Cross Forest authentication issue Event ID 4625 and Netlogon logs


I have three forests, Forest A Forest B and Forest C.

Forest C is new; users in Forest A have never been able to authenticate.

Forest C has a one-way non-transitive trust with a domain in Forest B.

Forest C has a one-way transitive forest trust with Forest A.

Time is synced between all forests, trusts have been validated, and SIDs are enumerating properly on all objects, which can be viewed in Domain Local groups and the foreign security principals.

Users in Forest A have been permissioned on devices in Forest C.

Users in Forest B have been permissioned on devices in Forest C.

Users in Forest B can authenticate to resources in Forest C; users in Forest A generate the error below when attempting to access the same resources. In this case it is an RDP session that is being initialized.

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:        Computer.In.Forest.C$
    Account Domain:        Domain.In.Forest.C
    Logon ID:        0x3E7

Logon Type:            10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        UserInForestA
    Account Domain:        Domain.In.Forest.A

Failure Information:
    Failure Reason:        An Error occured during Logon.
    Status:            0xC000018B
    Sub Status:        0x0

Process Information:
    Caller Process ID:    0xb0
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:    ServerInForestCwhereResourcesArePermissioned
    Source Network Address:    10.10.10.10
    Source Port:        0

Detailed Authentication Information:
    Logon Process:        User32
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

Netlogon logging is turned up; the results from the log are below. I didn't see anything glaring in there.

07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Entered
07/17 13:16:50 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Returns 0x0
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Entered
07/17 13:16:52 [LOGON] [544] SamLogon: Network logon of DomainInForestA\UserInForestA from ComputerInForestA Returns 0x0
07/17 13:16:54 [MISC] [544] DsGetDcName function called: client PID=1576, Dom:DomainInForestA Acct:(null) Flags: RET_DNS
07/17 13:16:54 [MISC] [544] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/17 13:16:54 [MISC] [544] NetpDcGetName: DomainInForestA using cached information ( NlDcCacheEntry = 0x000000AB4AA546F0 )
07/17 13:16:54 [MISC] [544] DsGetDcName: results as follows: DCName:\\DCinFOrestA.DomainInForestA DCAddress:\\IPV6AddressDCAddrType:0x1 DomainName:DomainInForestA DnsForestName:ForestA Flags:0xe00031fc DcSiteName:NameofDCsite ClientSiteName:NameOfClientSite
07/17 13:16:54 [MISC] [544] DsGetDcName function returns 0 (client PID=1576): Dom:DomainInForestA Acct:(null) Flags: RET_DNS
07/17 13:16:54 [MISC] [2556] DsGetDcName function called: client PID=4, Dom:DomainInForestC.Some.Domain.Path Acct:(null) Flags: IP KDC
07/17 13:16:54 [MISC] [2556] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c03ffff1
07/17 13:16:54 [MISC] [2556] NetpDcGetName: DomainInForestC.Some.Domain.Path cache is too old. 8224062
07/17 13:16:54 [MAILSLOT] [2556] NetpDcPingListIp: DomainInForestC.Some.Domain.Path: Sent UDP ping to IPV6Address
07/17 13:16:54 [MISC] [2556] NlPingDcNameWithContext: Sent 1/1 ldap pings to DCinForestC.DomainInForestC..Some.Domain.Path
07/17 13:16:54 [MISC] [2556] NetpDcAllocateCacheEntry: new entry 0x000000AB4AB36260 -> DC:DCinForestC DnsDomName:DomainInForestC..Some.Domain.Path Flags:0x73fd
07/17 13:16:54 [MISC] [2556] NlPingDcNameWithContext: DCinForestC.DomainInForestC..Some.Domain.Path responded over IP.
07/17 13:16:54 [MISC] [2556] NetpDcGetName: DomainInForestC..Some.Domain.Path using cached information ( NlDcCacheEntry = 0x000000AB4AB36260 )
07/17 13:16:54 [MISC] [2556] NetpDcDerefCacheEntry: destroying entry 0x000000AB4AB426A0
07/17 13:16:54 [MISC] [2556] DsGetDcName: results as follows: DCName:\\DCinForestC.DomainInForestC..Some.Domain.Path DCAddress:\\IPV6Address DCAddrType:0x1 DomainName:DomainInForestC.Some.Domain.Path DnsForestName:DomainInForestC.Some.Domain.Path Flags:0xe00073fd DcSiteName:Default-First-Site-Name ClientSiteName:Default-First-Site-Name
07/17 13:16:54 [MISC] [2556] DsGetDcName function returns 0 (client PID=4): Dom:DomainInForestC.Some.Domain.Path Acct:(null) Flags: IP KDC
07/17 13:16:54 [SESSION] [1200] I_NetLogonGetAuthData called: (null) DomainInForestC (Flags 0x1)  
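As an added example (not part of the post above), a small Python triage helper that parses the 4625 message body shown above, maps its Status to an NTSTATUS name, and separates a trust-path failure (account domain differs from the server's domain and the status is a trust code such as 0xC000018B, STATUS_NO_TRUST_SAM_ACCOUNT) from an ordinary bad-password failure (0xC000006D). The embedded sample reuses the poster's placeholder names so the script runs offline; the verdict strings are my own triage hints, not Windows text.

```python
import re
# NTSTATUS values seen as the Status of a 4625 when a cross-forest logon fails before
# the password is ever checked, plus the ordinary bad-password code for contrast.
NTSTATUS = {0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT", 0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
            0xC000018D: "STATUS_TRUSTED_RELATIONSHIP_FAILURE", 0xC000006D: "STATUS_LOGON_FAILURE"}
TRUST_CODES = {c for c in NTSTATUS if c != 0xC000006D}

def parse_4625(text):
    """Turn the 4625 message body into {section: {field: value}}."""
    sections, current = {"_top": {}}, "_top"
    for line in text.splitlines():
        m = re.match(r"^(\s*)([^:]+?):\s*(.*)$", line)
        if not m:
            continue                        # blank or prose line, e.g. "An account failed to log on."
        indent, key, value = m.groups()
        if not indent and not value:        # "Subject:" opens a new section
            current = key
            sections.setdefault(current, {})
        elif not indent:                    # "Logon Type: 10" is a top-level field
            sections["_top"][key] = value
        else:
            sections[current][key] = value
    return sections

def triage(text):
    """Separate trust-path failures from ordinary credential failures."""
    ev = parse_4625(text)
    failed, subject = ev["Account For Which Logon Failed"], ev["Subject"]
    status = int(ev["Failure Information"]["Status"], 16)
    cross_domain = failed["Account Domain"].lower() != subject["Account Domain"].lower()
    if status in TRUST_CODES and cross_domain:
        verdict = "trust path: verify the trust and DC reachability toward the account's domain"
    elif status == 0xC000006D:
        verdict = "credentials: bad user name or password (see Sub Status)"
    else:
        verdict = "unclassified"
    return {"status": NTSTATUS.get(status, hex(status)), "logon_type": ev["_top"].get("Logon Type"),
            "cross_domain": cross_domain, "verdict": verdict}

# Constructed sample: the event from the post above, trimmed to the sections triage() reads.
SAMPLE_4625 = """Subject:
    Account Name:        Computer.In.Forest.C$
    Account Domain:        Domain.In.Forest.C
Logon Type:            10
Account For Which Logon Failed:
    Account Name:        UserInForestA
    Account Domain:        Domain.In.Forest.A
Failure Information:
    Status:            0xC000018B
"""
```

Feed the whole message body of each 4625 (for example exported from the Security log) to triage() and group the results by verdict to see at a glance whether a batch of failures is a trust problem or a password problem.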
