After switching to the Infranet Controllers I see that some users don't send a domain name with their username. The ICs then try to authenticate against the Forest Root using Active Directory but the users are in a child domain and the login fails. Hardcoding a domain\username solves the problem but is for obvious reasons not practical.
Has anyone else come across this problem?
Solution-1 (simple and straightforward): Use Kerberos SSO (this works only using OAC and if the end-point is joined to the domain):-
If the users are logging into the IC (using OAC) from an end-point which is joined to the domain and the user is logged into the PC as a domain user:
Solution-2 (not that easy, requires too much configuration):-
Configure the domain controller of each child domain as a separate auth server in the IC, configure separate realms, one for each child domain, and make each realm use the respective child domain's domain controller as its auth server.
Please reply if this is not what you are looking for.