Channel: SQL Server Database Engine forum

Login to SQL Server fails when user connects from another domain through group membership


Objects in use

Alpha.com (NetBIOS name: Alpha) Windows 2003 domain

Bravo.com (NetBIOS name: Bravo) Windows 2008 R2 domain

A two-way forest trust between Alpha and Bravo is established

A User Alpha\Alice

A Global Security Group in Alpha named GSG

A Domain Local Group in Bravo named DLG

 

Scenario:

Alpha\Alice is granted Alpha\GSG membership.

Alpha\GSG is granted Bravo\DLG membership.

Bravo\DLG is created as login in SQL Server and granted db_datareader in SomeDB.

 

Problem:

Alpha\Alice tries to connect from her workstation in Alpha.

Result:

Error: 18456, Severity: 14, State: 11.

Login failed for user 'Alpha\Alice'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 13.17.19.23]

First Workaround: Grant Bravo\DLG membership to Alpha\Alice.

Test connection from her workstation. Same result. Reverse the last change.

Second Workaround: Create Alpha\Alice as login in SQL Server.

Test connection from workstation: Successful

Whenever membership is altered, the user logs out of workstation so the TGT is updated.

This is not related to nested AD groups, since direct membership of Bravo\DLG didn't yield another result.


Any ideas how to troubleshoot this?

Appreciate any advice


/Tonny


/torpo




