How do I configure permissions for a Single Forest/Multi Domain instance of SSP
We've recently setup our production environment for Service Manager and the self-service portal. Our Active Directory environment is setup as follows:
- Root Forest Domain (RootDomain)
- Domain A (DomainA)
- Domain B (DomainB)
- Domain C (DomainC)
Our SCSM servers, service accounts, and groups exist primarily within DomainA. When we configured our test instance of SCSM and SSP, we were only making it available to members of DomainA, however now that we've built the production system we need to provide access to users from DomainB and DomainC.
From within the SCSM Console I've setup a User Role name "Self-Service Portal End Users"; this role currently does not limit access to any queues, groups, config items, or forms (we've selected the "All work items can be accessed" radio button in each of these areas). The users for this group consist of the following:
- DomainA\Domain Users
- DomainA\SSP_EndUsers (this is a domain local group, more on that below)
After reviewing this post, we created additional groups in Domain B and Domain C. Both of these domain have the following groups:
- SSP_EndUsers (Universal security group)
- SSP_DomainUsers (Global security group)
SSP_DomainUsers includes all user objects for the domain, and SSP_EndUsers contains SSP_DomainUsers as it's only member.
We've added the SSP_EndUsers group from both Domain B and Domain C to the SSP_EndUsers group in Domain A (which is where all of the SCSM components live), and restarted the CacheBuilder service; we see no errors in the CacheBuilder logs, but the users in Domain B and Domain C do not see the single request offering/service offering we've published.
At this point, I've running out of ideas for things to check and options to enable. What is the best way of providing access for users in the other domains to view/submit requests?
EDIT: Just to be clear... members of Domain A are able to see and submit requests without issues, it's Domain B and Domain C that are causing trouble