for both AD1 and AD2?

It seems rather weird this doens't work. Is this from "the horses mouth" so to speak or is this just your experience? The thing is, the SA shouldn't need to search the other DN's as its the AD which has this nested group/recursion/transient trust?

If the little tool I run is able to determine that I exist in a nested group, why can't the SA!?

This is from the horse's mouth, so to speak (I'm part of the JTAC team).

The IVE needs to search the other DNs in order to receive the groups from those locations and check the user membership on those groups. It is true that the AD server holds that information; but the IVE needs to access that information to verify user details. If it can't access it the verification will fail. Using LDP.exe, or another LDAP browser, are you able to pull the groups from both domains for a user?

In the AD/NT server type, nested group lookups are not supported; you have to specify each level of the group as a potential membership (which defeats the purpose nesting).

In the LDAP server type, nested group lookups are supported; but you cannot cross the domain trust (as you noted previously there is no way to specify more than one DN to look).

One thing you can _try_ that may, or may not, work is to use the LDAP server type on the global catalog port (3268 or 3269 over SSL) and set the base DN as the top level. I have heard of some limitations being overcome using this traversal; but not consistently.

Universal groups in AD is a must.

cheers guys. Fer more questions!

zanyterp_: In terms of having multiple realms for each of the AD's, am I correct in assuming the best way of presenting this would be either a single URL with multiple user-selectable realms, or multiple URLS with each one pointing to a realm?

RexPGP_: Have you been able to get this working? I can get the AD guys to change a group to Universal if you think it will make a difference?

Just a thought, are there any other options by using some sort of intermediary device which is able to do the lookups across multiple domains. ie Radius?