Microsoft Dynamics AX (Archived)

Multiple domain EP security issues


I currently have an AX 2012 R3 CU9 environment on Azure and have a site-to-site VPN set up between the customer's AD and my Azure AD with a 2-way trust (External Trust Type -- Not Transitive). We are able to import users into AX now, but I need to tell SharePoint to allow users from the new domain to have access to the Enterprise Portal. I am running SharePoint 2013 Foundation and I am trying to add the domain users from the new domain and I cannot. It looks like it recognizes it, but when I click Full and then OK, it says it cannot find an exact match. Does anyone have a way to add this group from the new domain to the SharePoint site permissions in EP? Does my 2-way trust need to be transitive? I am able to add individual users from the new domain but not a group. It is not an option to add all the individual users.

When I add a specific user from the new domain to the Site Permissions and then try to log into the Enterprise Portal, I get a "Message: An unhandled error has occurred. To view details about this error, enable debugging in the web.config file or view the Windows event logs." error and when I look in the Event Viewer on the EP server, I see a Microsoft Dynamics AX Enterprise Portal Event ID 1000:

An unhandled error has occurred. To view details about this error, enable debugging in the web.config file or view the Windows event logs.

Access is denied.

mscorlib

 

Server stack trace:

at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)

at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)

at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)

at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()

  • Suggested answer
    Community Member

    Have faced the same issue on AX 2012 R3 CU10. The following solution worked: restart the IIS service using an Admin command prompt. Hope this helps others like me.

  • ford_sopris
    1,229

    After talking with MS Support, I had to run the following commands:

    stsadm -o setproperty -propertyname "HideInactiveProfiles" -propertyvalue "true"

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:remotedomain.com;forest:localdomain.local -url http://WebAppAddress:portnumber

  • PaulDevey
    50

    Hello and thank you for posting your solution.

    I have the same problem and am trying to implement the solution.

    The first command seems to have worked well and I can see the value has loaded using getproperty:

    stsadm -o getproperty -propertyname "HideInactiveProfiles"

    <Property Exist="Yes" Value=""true"" />

    The second command reported it had worked, but has not loaded anything.

    From your experience could you please provide any tips on what I may have done wrong here?

    Many thanks

  • PaulDevey
    50

    I finally worked out how to make the peoplepicker-searchadforests setting load correctly and thought I'd share how.

    You must put a single space after the semi-colon between forests and domains, e.g.

    -pv forest:remotedomain.com; forest:localdomain.local -url... etc.

    Unfortunately loading the setting did not solve the cross domain error in our environment, so the search continues.

  • Verified answer
    Uzair Saleem
    131

    I was facing the same issue. I just followed the link below and the issue has been resolved.

    community.dynamics.com/.../cannot-see-all-users-on-the-domain-in-active-directory-import-wizard
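
A read-only way to confirm what the `peoplepicker-searchadforests` setting discussed in this thread actually stored for a web application, added here as an example and not taken from any of the posts above. It assumes the SharePoint 2013 Management Shell on a farm server; the URL and forest names are the thread's own placeholders.

```powershell
# Added example: read-only check of the People Picker forest/domain list.
# Assumptions: run in the SharePoint 2013 Management Shell on a farm server;
# the URL and forest names are the placeholders used in this thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://WebAppAddress:portnumber'
$expected  = @('remotedomain.com', 'localdomain.local')

$webApp  = Get-SPWebApplication -Identity $webAppUrl
$entries = @($webApp.PeoplePickerSettings.SearchActiveDirectoryDomains)

if ($entries.Count -eq 0) {
    Write-Warning "Nothing is stored for $webAppUrl; the setproperty call did not take effect."
}

# Show exactly what was stored, with brackets so stray whitespace is visible.
$entries | ForEach-Object {
    [pscustomobject]@{
        Stored    = "[$($_.DomainName)]"
        IsForest  = $_.IsForest
        LoginName = $_.LoginName
    }
} | Format-Table -AutoSize

foreach ($name in $expected) {
    # Compare on the trimmed name so a stored " name" is reported, not missed.
    $hit = $entries | Where-Object { $_.DomainName.Trim() -ieq $name } | Select-Object -First 1

    if (-not $hit) {
        Write-Warning "$name is not in the People Picker search list."
    }
    elseif ($hit.DomainName -ne $hit.DomainName.Trim()) {
        Write-Warning "$name was stored with surrounding whitespace: [$($hit.DomainName)]"
    }
    elseif (-not $hit.IsForest) {
        Write-Warning "$name is stored as a domain entry, not a forest entry."
    }
    else {
        Write-Output "$name is stored as a forest entry."
    }
}

# Names containing typographic quotes usually come from a pasted command line.
$entries | Where-Object { $_.DomainName -match '[\u201C\u201D]' } |
    ForEach-Object { Write-Warning "Typographic quote in stored name: [$($_.DomainName)]" }
```

The script changes nothing in the farm, so it can be run before and after each `stsadm -o setproperty` attempt to see whether the value loaded.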
