We are trying to set up a CentralAD (Windows 2012) for our service with an outgoing external, non-transitive trust to a few customer domains. The client computers are members of the CentralAD domain.
According to the documentation, this should let customer user accounts authenticate to our CentralAD:
Direction of trust: Outgoing: Users in the specified domain can authenticate in the local domain, but users in the local domain cannot authenticate in the specified domain.
Transitivity of trust: This trust is not transitive. Only users from the directly trusted domain may authenticate in the trusting domain.
This works really well, and users from the customers' Active Directory can successfully authenticate from our device with username/password/domain login.
Now the customers need certificate login. The infrastructure in their AD works correctly for certificate-to-AD-account mapping. The problem is that when a customer enters a smart card and PIN on our device in CentralAD, the user cannot be authenticated.
When testing this in different scenarios, it looks like certificate mapping to an AD account needs the user to be in the same domain as the computer? When logging in with username/password they also specify the domain, and the Windows functions automatically send the login request to the right domain controller. Does anyone know how to get the login request to go to the correct domain controller when logging in with a smart card, or how to get the CentralAD to try the other trusted domains for certificate login?
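The checks below are an added diagnostic example and are not part of the original post. They verify, from the CentralAD side, the things the post relies on: that the trust to a customer domain is really outgoing and non-transitive, that a domain controller of the trusted domain can be located (the smart-card logon has to reach that domain's KDC), and what name the user's certificate carries versus what the trusted domain has mapped. The domain names `central.example` and `customer.example` and the file `customer-user.cer` are assumptions; all cmdlets and tools used are standard (RSAT ActiveDirectory module, nltest, certutil).

```powershell
# Added example, not from the original post. Assumed names:
#   central.example  = the CentralAD domain the device is joined to
#   customer.example = a customer domain reached via an outgoing, non-transitive external trust
# Run on a CentralAD domain controller (or a host with RSAT) with an account that can read both domains.
Import-Module ActiveDirectory

$trusted = 'customer.example'

# 1. Confirm the trust is outgoing and non-transitive, as the post describes.
#    Direction should be Outbound; ForestTransitive should be False for an external trust.
Get-ADTrust -Filter { Target -eq $trusted } |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SelectiveAuthentication

# 2. Confirm a domain controller in the trusted domain can be located from here.
#    Username/password logon already proves this works for NTLM/Kerberos referrals;
#    a smart-card (PKINIT) logon must reach the same KDC, so a failure here explains a lot.
nltest /dsgetdc:$trusted
nltest /trusted_domains

# 3. Look at the certificate the customer's user presents (assumed file, exported beforehand).
#    The UPN in the Subject Alternative Name is what the client uses to pick the user's realm,
#    so note which domain suffix it carries and whether the chain validates here.
certutil -dump .\customer-user.cer | Select-String -Pattern 'Principal Name', 'Issuer', 'Subject'
certutil -verify -urlfetch .\customer-user.cer

# 4. Show which issuing CAs CentralAD's enterprise NTAuth store trusts for logon certificates.
certutil -enterprise -store NTAuth

# 5. On the trusted domain, list accounts that carry an explicit certificate mapping
#    (altSecurityIdentities) alongside their UPN, to compare with the certificate in step 3.
Get-ADUser -Server $trusted -Filter { UserPrincipalName -like '*' } `
    -Properties altSecurityIdentities, UserPrincipalName |
    Where-Object { $_.altSecurityIdentities } |
    Select-Object SamAccountName, UserPrincipalName, altSecurityIdentities
```

The useful comparison is between step 3 and step 5: the domain suffix in the certificate's UPN, and the domain the trust actually points at, tell you which KDC the client will try to contact; step 2 tells you whether that KDC is reachable from the device's domain at all.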