Concept about one way trust domain


Our current SharePoint 2019 server is hosted in domain A, and the environment has a one-way trust with Domain S.

The Domain S admin is currently receiving multiple failed logins from Domain A service accounts; those service accounts are used for the SharePoint application pool and the SharePoint Timer service.

My question is: why do these service accounts go to domain S for authentication? Why don't they authenticate against domain A only?

*We are unable to get more information from Domain S; we only have a simple alert, which is:

Threat Name: An account failed to log on

We checked the Windows event log, the SharePoint ULS log and the IIS log and did not see any related activity for the service account.

*We noticed a warning with event ID 40961 (not sure whether this is related or not?)

The warning event details are as follows:

Details: The security System could not establish a secured connection with the server ldap/server.mydomain.net/mydomain.net@MYDOMAIN.NET. No authentication protocol was available

*Our SharePoint page uses the Claims to Windows Token Service for Domain S; normally the SharePoint page is logged into by Domain S users, and the Domain A service accounts are only used for services.

Hope someone can share the logic behind this authentication?

Thanks

1 Reply
Hi all, I'm posting some findings on this in case other users are facing the same issue. We found that adding a user from Domain S to the UPS service application administrator group causes this issue, because of how the UPS works:
- The users and groups listed as Administrators of the User Profile Service Application (UPA) are cached.
- That cache expires every 5 minutes.
- When the next web service call comes into the UPA, those accounts must be resolved again and re-cached.

The admin group contained a domain S account, but the service account running the UPS is a Domain A service account, which caused the incident above.
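The two checks a SharePoint admin would want here, written as an added PowerShell example that is not part of the original thread or of any Microsoft script: it lists the User Profile Service Application administrators whose domain differs from the domain of the UPA's application pool account (the cross-trust lookup the reply describes), and it pulls any LsaSrv 40961 warnings from this server's System log so the two can be correlated. The cmdlets (`Get-SPServiceApplication`, `Get-SPServiceApplicationSecurity`, `Get-WinEvent`) are real; the property paths `ApplicationPool.ProcessAccountName` and `AccessRules` are used as I understand them and should be treated as assumptions to confirm in your farm, and the `-Days` value is an arbitrary constructed default.

```powershell
# Added example (not from the original post or from Microsoft): audit which UPA
# administrators live in a domain other than the UPA application pool account's
# domain, then list LsaSrv 40961 warnings on this server for correlation.
# Run from the SharePoint 2019 Management Shell as a farm administrator.
param(
    [int]$Days = 1   # constructed default: how far back to search the System log
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Extract 'DOMAIN' from 'DOMAIN\user' or from a claims identity like 'i:0#.w|DOMAIN\user'.
function Get-DomainPart([string]$Principal) {
    if ($Principal -match '(?:^|\|)([^\\|]+)\\[^\\]+$') { return $Matches[1].ToUpperInvariant() }
    return $null
}

$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like '*User Profile Service Application*' } |
    Select-Object -First 1
if (-not $upa) { throw 'No User Profile Service Application found in this farm.' }

# Assumption: the app pool's process account is exposed as ApplicationPool.ProcessAccountName
# (Domain A service account in the thread).
$poolAccount = $upa.ApplicationPool.ProcessAccountName
$localDomain = Get-DomainPart $poolAccount
Write-Host "UPA application pool account: $poolAccount (domain $localDomain)"

# Administrators of the service application. Per the reply, SharePoint caches this list for
# about 5 minutes and re-resolves every entry when the cache expires; an entry from the
# trusted domain is resolved across the trust using the pool account.
$security = Get-SPServiceApplicationSecurity -ServiceApplication $upa -Admin
$foreignAdmins = foreach ($rule in $security.AccessRules) {   # assumption: AccessRules property
    $ruleDomain = Get-DomainPart $rule.Name
    if ($ruleDomain -and $ruleDomain -ne $localDomain) {
        [pscustomobject]@{
            Principal = $rule.Name
            Domain    = $ruleDomain
            Rights    = $rule.AllowedRights
        }
    }
}

if ($foreignAdmins) {
    Write-Host "UPA administrators outside $localDomain (these are re-resolved across the trust):"
    $foreignAdmins | Format-Table -AutoSize
} else {
    Write-Host "All UPA administrators belong to $localDomain."
}

# Event ID 40961 in the thread is an LsaSrv warning in the System log; list recent ones so they
# can be lined up with the failed-logon alerts seen on the trusted domain's side.
$since = (Get-Date).AddDays(-$Days)
$lsaWarnings = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LsaSrv'
    Id           = 40961
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($lsaWarnings) {
    Write-Host "LsaSrv 40961 warnings since $since on $env:COMPUTERNAME:"
    $lsaWarnings | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No LsaSrv 40961 warnings since $since on $env:COMPUTERNAME."
}
```

If the first table shows Domain S principals and the 40961 timestamps recur roughly every five minutes, that matches the cache-expiry mechanism in the reply; the remediation the reply describes is to keep accounts from the trusted domain out of the UPA administrators list when the UPA runs under an account from the trusting domain.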