Troubleshooting steps for accessing the web console in multiple domain environments
1. Verify that the Active Directory trusts are set up correctly by doing the following:
a. On the Domain Controller, open Active Directory Domains and Trusts.
b. In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
c. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
d. Do one of the following, and then click OK:
Click No, do not validate the incoming trust.
If you choose this option, it is recommended that you repeat this procedure for the reciprocal domain.
Click Yes, validate the incoming trust.
If you choose this option, you must type a user account and password with administrative credentials for the reciprocal domain.
To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
Delegation: An assignment of administrative responsibility to a user, computer, group, or organization.
For Active Directory: An assignment of responsibility that allows users without administrative credentials to complete specific administrative tasks or to manage specific directory objects. Responsibility is assigned through membership in a security group, the Delegation of Control Wizard, or Group Policy settings.
For DNS: An assignment of responsibility for a DNS zone. Delegation occurs when a name server (NS) resource record in a parent zone lists the DNS server that is authoritative for a child zone.
To open Active Directory Domains and Trusts, click Start | Control Panel | Performance and Maintenance | Administrative Tools, and then double-click Active Directory Domains and Trusts.
You can verify trusts for shortcut, external, and forest trusts but not realm trusts.
2. Verify that the Web Server is trusted for delegation:
a. Go to Active Directory Users and Computers.
b. Locate the web server, right-click it, and go to Properties.
c. Check Trust Computer for delegation.
d. Replicate the Domain Controllers for the change to take effect immediately.
3. Set up Global Cataloging on all Domain Controllers. Go to Active Directory Sites and Services and select Global Catalog Replication for all domain controllers (By default, only the parent DC has this set up). Go to the following link for MS best practices on Global Catalog Replication.
You can read more about this procedure by reading:
4. Do the following to verify that the user is authenticating to the web server:
a. Verify that a test user is in the local LDMS group on the web server.
b. Verify that the user is in the "console user" table in the database.
c. Manually delete the user from that table.
d. If the authentication process works correctly, the test user will populate back into the console user table.
5. Use Authentication and Access Control Diagnostics 1.0 (AuthDiag) to verify credentials. Authentication and authorization failures are common on Internet Information Services (IIS) platforms. AuthDiag is a tool designed to aid customers in effectively troubleshooting and determining the root cause of the problem.
You can read more about this procedure by reading:
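A scripted version of the checks in steps 1 to 3, as an added example that is not part of the original article or of any vendor tooling. The live queries in the comments use the ActiveDirectory PowerShell module (Get-ADTrust, Get-ADComputer, Get-ADDomainController); the function name Test-WebConsolePrereq, WEB01, example.com and the sample objects are constructed, and the direction check assumes the web server's domain must trust the users' domain.

```powershell
# Added example: evaluates the prerequisites from steps 1-3 and returns a list of findings.
function Test-WebConsolePrereq {
    param(
        [object[]] $Trusts,             # output of Get-ADTrust
        [object]   $WebServer,          # output of Get-ADComputer
        [object[]] $DomainControllers,  # output of Get-ADDomainController
        [string]   $UserDomain          # domain the console users log on from
    )
    $findings = @()

    # Step 1: a trust for the users' domain must exist, and (assumption) it must be
    # an outgoing or two-way trust so the web server's domain trusts that domain.
    $trust = $Trusts | Where-Object { $_.Name -eq $UserDomain }
    if (-not $trust) {
        $findings += "Step 1: no trust object found for $UserDomain"
    } elseif ("$($trust.Direction)" -notin 'Outbound', 'BiDirectional') {
        $findings += "Step 1: trust with $UserDomain is $($trust.Direction) only"
    }

    # Step 2: the check box sets TRUSTED_FOR_DELEGATION (unconstrained Kerberos
    # delegation) on the computer account; AD exposes it as TrustedForDelegation.
    if (-not $WebServer.TrustedForDelegation) {
        $findings += "Step 2: $($WebServer.Name) is not trusted for delegation"
    }

    # Step 3: every domain controller should hold the global catalog.
    foreach ($dc in $DomainControllers | Where-Object { -not $_.IsGlobalCatalog }) {
        $findings += "Step 3: $($dc.HostName) is not a global catalog server"
    }
    return ,$findings
}

# Constructed sample objects standing in for the live queries:
#   $trusts = Get-ADTrust -Filter *
#   $web    = Get-ADComputer WEB01 -Properties TrustedForDelegation
#   $dcs    = Get-ADDomainController -Filter *     # repeat with -Server for each domain
$trusts = @([pscustomobject]@{ Name = 'child.example.com'; Direction = 'Inbound' })
$web    = [pscustomobject]@{ Name = 'WEB01'; TrustedForDelegation = $false }
$dcs    = @(
    [pscustomobject]@{ HostName = 'dc1.example.com';       IsGlobalCatalog = $true },
    [pscustomobject]@{ HostName = 'dc2.child.example.com'; IsGlobalCatalog = $false }
)

Test-WebConsolePrereq -Trusts $trusts -WebServer $web `
    -DomainControllers $dcs -UserDomain 'child.example.com'
```

An empty result means the three Active Directory prerequisites are in place; the console user table check in step 4 still has to be done against the database.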