Question Status

Unanswered
André Arnaud de Calavon asked a question on 14 Mar 2014 2:50 AM

Hi all,

I'm encountering an issue where a company has more than one domain.

Let's say we have domain "DomainA" and "DomainB". AX 2012 R2 (+CU7) is installed on DomainA.

All users are set up with their own domain. They can use the system, e.g. writing timesheets, regardless of whether they are in DomainA or DomainB.

The problem is when the workflow tries to assign a user from DomainB as approver for the timesheet. The workflow stops with the error: "Failed to create a session; confirm that the user has proper privileges to log on to Microsoft Dynamics."

The user also has an email account for DomainA, which is the one they should use. Now if I set up this user as DomainA, the workflow continues.

Problem is that he cannot log in himself with the DomainA account on the network. He should use DomainB.

Another funny thing is that, when I change the SID in the user info table for this user to the SID belonging to DomainA, the workflow also continues, but he then also cannot log on within the AX client himself.

Has anyone encountered this problem before, or does anyone know a workaround? It is not possible to convert the user to DomainA yet...

Can we consider this as a bug in AX 2012?

kind regards,

André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

This post is my own opinion and does not necessarily reflect the opinion or view of my company, Microsoft, both its employees, or other MVPs.

Reply
Denis Macchinetti responded on 14 Mar 2014 12:16 PM

Hi André

Interesting scenario.

I never faced this issue, but in my opinion it is a bug.

What do you mean by "Problem is that he cannot log in himself with the DomainA account on the network. He should use DomainB"?

Thanks & Regards

Denis Macchinetti

Senior Technical Architect

Reply
André Arnaud de Calavon responded on 14 Mar 2014 12:37 PM

Hi Denis,

Thanks for your interest. I would like to make it the problem for someone else :-(.

The people did get an email account in AccountA. This happens to be the same network alias, only within DomainA. So the same alias is known in Active Directory with DomainA and DomainB for people coming from DomainB.

It is strange that the import wizard can only show the people listed in DomainA and not DomainB. By manual creation of the users we can enter these people with the DomainB network domain.

kind regards,

André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

Reply
Denis Macchinetti responded on 15 Mar 2014 11:30 AM

Hi André

After reading well, it could be a trust domain problem.

Are the domains "two-way" trusted?

From domain B, are you able to ping the AX Server installed on Domain A?

If not, add a host entry for the AX Servers in domain B.

Thanks & Regards

Denis Macchinetti

Senior Technical Architect

Reply
André Arnaud de Calavon responded on 19 Mar 2014 4:04 AM

Hi Denis,

Sorry for the late answer. Due to the illness of several people, including myself, we were not able to verify your last question.

I was thinking it could be related to having the same network alias in both network domains, where some AX logic will assume this alias should be unique across the network.

I will come back later.

kind regards,

André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

Reply
André Arnaud de Calavon responded on 20 Mar 2014 5:45 AM

Hi Denis,

I have more details now. There is a domainA and a domainB.

DomainB is divided into other sub domains per region.

There are no users in DomainB.

The users with the problems are in the sub domains.

There is a two-way trust between domainA and DomainB.

Also there are two-way trusts between DomainB and the sub domains.

There is NO direct two-way trust between DomainA and the sub(region) domains.

It is strange that the user is able to run AX (client and EP) while the RunAs command raises an error.

What are your thoughts?

kind regards,

André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

Reply
Denis Macchinetti responded on 23 Mar 2014 6:19 AM

Hi André

An interesting test could be to create a simple class to check whether RunAs works fine for a Sub Domain user.

Just to understand if the problem is in the RunAs command.

If it doesn't work, it means that RunAs has some issue with the Sub Domains, and you can open an MS case with more details.

Thanks & Regards

Denis Macchinetti

Senior Technical Architect

Reply
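The RunAs test suggested in the last reply could look like the following X++ class. This is an added example, not code posted by anyone in the thread; the class name `RunAsSubDomainTest` and the user id `subusr1` are hypothetical placeholders to be replaced with an AX user from one of the sub domains.

```xpp
// Added example (not from the thread). In the AOT each method below is its own node.
class RunAsSubDomainTest
{
}

// Target of runAs: must be static, run on the server, and take/return a container.
// Reports which AX user the impersonated session runs as, plus the domain,
// alias and SID stored for that user in the UserInfo table.
public static server container whoAmI(container _args)
{
    UserInfo userInfo;

    select firstonly networkDomain, networkAlias, sid from userInfo
        where userInfo.id == curUserId();

    return [curUserId(), userInfo.networkDomain, userInfo.networkAlias, userInfo.sid];
}

// Caller: tries to open a session as _userId, the same way workflow does.
public static server void run(UserId _userId)
{
    RunAsPermission perm = new RunAsPermission(_userId);
    container       result;

    try
    {
        perm.assert();
        result = runAs(_userId,
                       classNum(RunAsSubDomainTest),
                       staticMethodStr(RunAsSubDomainTest, whoAmI),
                       conNull());
        CodeAccessPermission::revertAssert();

        info(strFmt("runAs OK for %1: %2\\%3, SID %4",
                    conPeek(result, 1), conPeek(result, 2),
                    conPeek(result, 3), conPeek(result, 4)));
    }
    catch
    {
        // Any message raised by runAs itself stays in the Infolog above this line.
        error(strFmt("runAs failed for AX user %1", _userId));
    }
}

public static void main(Args _args)
{
    RunAsSubDomainTest::run('subusr1'); // placeholder AX user id
}
```

Running it once for a DomainA user and once for a sub domain user shows whether the session failure follows the domain or the individual user record.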